cas-sample-site1/2各配上一个用于显示咱们是否可以成功后用户信息的index.jsp

时间 2019-11-12

标签 cas sample site1 site 配上一个用于显示咱们是否可以成功用户信息 index.jsp index jsp 栏目职业生涯繁體版

原文原文链接

在同一个域名下如taobao.com下会有多个商铺（就是租户）比如：javascript

taobao.com/company_101/张飞
taobao.com/company_102/张飞
taobao.com/company_103/赵云

看张飞这个名字，看！！！css

不一样的company（租户）下有着相同的用户，但其实这是两个不用的用户，中国同名同姓的人多了去了，对吧，这时company_101的张飞登陆是因该只看到它所属的company_101这个租户下全部的数据和信息吧，而不能跑到company_102中看到别人家的信息，对吧？html

国外不少解决方案说是在咱们的CAS SSO的配置文件里在绑定LDAP的context时写上多条这样的东西：java

<bean class=" org.sky.cas.auth.CASLDAPAuthenticationHandler"git
p:filter="uid=%u" p:searchBase="o=101,o=company,dc=sky,dc=org"github
p:contextSource-ref="contextSource" />web
<bean class=" org.sky.cas.auth.CASLDAPAuthenticationHandler"spring
p:filter="uid=%u" p:searchBase="o=102,o=company,dc=sky,dc=org"express
p:contextSource-ref="contextSource" />apache
<bean class=" org.sky.cas.auth.CASLDAPAuthenticationHandler"
p:filter="uid=%u" p:searchBase="o=103,o=company,dc=sky,dc=org"
p:contextSource-ref="contextSource" />

但是，咱们想一想：

咱们的租户在咱们的后台系统中是自动“开户”的，companyid是一个自动增长的，我从companyid_101如今增长到了companyid_110时，你是否是每次用户一开户，你就要去手动改这个CAS SSO中的配置文件呢？
若是你不嫌烦，好好好，你够狠，你就手工改吧！可是当你每次在配置文件中新增一条配置语句时，你的CAS SSO是否是要断服务重启啊？那你还怎么作到24*7的这种不间断服务啊

通常来讲，咱们的开户是用程序自动写入LDAP中去的，即LDAP中的company_101, company_102, company_103是由程序自动生成的，那咱们的程序就须要可以让用户在登陆后台B2B系统时自动能够根据用户选择的租户来为用户正确登陆的这么一种自动识别功能，就比如下面这样的一个登陆界面：

看到这个界面了吗？

对的，这个就是CAS SSO的主登陆界面，我把它都给改了，还加入了支持多租户登陆的功能，咱们今天就要来说这个功能是怎么作出来的，包括如何去定制本身的CAS SSO的登陆界面。

再来看看用于今天练习的咱们在LDAP中的组织结构是怎么样的吧。

看到上面这张图了吧，这就是我说的“多租户”的概念，你们应该记得咱们在CAS SSO次日中怎么去拿CAS SSO绑定LDAP中的一条UserDN而后去搜索的吧？

<bean class=" org.sky.cas.auth.CASLDAPAuthenticationHandler"
p:filter="uid=%u" p:searchBase="o=company,dc=sky,dc=org"
p:contextSource-ref="contextSource" />

对吧！！！

如今咱们要作到的就是：

p:searchBase="xxx.xxx.xx"

这条要作成动态的，好比说:

用户是company_id=101的，这时这个p:searchBase就应该变为：“p:searchBase="uid=sky,o=101,o=company,dc=sky,dc=org"
用户是company_id=102的，这时这个p:searchBase就应该变为：“p:searchBase="uid=jason,o=102,o=company,dc=sky,dc=org"

前面咱们提到过，这些配置是放在XML文件中的，所以每次增长一个”租户“咱们要手工在XML配置文件中新增一条，这个不现实，它是实现不了咱们的24*7的这种服务的要求的，咱们要作的是可让这个p:searchBase可以动态的去组建这个userDN，因此重点是要解决这个问题。

