spring security与cas client集成(无http标签方式)

<?xml version="1.0" encoding="UTF-8"?>
<!--
	Spring Security (3.2 schema) + Jasig CAS client, wired as explicit beans
	instead of the <security:http> element. "securityFilter" (a FilterChainProxy)
	is the single entry point: every <security:filter-chain> maps an Ant pattern to
	an ordered list of filters, and the first chain whose pattern matches is used.
	NOTE(review): hostnames, ports and the provider key are hard-coded while
	expiredUrl uses the ${security.login} placeholder; externalising all of them
	the same way avoids shipping test.eteams.cn addresses with the application.
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">
 
	<bean id="securityFilter" class="org.springframework.security.web.FilterChainProxy">
		<constructor-arg>
			<util:list>
				<!-- filters="none": these paths bypass the whole security filter chain
				     (no SecurityContext, no session handling, no authorization). Each
				     one should be confirmed as intentionally public; /remote/** in
				     particular exposes everything beneath it without authentication.
				     NOTE(review): in Ant matching '**' only spans directories when it
				     is a whole path segment, so /**.html likely matches only top level
				     .html files; verify that is the intent. -->
				<security:filter-chain pattern="/favicon.ico" filters="none" />
				<security:filter-chain pattern="/**.html" filters="none" />
				<security:filter-chain pattern="/static/**" filters="none" />
				<security:filter-chain pattern="/site/**" filters="none" />
				<security:filter-chain pattern="/login**" filters="none" />
				<security:filter-chain pattern="/login/**" filters="none" />
				<security:filter-chain pattern="/signup**" filters="none" />
				<security:filter-chain pattern="/signup/**" filters="none" />
				<security:filter-chain pattern="/join**" filters="none" />
				<security:filter-chain pattern="/join/**" filters="none" />
				<security:filter-chain pattern="/remote/**" filters="none" />
				<!-- <security:filter-chain pattern="/" filters="casValidationFilter, wrappingFilter" /> -->
				<!-- CAS proxy callback endpoint: only the ticket validation filter runs here
				     (see proxyReceptorUrl on casValidationFilter below). -->
				<security:filter-chain pattern="/secure/receptor" filters="casValidationFilter" />
				<!-- Logout is handled by requestSingleLogoutFilter (filterProcessesUrl=/logout). -->
				<security:filter-chain pattern="/logout" filters="requestSingleLogoutFilter,exceptionTranslationFilter,filterSecurityInterceptor" />
				<!-- Default chain for everything else. Order matters: session expiry check,
				     then restore the SecurityContext, then CAS ticket authentication,
				     then request wrapping, then exception translation around the
				     authorization interceptor. -->
				<security:filter-chain pattern="/**"
					filters="concurrentSessionFilter,securityContextFilter,casFilter,wrappingFilter,
					exceptionTranslationFilter,filterSecurityInterceptor" />
			</util:list>
		</constructor-arg>
	</bean>
	<!-- Redirects requests whose session was marked expired in the registry to
	     expiredUrl; this is the only externalised URL in the file. -->
	<bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"
          p:sessionRegistry-ref="sessionRegistry" p:expiredUrl="${security.login}" />
	<!-- Shared session registry used by concurrentSessionFilter, the context
	     repository and both session control strategies below. -->
	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
<!-- 	<bean id="sessionRegistry" class="com.weaver.teams.security.session.TeamsSessionRegistry" /> -->

	<!-- Loads the SecurityContext from securityContextRepository before the request
	     and stores it back afterwards. -->
	<bean id="securityContextFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
		<constructor-arg  name="repo" ref="securityContextRepository" />
	</bean>
	
	<!-- Project specific repository (not shown here); it is handed the same registry
	     as the filters, presumably to keep the registry in step with stored contexts.
	     NOTE(review): confirm against the class. -->
	<bean id="securityContextRepository" class="com.weaver.teams.security.session.TeamsSessionSecurityContextRepository" 
		p:sessionRegistry-ref="sessionRegistry" />
	<!-- Authorization. intercept-url entries are matched in order, so the more
	     specific /secure/extreme/** must stay above /secure/** and the /** catch-all.
	     Note that /secure/receptor never reaches this bean: its filter chain above
	     contains only casValidationFilter. -->
	<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="securityMetadataSource">
            <security:filter-invocation-definition-source>
                <security:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
                <security:intercept-url pattern="/secure/**" access="ROLE_USER"/>
                <security:intercept-url pattern="/**" access="ROLE_USER"/>
            </security:filter-invocation-definition-source>
        </property>
    </bean>

