springboot+springSecurity+springSessionDataRedis+CAS搭建集群单点登陆系统

来源：互联网发布：知党情感党恩作文编辑：程序博客网时间：2024/06/05 02:27

springboot+springSecurity+springSessionDataRedis+CAS搭建集群单点登陆系统

环境描述

windows 7 64bitspring boot:1.4.0.RELEASEspring security:4.1.0.RELEASECAS:4.1.3nginx:随便

搭建CAS服务

1.Tomcat配置SSL

1.生成证书

以命令方式进入目录%TOMCAT_HOME%,输入如下命令：

keytool -genkey -alias tomcat_key -keyalg RSA -storepass changeit -keystore server.keystore -validity 3600

注意： -storepass 与 -validity 可以根据需要更改

用户名输入域名，如:test.cas.com,其它全部以Enter跳过，最后确认，此时会在%TOMCAT_HOME%下生成server.keystore文件

2.将证书导入到客户端使用的JDK的证书信任库中

这步对于Tomcat的SSL配置不是必须，但对于CAS SSO是必须的，否则会出现如下错误：
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidate.

导入过程分2步，第一步是导出证书，第二步是导入到证书信任库，命令如下：

keytool -export -trustcacerts -alias tomcat_key -file server.cer -keystore server.keystore -storepass changeit keytool -import -trustcacerts -alias tomcat_key -file server.cer -keystore D:/”Program Files”/Java/jdk1.8.0_60/jre/lib/security/cacerts -storepass changeit

其它有用keytool命令（列出信任证书库中所有已有证书，删除库中某个证书）:

keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts >t.txt keytool -delete -trustcacerts -alias tomcat_key -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit

3.tomcat启用ssl

配置server.xml：

<Connector       protocol="org.apache.coyote.http11.Http11NioProtocol"       port="9443" maxThreads="200"       scheme="https" secure="true" SSLEnabled="true"       keystoreFile="server.keystore" keystorePass="changeit"       clientAuth="false" sslProtocol="TLS"/>

2.CAS服务的配置

1.部署CAS web server：

从https://github.com/apereo 下载CAS server对应的版本源码
解压，使用maven命令mvn package对cas进行编译打包，这里可能会出现2个问题：
　　a.单元测试不通过==》尝试加上-Dmaven.test.skip=true跳过；
　　b.编译到一半编译不过==》进入cas-server-core，执行命令mvn install -Dmaven.test.skip=true先将core编译为jar包后，再进行。

3.将打包好的cas-server-webapp下的war包复制到tomcat下，运行tomcat先试试吧；
注意：如果觉得麻烦，可以上网搜索cas-server-webapp，使用别人打好的war包

4.将war包放入tomcat的webapps目录下即可

2.从数据库获取用户信息

1.修改%tomcathome%\webapps\cas\WEB-INF中deployerConfigContext.xml：

 <constructor-arg>        <map>            <!--               | IMPORTANT               | Every handler requires a unique name.               | If more than one instance of the same handler class is configured, you must explicitly               | set its name to something other than its default name (typically the simple class name).               -->            <!--<entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />-->            <!--<entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />-->            <entry key-ref="dbAuthHandler" value-ref="primaryPrincipalResolver"/>        </map>    </constructor-arg><bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource"    p:driverClass="com.mysql.jdbc.Driver"    p:jdbcUrl="jdbc:mysql://127.0.0.1:3306/demo2?characterEncoding=utf8"    p:user="root"    p:password="system" />  <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"    c:encodingAlgorithm="MD5"    p:characterEncoding="UTF-8" />  <bean id="dbAuthHandler"    class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"    p:dataSource-ref="dataSource"    p:sql="select password_hash from jhi_user where login = ?"    p:passwordEncoder-ref="passwordEncoder"/>

注意：配置中使用mysql数据库，c3p0连接池，需要引入相关的jar包

将c3p0-0.9.1.1.jar，cas-server-support-jdbc-4.1.3.jar，mysql-connector-java-5.1.32.jar放入%tomcathome%\webapps\cas\WEB-INF\lib中