该问题在国外的YALE CAS论坛上有两种解决方案：

一种是直接经过CAS的登陆界面而后在输入用户名时要求用户以这种形式“uid=sky,o=101"去输入它的用户名，这种作法先不去说会形成用户登陆时的困扰，并且CAS SSO的登陆界面也不支持这样格式的用户名输入。
一种就是很笨的在CAS SSO的配置文件中绑定多个p:searchBase，这个方法已经被咱们否掉了。

所以，笔者在这边要提的将是首创的能够作到全动态的去根据用户名，密码和所该用户所属组织自动在后台建立p:searchBase的最完美的解决方案，下面咱们就开始吧。

建立工程

咱们此次是要在CAS SSO这个产品上作扩展了，为此，咱们不能再像咱们第一天和次日中那样直接拿个文本编辑器去改CAS SSO里的配置文件了，咱们须要建立一个eclipse工程，来看咱们的eclipse工程。

look，今天咱们把这个cas-server放到了eclipse工程中去了，而后在eclipse里随改随测试，如今咱们就来说述如何建立这个工程以使得cas server能够运行在咱们的eclipse的工程中。

所以咱们在eclipse中新建一个java工程-是java工程你可千万不要建成j2ee工程啊，而后按照上图创建相应的目录。

CAS SERVER工程的组建

导入全部的配置文件

这是咱们在第一天，次日中布署在tomcat下的cas server工程的目录：

D:\tomcat\webapps\cas-server\WEB-INF\classes

把这个目录下全部的内容，除去如下2个目录：

org
META-INF

外全部的东西通通拷贝入eclipse中的cas-server工程中的src/main/resources目录下

构建WEB-INF目录

将D:\tomcat\webapps\cas-server\WEB-INF目录下这几个目录放入cas-server工程的src/main/webapp/WEB-INF目录下

构建cas-server基本源码

解压开咱们下载的”cas-server-3.5.2-release"包，内含源码，它位于这样的一个目录cas-server-3.5.2\cas-server-webapp\src\main\java“

将这个目录下全部的文件置于cas-server工程的src/main/java目录下

并在eclipse工程中作以下设置

此处须要注意的是咱们把：

src/main/java
src/main/resources

这两个目录作成编译路径，而src/main/webapp不做为编译路径。

别忘了把全部的src/main/webapp/WEB-INF/lib目录下的jar加到cas-server工程的Libraries中去。

构建webapp目录

将咱们在第一天、次日中布署在tomcat中的case-server中如下这些目录

拷贝到eclipse的cas-server工程中的src/main/webapp目录

CAS SSO在jboss/weblogic下的bug的修正

因为咱们的eclipse中的cas-server将和咱们的cas-sample-site1以及cas-sample-site2启动在jboss下，所以cas sso在jboss或者是在weblogic下有两个小问题，在此须要修正。

META-INF文件内的persistence.xml中报HSQLDialect错误
报log4jConfiguration.xml文件在启动时找不到的错误

下面咱们来看如何修正这两个小BUG。

修正CAS SSO的persistence.xml文件中的HSQLDialect错误

这是原始的/META-INF/persistence.xml文件的内容：

<class>org.jasig.cas.services.AbstractRegisteredService</class>
<class>org.jasig.cas.services.RegexRegisteredService</class>
<class>org.jasig.cas.services.RegisteredServiceImpl</class>
<class>org.jasig.cas.ticket.TicketGrantingTicketImpl</class>
<class>org.jasig.cas.ticket.ServiceTicketImpl</class>
<class>org.jasig.cas.ticket.registry.support.JpaLockingStrategy$Lock</class>

咱们在文件最后加入如下配置代码

<class>org.jasig.cas.services.AbstractRegisteredService</class>
<class>org.jasig.cas.services.RegexRegisteredService</class>
<class>org.jasig.cas.services.RegisteredServiceImpl</class>
<class>org.jasig.cas.ticket.TicketGrantingTicketImpl</class>
<class>org.jasig.cas.ticket.ServiceTicketImpl</class>
<class>org.jasig.cas.ticket.registry.support.JpaLockingStrategy$Lock</class>
<properties>
<property name="hibernate.dialect" value="org.hibernate.dialect.HSQLDialect" />
</properties>