	<!-- Jasig wrapper so the servlet API (getRemoteUser etc.) reflects the CAS
	     assertion; runs after casFilter in the default chain. -->
	<bean id="wrappingFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" />
	<!-- "service" is the URL the CAS server sends the browser back to, with the
	     service ticket appended as a query parameter. Its path (/securitycheck)
	     must equal casFilter.filterProcessesUrl.
	     NOTE(review): this URL is plain http:// while the CAS server itself is
	     reached over https://; the service ticket would therefore travel over an
	     unencrypted hop. Serving the application over https and using an https
	     service URL avoids that.
	     sendRenew=false: an existing CAS single sign-on session is accepted
	     without asking for credentials again. -->
	<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
	  <property name="service"
	      value="http://test.eteams.cn:9080/securitycheck"/>
	  <property name="sendRenew" value="false"/>
	</bean>
	<!-- Consumes the service ticket on /securitycheck (custom value; the Spring
	     default path is different) and hands it to authenticationManager. The
	     session strategy guards against session fixation and enforces the
	     registry based concurrent session limit. -->
	<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
  		<property name="authenticationManager" ref="authenticationManager"/>
  		<property name="sessionAuthenticationStrategy" ref="concurrentSessionControlStrategy"/>
  		<property name="filterProcessesUrl" value="/securitycheck"/>
	</bean>
	<!-- Only the registry is supplied; maximumSessions and related settings are
	     left at the class defaults. NOTE(review): a second strategy bean,
	     "sessionStrategy" at the end of the file, is not referenced anywhere in
	     this file; decide which one is meant to be active. -->
	<bean id="concurrentSessionControlStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg ref="sessionRegistry"/>
    </bean>
	<!-- Jasig filter that validates tickets and receives proxy granting ticket
	     callbacks on proxyReceptorUrl (/secure/receptor, wired in the chain above).
	     exceptionOnValidationFailure=true: a ticket that fails validation raises
	     instead of being silently ignored.
	     NOTE(review): in the Jasig client "serverName" is this application's own
	     address, used to rebuild the service URL; here it is https://test.eteams.cn:9082,
	     which is also the CAS server base URL used by casEntryPoint and
	     ticketValidator. Unless the application is itself served on 9082 this
	     (and ticketValidator.proxyCallbackUrl) points at the wrong host. -->
	<bean id="casValidationFilter" class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
        <property name="serverName" value="https://test.eteams.cn:9082" />
        <property name="exceptionOnValidationFailure" value="true" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="redirectAfterValidation" value="true" />
        <property name="ticketValidator" ref="ticketValidator" />
        <property name="proxyReceptorUrl" value="/secure/receptor" />
    </bean> 
    <!-- In-memory PGT storage. NOTE(review): not shared between nodes, so in a
         clustered deployment the proxy callback must reach the same instance that
         requested the ticket; confirm before scaling out. -->
    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

	<!-- Where unauthenticated users are sent: the CAS server login page, with the
	     service URL from serviceProperties appended. -->
	<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
	    <property name="loginUrl" value="https://test.eteams.cn:9082/login"/>
	    <property name="serviceProperties" ref="serviceProperties"/>
	</bean>
	
	<!-- Constructor arg 0 is the CAS server URL prefix; the validator appends the
	     protocol endpoint path itself. proxyCallbackUrl should be this application's
	     /secure/receptor endpoint (see the NOTE on casValidationFilter about host 9082). -->
	<bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" >
        <constructor-arg index="0" value="https://test.eteams.cn:9082" />
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        <property name="proxyCallbackUrl" value="https://test.eteams.cn:9082/secure/receptor" />
    </bean>
    
	<!-- Single provider: CAS only, no local password authentication. -->
	<security:authentication-manager alias="authenticationManager">  
    	<security:authentication-provider ref="casAuthenticationProvider"/>  
	</security:authentication-manager> 
	