2.修改%tomcathome%\webapps\cas\WEB-INF\classes\services\Apereo-10000002.json

"serviceId" : "^http.*",

3.设置ST(service ticket)过期策略

修改%tomcathome%\webapps\cas\WEB-INF\spring-configuration\ticketExpirationPolicies.xml

<bean id="serviceTicketExpirationPolicy"class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"c:numberOfUses="10" c:timeToKill="${st.timeToKillInSeconds:1000}" c:timeUnit-ref="SECONDS"/>

注意：根据需要进行修改

至此，所需配置完成，浏览器：http://test.cas.com/cas，进行登陆测试！
注意：test.cas.com为CAS 服务所在机器的域名(如无进行域名配置，可以修改本机hosts，127.0.0.1 test.cas.com达到测试效果）

整合springSecurity与CAS

1.在springboot项目中引入依赖：

    <!-- security -->    <dependency>        <groupId>org.springframework.boot</groupId>        <artifactId>spring-boot-starter-security</artifactId>    </dependency>    <dependency>        <groupId>org.springframework.security</groupId>        <artifactId>spring-security-data</artifactId>    </dependency>    <dependency>        <groupId>org.springframework.security</groupId>        <artifactId>spring-security-cas</artifactId>    </dependency>

2.配置类

@Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)public class SecurityConfiguration extends WebSecurityConfigurerAdapter {    @Inject    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {        auth.authenticationProvider(casAuthenticationProvider());    }    @Override    public void configure(WebSecurity web) throws Exception {        web.ignoring()            .antMatchers(HttpMethod.OPTIONS, "/**")            .antMatchers("/app/**/*.{js,html}")            .antMatchers("/bower_components/**")            .antMatchers("/i18n/**")            .antMatchers("/content/**")            .antMatchers("/test/**")            ;    }    @Bean    public PasswordEncoder passwordEncoder() {        return new StandardPasswordEncoder("tnappsk1234");    }    @Bean    public ServiceProperties serviceProperties() {        ServiceProperties sp = new ServiceProperties();        //从cas server获取st后重定向的url，casAuthenticationFilter进行捕获，默认以/login/cas结尾        String fstr = "http://test.tn.com/login/cas";        sp.setService(fstr);        sp.setSendRenew(false);        return sp;    }    @Bean    public CasAuthenticationEntryPoint casAuthenticationEntryPoint(){        CasAuthenticationEntryPoint ep = new CasAuthenticationEntryPoint();        ep.setServiceProperties(serviceProperties());        //cas server 登陆路径        ep.setLoginUrl("https://test.cas.com:9443/cas/login");        return ep;    }    @Bean    public CasAuthenticationProvider casAuthenticationProvider(){        CasAuthenticationProvider pro = new CasAuthenticationProvider();        pro.setServiceProperties(serviceProperties());        pro.setAuthenticationUserDetailsService(customUserDetailsService());        pro.setTicketValidator(cas20ServiceTicketValidator());        pro.setKey("an_id_for_this_auth_provider_only");        return pro;    }    @Bean    public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {        //cas server路径        return new Cas20ServiceTicketValidator("https://test.cas.com:9443/cas");    }    @Bean    public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> customUserDetailsService() {        Set<String> admins = new HashSet<String>();        String adminUserName = "admin";        admins.add("admin");        if (adminUserName != null && !adminUserName.isEmpty()) {            admins.add(adminUserName);        }        return new CustomUserDetailsService(admins);    }    @Bean    public CasAuthenticationFilter casAuthenticationFilter() throws Exception{        CasAuthenticationFilter af = new CasAuthenticationFilter();        af.setSessionAuthenticationStrategy(sessionStrategy());        af.setAuthenticationManager(authenticationManager());        return af;    }    @Bean    public SessionAuthenticationStrategy sessionStrategy() {        SessionAuthenticationStrategy sessionStrategy = new SessionFixationProtectionStrategy();        return sessionStrategy;    }    @Bean    public SingleSignOutFilter singleSignOutFilter() {        SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();        singleSignOutFilter.setIgnoreInitConfiguration(true);        singleSignOutFilter.setCasServerUrlPrefix("https://test.cas.com:9443/cas");        return singleSignOutFilter;    }    @Bean    public LogoutFilter requestCasGlobalLogoutFilter() {        LogoutFilter logoutFilter = new LogoutFilter("https://test.cas.com:9443/cas/logout?service=http://test.tn.com", new SecurityContextLogoutHandler());        logoutFilter.setFilterProcessesUrl("/api/logout");        logoutFilter.setLogoutRequestMatcher(new AntPathRequestMatcher("/api/logout", "POST"));        return logoutFilter;    }    @Override    protected void configure(HttpSecurity http) throws Exception {        http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())            .and().addFilter(casAuthenticationFilter())            .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)            .addFilterBefore(requestCasGlobalLogoutFilter(), LogoutFilter.class);        http        .csrf().disable()            .headers()            .frameOptions()            .disable()        .and()            .authorizeRequests()            .antMatchers("/api/register").denyAll()            .antMatchers("/api/activate").permitAll()            .antMatchers("/api/content-items/category").permitAll()            .antMatchers("/api/authenticate").permitAll()            .antMatchers("/api/account/reset_password/init").permitAll()            .antMatchers("/api/account/reset_password/finish").permitAll()            .antMatchers("/api/profile-info").permitAll()            .antMatchers("/api/**").authenticated()            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)            .antMatchers("/v2/api-docs/**").permitAll()            .antMatchers("/swagger-resources/configuration/ui").permitAll()            .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);    }    @Bean    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {        return new SecurityEvaluationContextExtension();    }}