这是完整的改完后的persistence.xml文件的内容：

<persistence xmlns="http://java.sun.com/xml/ns/persistence"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/persistence http://java.sun.com/xml/ns/persistence/persistence_2_0.xsd"
version="2.0">
<persistence-unit name="CasPersistence" transaction-type="RESOURCE_LOCAL">
<class>org.jasig.cas.services.AbstractRegisteredService</class>
<class>org.jasig.cas.services.RegexRegisteredService</class>
<class>org.jasig.cas.services.RegisteredServiceImpl</class>
<class>org.jasig.cas.ticket.TicketGrantingTicketImpl</class>
<class>org.jasig.cas.ticket.ServiceTicketImpl</class>
<class>org.jasig.cas.ticket.registry.support.JpaLockingStrategy$Lock</class>
<properties>
<property name="hibernate.dialect" value="org.hibernate.dialect.HSQLDialect" />
</properties>
</persistence-unit>
</persistence>

改完后请保存。

修正CAS SSO中log4jConfiguration.xml文件在启动时找不到的错误

找到eclipse的cas-server工程中WEB-INF/spring-configuration/log4jConfiguration.xml文件，将这段内容注释掉

<bean id="log4jInitialization" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass" value="org.springframework.util.Log4jConfigurer"/>
<property name="targetMethod" value="initLogging"/>
<property name="arguments">
<list>
<value>${log4j.config.location:classpath:log4j.xml}</value>
<value>${log4j.refresh.interval:60000}</value>
</list>
</property>
</bean>

整个log4jConfiguration.xml文件修改后是这个样子的：

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
<!--
<bean id="log4jInitialization" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass" value="org.springframework.util.Log4jConfigurer"/>
<property name="targetMethod" value="initLogging"/>
<property name="arguments">
<list>
<value>${log4j.config.location:classpath:log4j.xml}</value>
<value>${log4j.refresh.interval:60000}</value>
</list>
</property>
</bean>
-->
</beans>

改完后请保存。

将CAS-SERVER从eclipse java工程改成j2ee工程

右键单击cas-sso工程，选择project properties，而后选择project facet，按照以下截图来作选择。

组装可在eclipse中启动的cas-server web工程

右键单击cas-sso工程，选择project properties，而后选择Deployment Assembly，这个基本功我已经在通向架构师的道路（第二十天）万能框架spring(二)maven结合spring与ibatis中详细讲述过这个Deployment Assembly是干什么用的了。

在eclipse中启动cas-server工程

一切无误后请在eclipse中启动cas-sso吧。

开始修改源码

如何让cas-server支持动态的p:searchBase呢

咱们的p:searchBase从这一层o=company,dc=sky,dc=org开始要进行动态组装，所以咱们将在deployConfiguration.xml文件中将咱们的ldap的p:searchBase的绑定改为以下：

p:searchBase="o=company,dc=sky,dc=org"，而后咱们使用程序动态组建o=company,dc=sky,dc=org以前的内容究竟是该“o=101”呢仍是因该是“o=102” 这样的串。

为cas server的登陆增长一个项

原来的cas sso的登陆项只有两个属性：

username
password

咱们须要增长一个companyid，用于判断当前登陆的用户是属于哪一个租户的。

新建CASCredential类

public class CASCredential extends RememberMeUsernamePasswordCredentials {
private static final long serialVersionUID = 1L;
private Map<String, Object> param;
private String companyid;
/**
* @return the companyid
*/
public String getCompanyid() {
return companyid;
}
/**
* @param companyid the companyid to set
*/
public void setCompanyid(String companyid) {
this.companyid = companyid;
}
public Map<String, Object> getParam() {
return param;
}
public void setParam(Map<String, Object> param) {
this.param = param;
}
}

