CAS统一认证相关问题记录

2019-11-29  本文已影响0人  wilesan

SSL(https)修改:

 <!-- Plain-HTTP connector on port 80.
      redirectPort is only used when a request matches a security constraint that requires
      confidential (TLS) transport. NOTE(review): confirm the application declares such a
      constraint, or forces HTTPS some other way; otherwise CAS tickets and session cookies
      can still travel over port 80 in clear text. -->
 <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />


<!-- HTTPS connector on port 443 (NIO), serving the certificate stored in a .jks keystore.
     The keystore password is written in clear text in server.xml: keep server.xml and the
     keystore file readable only by the Tomcat service account, and keep real values out of
     anything published (they are masked here).
     NOTE(review): SSLHostConfig sets neither protocols nor ciphers, so the Tomcat/JVM
     defaults apply; consider pinning protocols to TLSv1.2 or newer and review the
     resulting cipher list. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/usr/local/apache-tomcat-8.5.35/conf/keys/Tomcat/es.****.cn.jks"
                certificateKeyAlias="es.****.cn"
                certificateKeystorePassword="wil**n"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

基于Springboot的cas配置

pom.xml配置:

 <!-- CAS client: Spring Boot auto-configuration support.
      The cas-client-core it pulls in transitively is excluded so that the version is
      chosen explicitly by the second dependency below.
      NOTE(review): both versions date from this 2019 post; check them against the current
      security advisories for the CAS Java client before reusing this snippet. -->
        <dependency>
            <groupId>net.unicon.cas</groupId>
            <artifactId>cas-client-autoconfig-support</artifactId>
            <version>2.2.0-GA</version>
            <exclusions>
                <exclusion>
                    <groupId>org.jasig.cas.client</groupId>
                    <artifactId>cas-client-core</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

        <!-- Explicitly pinned cas-client-core, replacing the excluded transitive one. -->
        <dependency>
            <groupId>org.jasig.cas.client</groupId>
            <artifactId>cas-client-core</artifactId>
            <version>3.5.0</version>
        </dependency>

yml文件配置

# CAS server URL prefix
cas:
  server-url-prefix: https://***.cn/authserver
  # CAS server login page
  server-login-url: https://***.cn/authserver/login
  # Callback URL of this application. CASConfig passes this value to the filter as
  # "serverName". NOTE(review): the CAS client normally expects only scheme://host[:port]
  # there - confirm that a value with a path behaves as intended.
  client-host-url: https://***.cn/**/cas/login

  # The ticket validator uses Cas30ProxyReceivingTicketValidationFilter
  validation-type: CAS3
  # URLs the CAS filter does not intercept (read by CASConfig, passed on as "ignorePattern")
  # NOTE(review): every URL matching this pattern skips CAS authentication. CASConfig never
  # hands ignore-url-pattern-type to the filter, so the client's default matching applies;
  # if that default is a regex search, the bare "/" alternative matches every request URL
  # and the filter would protect nothing. Verify, and list only the exact public paths.
udf:
  ignore-host-url: /|/*|/**/cas/login|/cas/login
  ignore-url-pattern-type: ""

设置ignore-host-url

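/**
 * Registers the CAS client's {@code AuthenticationFilter} as a servlet filter.
 *
 * <p>The filter is mapped to every request path ({@code /*}); the URLs it should leave
 * alone are taken from {@code udf.ignore-host-url}.
 */
@Configuration
public class CASConfig {

    // CAS server URL prefix; injected but not used by the registration below.
    @Value("${cas.server-url-prefix}")
    private String serverUrlPrefix;
    // CAS login page, passed to the filter as "casServerLoginUrl".
    @Value("${cas.server-login-url}")
    private String serverLoginUrl;
    // URL of this application, passed to the filter as "serverName".
    @Value("${cas.client-host-url}")
    private String clientHostUrl;
    // "|"-separated URL pattern the filter should ignore, passed as "ignorePattern".
    @Value("${udf.ignore-host-url}")
    private String ignoreHostUrl;
    // Matching strategy for the ignore pattern, passed as "ignoreUrlPatternType" when set.
    @Value("${udf.ignore-url-pattern-type}")
    private String ignoreUrlPatternType;


    /**
     * Builds the registration for the CAS authentication filter.
     *
     * @return the filter registration, mapped to {@code /*} with order 1
     */
    @Bean
    public FilterRegistrationBean filterAuthenticationRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new AuthenticationFilter());
        // Apply the filter to every request path.
        registration.addUrlPatterns("/*");

        Map<String, String> initParameters = new HashMap<>();
        initParameters.put("casServerLoginUrl", serverLoginUrl);
        initParameters.put("serverName", clientHostUrl);
        // Ignored URLs; several patterns are separated by "|".
        // NOTE(review): every URL matching this pattern bypasses CAS authentication, so the
        // configured value should name only the paths that must stay public. If the client
        // treats the pattern as a regex search, a bare "/" alternative matches all URLs.
        if (StrUtil.isNotEmpty(ignoreHostUrl)) {
            initParameters.put("ignorePattern", ignoreHostUrl);
            // Pass the configured matching strategy through; when it is empty the
            // parameter is left out and the client's default applies.
            if (StrUtil.isNotEmpty(ignoreUrlPatternType)) {
                initParameters.put("ignoreUrlPatternType", ignoreUrlPatternType);
            }
        }
        registration.setInitParameters(initParameters);
        // Position of this filter in the filter chain.
        registration.setOrder(1);
        return registration;
    }

}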

设置cas登出

/**
     * Logs the current user out and redirects the browser to the CAS logout endpoint.
     *
     * <p>Steps, in order: write the exit-log entry, end the Shiro session, delete the
     * cookies, then redirect to the CAS server's logout URL with the application's CAS
     * login callback as the {@code service} parameter.
     *
     * @return redirect instruction pointing at the CAS logout URL
     */
    // NOTE(review): logout is mapped to GET, so any cross-site link or image request can
    // trigger it; consider POST with CSRF protection if forced logout matters here.
    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logOut() {
        // The exit log is written first, before the Shiro subject is logged out.
        // NOTE(review): ShiroKit.getUser() is dereferenced unchecked - confirm it cannot
        // return null when the local session has already expired.
        LogManager.me().executeLog(LogTaskFactory.exitLog(ShiroKit.getUser().getId(), getIp()));
        ShiroKit.getSubject().logout();
        deleteAllCookie();

        // The service URL is a fixed, pre-encoded constant and not request input, so the
        // caller cannot steer this redirect. NOTE(review): both hosts are hard-coded here
        // although the yml already carries the CAS server prefix - presumably they should
        // come from configuration.
        final String serviceQuery = "?service=https%3A%2F%2F*****.cn%2F***%2Fcas%2Flogin";
        final String casLogoutTarget = "https://*****.cn/authserver/logout" + serviceQuery;

        // Redirect to the CAS logout endpoint rather than the local /login page.
        return REDIRECT + casLogoutTarget;
    }

设置过滤问题

shiroFilter中添加:
// Maps every path under /cas/ to Shiro's "anon" filter, i.e. no Shiro authentication there.
// NOTE(review): anything mapped under /cas/ becomes reachable without a Shiro login, so
// keep only the CAS callback handlers on that prefix.
hashMap.put("/cas/**", "anon");