注意：密码passwordEncoder()，需要配置成与cas一致，使用MD5，这里配置有误

主要：CasAuthenticationFilter，CasAuthenticationEntryPoint，CasAuthenticationProvider的配置，
具体可以参考Spring Security官方文档CAS Authentication部分：

http://docs.spring.io/spring-security/site/docs/4.2.0.RELEASE/reference/htmlsingle/#cas

使用redis做http session共享

使用redis做http session的缓存，这样当从cas server 重定向回某类应用的service url（下有多个机子组成集群）时，可以指定同一个域名，这样session就实现了共享。

1.引入依赖

<!-- redis --><dependency>    <groupId>org.springframework.boot</groupId>    <artifactId>spring-boot-starter-redis</artifactId></dependency><dependency>  <groupId>org.springframework.session</groupId>  <artifactId>spring-session-data-redis</artifactId></dependency>

2.配置类

@Configuration@EnableRedisHttpSessionpublic class RedisSessionConfig {    /**     * 修改数据在redis中的存储方式，方便调试     * @Title: sessionRedisTemplate      * @Description: TODO     * @param connectionFactory     * @return     * @return: RedisTemplate<Object,Object>     */    @Bean    public RedisTemplate<Object, Object> sessionRedisTemplate(            RedisConnectionFactory connectionFactory) {        RedisTemplate<Object, Object> template = new RedisTemplate<Object, Object>();        template.setKeySerializer(new GenericJackson2JsonRedisSerializer());        template.setHashKeySerializer(new GenericJackson2JsonRedisSerializer());        template.setConnectionFactory(connectionFactory);        return template;    }}

使用nginx做负载均衡

修改nginx.conf，负载均衡采用轮询的策略：

http{   upstream tn {     server test.tn.com:6900;     server test.tn.com:6901;   }   server{     listen 80;     location / {      proxy_pass http://tn;     }  }

修改hosts

127.0.0.1 test.tn.com  //webapp127.0.0.1 test.cas.com //cas server

start nginx启动

浏览器中，访问http://test.tn.com/xxx/xxx（受管控方法），跳转到Cas Server，登陆验证身份后，重定向回之前的url，不断刷新，通过观察日子，请求分发到不同的webapp

阅读全文

0 0