	<!-- Validates the ticket via ticketValidator and loads authorities through
	     teamsUserDetailsByNameService (no password is involved on this side).
	     NOTE(review): "key" is used to recognise tokens this provider created and
	     the value below is the sample from the reference documentation; use a
	     deployment specific value. -->
	<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
	    <property name="authenticationUserDetailsService" ref="teamsUserDetailsByNameService" />
  		<property name="serviceProperties" ref="serviceProperties" />
  		<property name="ticketValidator" ref="ticketValidator" />
  		<property name="key" value="an_id_for_this_auth_provider_only"/>
	</bean>
	<bean id="teamsUserDetailsByNameService" class="com.weaver.teams.security.cas.TeamsUserDetailsByNameService" />
	<!-- Commented-out in-memory user service with a test account (user "1111"):
	     remove it from the file rather than leaving it behind in production config. -->
	<!-- <bean id="casAuthenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" >
            <ref bean="userService" />
        </property>
    </bean>
	<security:user-service id="userService">
	    <security:user name="1111" authorities="ROLE_USER" />
	</security:user-service> -->

	<!-- Local logout on /logout: SecurityContextLogoutHandler clears the context,
	     then the browser is redirected to the CAS server /logout (first
	     constructor arg) to end the single sign-on session as well. -->
	<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    	<constructor-arg value="https://test.eteams.cn:9082/logout"/>
    	<constructor-arg>
    		<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
  		</constructor-arg>
  		<property name="filterProcessesUrl" value="/logout"/>
	</bean>
	
	<!-- Unauthenticated requests go to casEntryPoint (CAS login redirect);
	     authenticated but unauthorized ones go to accessDeniedHandler. -->
	<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter"
		p:authenticationEntryPoint-ref="casEntryPoint" p:accessDeniedHandler-ref="accessDeniedHandler" />

	<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl"/>

	<!-- AffirmativeBased: access is granted as soon as one voter grants.
	     allowIfAllAbstainDecisions=false keeps the default of denying a request
	     that no voter can decide on. -->
	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"
		p:allowIfAllAbstainDecisions="false" p:decisionVoters-ref="decisionVoters" />

	<!-- RoleVoter handles the ROLE_ attributes used in the intercept-url entries;
	     AuthenticatedVoter only votes on IS_AUTHENTICATED_* attributes, none of
	     which appear above. -->
	<util:list id="decisionVoters">
		<bean class="org.springframework.security.access.vote.RoleVoter" p:rolePrefix="ROLE_" />
		<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
	</util:list>

	<!-- NOTE(review): defined but not referenced by any bean in this file; casFilter
	     uses concurrentSessionControlStrategy instead. Either wire this one in or
	     remove it. -->
	<bean id="sessionStrategy" class="com.weaver.teams.security.session.TeamsConcurrentSessionControlStrategy">
		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
	</bean>
</beans>

自定义了一个testfilter用于测试,可以删掉;usermanager是实现的UserDetailsService接口(注意这个在和cas整合后是不需要放入密码的)。至于为何不用http标签方式配置,是因为这种方式灵活度高,可扩展性强。

ConcurrentSessionFilter,管理session,如果session过期则logout。

SecurityContextPersistenceFilter,从SecurityContextRepository(session或jdbc或别的实现)取出SecurityContext(如果为空则创建一个新的empty SecurityContext),放入SecurityContextHolder(默认为ThreadLocal实现)。

CasAuthenticationFilter,拦截/j_spring_cas_security_check的url(默认,可以自定义此url,此例子中为/securitycheck),取得服务器返回的ticket(ServiceTicket)参数进行验证,调用cas服务器的/validate接口,将返回的xml解析为Assertion对象,如果验证失败会抛出异常。这个filter可以配置一个sessionAuthenticationStrategy策略接口的属性,用于防止session固定攻击和控制session最大数量(非cas的spring security则是通过SessionManagementFilter来实现的,http标签方式也有对应标签<session-management>)。

HttpServletRequestWrapperFilter,支持servlet api,填充HttpServletRequest对象。

ExceptionTranslationFilter,代码里有try/catch结构,try里会执行doFilter,即filterSecurityInterceptor的验证和权限判断逻辑;如果验证失败或者权限校验失败,则通过casEntryPoint的url转向cas server的login进行登录。

FilterSecurityInterceptor,验证Authentication对象,校验权限。

只要理清了这些filter的逻辑,验证码、usb动态密码、客户端信息记录(如客户端类型:pc、手机等)等等都可以自定义实现。