这就是咱们扩展的CASCredential类，该类除了拥有原来CAS SSO基本credential中的username和password两个属性外还有一个叫companyid的属性。

将新增的companyid绑定至cas sso的登陆页面

修改src/main/webapp/WEB-INF/login-webflow.xml文件，找到如下这段：

<view-state id="viewLoginForm" view="casLoginView" model="credentials">
<binder>
<binding property="username" />
<binding property="password" />
</binder>

将其改为：

<view-state id="viewLoginForm" view="casLoginView" model="credentials">
<binder>
<binding property="username" />
<binding property="password" />
<binding property="companyid"/>
</binder>

扩展CAS SSO登陆页面的submit行为以支持咱们在页面中新增的companyid属性能够被提交到CAS SSO的后台

新建一个类CASAuthenticationViaFormAction，内容以下：

package org.sky.cas.auth;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.constraints.NotNull;
import org.jasig.cas.CentralAuthenticationService;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.ticket.TicketException;
import org.jasig.cas.web.bind.CredentialsBinder;
import org.jasig.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.binding.message.MessageBuilder;
import org.springframework.binding.message.MessageContext;
import org.springframework.util.StringUtils;
import org.springframework.web.util.CookieGenerator;
import org.springframework.webflow.core.collection.MutableAttributeMap;
import org.springframework.webflow.execution.RequestContext;
@SuppressWarnings("deprecation")
public class CASAuthenticationViaFormAction {
/**
* Binder that allows additional binding of form object beyond Spring
* defaults.
*/
private CredentialsBinder credentialsBinder;
/** Core we delegate to for handling all ticket related tasks. */
@NotNull
private CentralAuthenticationService centralAuthenticationService;
@NotNull
private CookieGenerator warnCookieGenerator;
protected Logger logger = LoggerFactory.getLogger(getClass());
public final void doBind(final RequestContext context, final Credentials credentials) throws Exception {
final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
if (this.credentialsBinder != null && this.credentialsBinder.supports(credentials.getClass())) {
this.credentialsBinder.bind(request, credentials);
}
}
public final String submit(final RequestContext context, final Credentials credentials, final MessageContext messageContext)
throws Exception {
String companyid = "";
// Validate login ticket
final String authoritativeLoginTicket = WebUtils.getLoginTicketFromFlowScope(context);
final String providedLoginTicket = WebUtils.getLoginTicketFromRequest(context);
if (credentials instanceof CASCredential) {
String companyCode = "compnayid";
CASCredential rmupc = (CASCredential) credentials;
companyid = rmupc.getCompanyid();
}
if (!authoritativeLoginTicket.equals(providedLoginTicket)) {
this.logger.warn("Invalid login ticket " + providedLoginTicket);
final String code = "INVALID_TICKET";
messageContext.addMessage(new MessageBuilder().error().code(code).arg(providedLoginTicket).defaultText(code).build());
return "error";
}
final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
final Service service = WebUtils.getService(context);
if (StringUtils.hasText(context.getRequestParameters().get("renew")) && ticketGrantingTicketId != null && service != null) {
try {
final String serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicketId,
service, credentials);
WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
putWarnCookieIfRequestParameterPresent(context);
return "warn";
} catch (final TicketException e) {
if (isCauseAuthenticationException(e)) {
populateErrorsInstance(e, messageContext);
return getAuthenticationExceptionEventId(e);
}
this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketId);
if (logger.isDebugEnabled()) {
logger.debug("Attempted to generate a ServiceTicket using renew=true with different credentials", e);
}
}
}
try {
CASCredential rmupc = (CASCredential) credentials;
WebUtils.putTicketGrantingTicketInRequestScope(context,
centralAuthenticationService.createTicketGrantingTicket(rmupc));
putWarnCookieIfRequestParameterPresent(context);
return "success";
} catch (final TicketException e) {
populateErrorsInstance(e, messageContext);
if (isCauseAuthenticationException(e))
return getAuthenticationExceptionEventId(e);
return "error";
}
}
private void populateErrorsInstance(final TicketException e, final MessageContext messageContext) {
try {
messageContext.addMessage(new MessageBuilder().error().code(e.getCode()).defaultText(e.getCode()).build());
} catch (final Exception fe) {
logger.error(fe.getMessage(), fe);
}
}
private void putWarnCookieIfRequestParameterPresent(final RequestContext context) {
final HttpServletResponse response = WebUtils.getHttpServletResponse(context);
if (StringUtils.hasText(context.getExternalContext().getRequestParameterMap().get("warn"))) {
this.warnCookieGenerator.addCookie(response, "true");
} else {
this.warnCookieGenerator.removeCookie(response);
}
}
private AuthenticationException getAuthenticationExceptionAsCause(final TicketException e) {
return (AuthenticationException) e.getCause();
}
private String getAuthenticationExceptionEventId(final TicketException e) {
final AuthenticationException authEx = getAuthenticationExceptionAsCause(e);
if (this.logger.isDebugEnabled())
this.logger.debug("An authentication error has occurred. Returning the event id " + authEx.getType());
return authEx.getType();
}
private boolean isCauseAuthenticationException(final TicketException e) {
return e.getCause() != null && AuthenticationException.class.isAssignableFrom(e.getCause().getClass());
}
public final void setCentralAuthenticationService(final CentralAuthenticationService centralAuthenticationService) {
this.centralAuthenticationService = centralAuthenticationService;
}
/**
* Set a CredentialsBinder for additional binding of the HttpServletRequest
* to the Credentials instance, beyond our default binding of the
* Credentials as a Form Object in Spring WebMVC parlance. By the time we
* invoke this CredentialsBinder, we have already engaged in default binding
* such that for each HttpServletRequest parameter, if there was a JavaBean
* property of the Credentials implementation of the same name, we have set
* that property to be the value of the corresponding request parameter.
* This CredentialsBinder plugin point exists to allow consideration of
* things other than HttpServletRequest parameters in populating the
* Credentials (or more sophisticated consideration of the
* HttpServletRequest parameters).
*
* @param credentialsBinder the credentials binder to set.
*/
public final void setCredentialsBinder(final CredentialsBinder credentialsBinder) {
this.credentialsBinder = credentialsBinder;
}
public final void setWarnCookieGenerator(final CookieGenerator warnCookieGenerator) {
this.warnCookieGenerator = warnCookieGenerator;
}
}

这个类很简单，主要是第59行到第64行的：

if (credentials instanceof CASCredential) {
String companyCode = "compnayid";
CASCredential rmupc = (CASCredential) credentials;
companyid = rmupc.getCompanyid();
}

以及第98行到第100行的：

CASCredential rmupc = (CASCredential) credentials;
WebUtils.putTicketGrantingTicketInRequestScope(context,
centralAuthenticationService.createTicketGrantingTicket(rmupc));

它告诉了CAS SSO使用咱们自定义的CASCredential来验证用户在CAS SSO中的登陆信息，而不是原来CAS SSO默认的UsernameAndPasswordCredential。

把”CASAuthenticationViaFormAction“类注册给CAS SSO，告诉CAS SSO在登陆页面点击”登陆“按钮后可以使用这个咱们自定义的submit action：

修改配置文件：src/main/webapp/WEB-INF/cas-servlet.xml

找到如下这行：

<bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:warnCookieGenerator-ref="warnCookieGenerator"/>

把它注释掉改为：

<!-- <bean id="authenticationViaFormAction" class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:warnCookieGenerator-ref="warnCookieGenerator"/>
-->
<bean id="authenticationViaFormAction"
class="org.sky.cas.auth.CASAuthenticationViaFormAction"
p:centralAuthenticationService-ref="centralAuthenticationService"
p:warnCookieGenerator-ref="warnCookieGenerator" />

此时，CAS SSO的登陆界面在用户点击submit按钮时，就会使用咱们自定义的这个CASAuthenticationViaFormAction类了。

增长p:searchBase使得CAS SSO的LDAP能够根据不一样的companyid动态搜索用户的功能

新增一个类CASLDAPAuthenticationHandler，代码以下：

package org.sky.cas.auth;
import org.jasig.cas.adaptors.ldap.AbstractLdapUsernamePasswordAuthenticationHandler;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.util.LdapUtils;
import org.springframework.ldap.NamingSecurityException;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.NameClassPairCallbackHandler;
import org.springframework.ldap.core.SearchExecutor;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import java.util.ArrayList;
import java.util.List;
public class CASLDAPAuthenticationHandler extends AbstractLdapUsernamePasswordAuthenticationHandler {
/** The default maximum number of results to return. */
private static final int DEFAULT_MAX_NUMBER_OF_RESULTS = 1000;
/** The default timeout. */
private static final int DEFAULT_TIMEOUT = 1000;
/** The search base to find the user under. */
private String searchBase;
/** The scope. */
@Min(0)
@Max(2)
private int scope = SearchControls.ONELEVEL_SCOPE;
/** The maximum number of results to return. */
private int maxNumberResults = DEFAULT_MAX_NUMBER_OF_RESULTS;
/** The amount of time to wait. */
private int timeout = DEFAULT_TIMEOUT;
/** Boolean of whether multiple accounts are allowed. */
private boolean allowMultipleAccounts;
protected final boolean authenticateUsernamePasswordInternal(final UsernamePasswordCredentials credentials)
throws AuthenticationException {
CASCredential rmupc = (CASCredential) credentials;
final String companyid = rmupc.getCompanyid();
final List<String> cns = new ArrayList<String>();
final SearchControls searchControls = getSearchControls();
final String transformedUsername = getPrincipalNameTransformer().transform(credentials.getUsername());
final String filter = LdapUtils.getFilterWithValues(getFilter(), transformedUsername);
try {
this.getLdapTemplate().search(new SearchExecutor() {
public NamingEnumeration executeSearch(final DirContext context) throws NamingException {
String baseDN = "";
if (companyid != null && companyid.trim().length() > 0) {
baseDN = "o=" + companyid + "," + searchBase;
} else {
baseDN = searchBase;
}
//System.out.println("searchBase=====" + baseDN);
return context.search(baseDN, filter, searchControls);
}
}, new NameClassPairCallbackHandler() {
public void handleNameClassPair(final NameClassPair nameClassPair) {
cns.add(nameClassPair.getNameInNamespace());
}
});
} catch (Exception e) {
log.error("search ldap error casue: " + e.getMessage(), e);
return false;
}
if (cns.isEmpty()) {
log.debug("Search for " + filter + " returned 0 results.");
return false;
}
if (cns.size() > 1 && !this.allowMultipleAccounts) {
log.warn("Search for " + filter + " returned multiple results, which is not allowed.");
return false;
}
for (final String dn : cns) {
DirContext test = null;
String finalDn = composeCompleteDnToCheck(dn, credentials);
try {
this.log.debug("Performing LDAP bind with credential: " + dn);
test = this.getContextSource().getContext(finalDn, getPasswordEncoder().encode(credentials.getPassword()));
if (test != null) {
return true;
}
} catch (final NamingSecurityException e) {
log.debug("Failed to authenticate user {} with error {}", credentials.getUsername(), e.getMessage());
return false;
} catch (final Exception e) {
this.log.error(e.getMessage(), e);
return false;
} finally {
LdapUtils.closeContext(test);
}
}
return false;
}
protected String composeCompleteDnToCheck(final String dn, final UsernamePasswordCredentials credentials) {
return dn;
}
private SearchControls getSearchControls() {
final SearchControls constraints = new SearchControls();
constraints.setSearchScope(this.scope);
constraints.setReturningAttributes(new String[0]);
constraints.setTimeLimit(this.timeout);
constraints.setCountLimit(this.maxNumberResults);
return constraints;
}
/**
* Method to return whether multiple accounts are allowed.
* @return true if multiple accounts are allowed, false otherwise.
*/
protected boolean isAllowMultipleAccounts() {
return this.allowMultipleAccounts;
}
/**
* Method to return the max number of results allowed.
* @return the maximum number of results.
*/
protected int getMaxNumberResults() {
return this.maxNumberResults;
}
/**
* Method to return the scope.
* @return the scope
*/
protected int getScope() {
return this.scope;
}
/**
* Method to return the search base.
* @return the search base.
*/
protected String getSearchBase() {
return this.searchBase;
}
/**
* Method to return the timeout.
* @return the timeout.
*/
protected int getTimeout() {
return this.timeout;
}
public final void setScope(final int scope) {
this.scope = scope;
}
/**
* @param allowMultipleAccounts The allowMultipleAccounts to set.
*/
public void setAllowMultipleAccounts(final boolean allowMultipleAccounts) {
this.allowMultipleAccounts = allowMultipleAccounts;
}
/**
* @param maxNumberResults The maxNumberResults to set.
*/
public final void setMaxNumberResults(final int maxNumberResults) {
this.maxNumberResults = maxNumberResults;
}
/**
* @param searchBase The searchBase to set.
*/
public final void setSearchBase(final String searchBase) {
this.searchBase = searchBase;
}
/**
* @param timeout The timeout to set.
*/
public final void setTimeout(final int timeout) {
this.timeout = timeout;
}
/**
* Sets the context source for LDAP searches. This method may be used to
* support use cases like the following:
* <ul>
* <li>Pooling of LDAP connections used for searching (e.g. via instance
* of {@link org.springframework.ldap.pool.factory.PoolingContextSource}).</li>
* <li>Searching with client certificate credentials.</li>
* </ul>
* <p>
* If this is not defined, the context source defined by
* {@link #setContextSource(ContextSource)} is used.
*
* @param contextSource LDAP context source.
*/
public final void setSearchContextSource(final ContextSource contextSource) {
setLdapTemplate(new LdapTemplate(contextSource));
}
}

这个类的做用就是给src/main/webapp/WEB-INF/deployerConfiguration.xml中如下这段用的：

<property name="authenticationHandlers">
<list>
<bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean class=" org.sky.cas.auth.CASLDAPAuthenticationHandler"
p:filter="uid=%u" p:searchBase="o=company,dc=sky,dc=org"
p:contextSource-ref="contextSource" />
</list>
</property>

请注意代码50行处：

final String companyid = rmupc.getCompanyid();

以及59行到69行处：

public NamingEnumeration executeSearch(final DirContext context) throws NamingException {
String baseDN = "";
if (companyid != null && companyid.trim().length() > 0) {
baseDN = "o=" + companyid + "," + searchBase;
} else {
baseDN = searchBase;
}
//System.out.println("searchBase=====" + baseDN);
return context.search(baseDN, filter, searchControls);
}
}, new NameClassPairCallbackHandler() {

这就是在根据用户在登陆界面中选择的companyid不一样，而动态的去重组这个searchBase，以使得这个searchBase能够是o=101,o=company,dc=sky,dc=org, 也能够是o=102,o=company,dc=sky,dc=org同时它也能够变成o=103,o=company,dc=sky,dc=org。

有了这个类咱们要修改咱们的src/main/webapp/WEB-INF/deployerConfiguration.xml文件了，注意这个bean中的写法，已经被我修改掉了

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="credentialsToPrincipalResolvers">
<list>
<bean class="org.sky.cas.auth.CASCredentialsToPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository" />
</bean>
</list>
</property>
<property name="authenticationHandlers">
<list>
<bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean class=" org.sky.cas.auth.CASLDAPAuthenticationHandler"
p:filter="uid=%u" p:searchBase="o=company,dc=sky,dc=org"
p:contextSource-ref="contextSource" />
</list>
</property>
</bean>

看到这个CASLDAPAuthenticationHandler类在这边的做用了吧。

将LDAP中登陆用户的其它信息也带入到客户端登陆成功后跳转的页面中去

咱们知道，CAS SSO能够把username(uid)带入到客户端登陆成功后的页面中去，但是一个uid在LDAP中还关联着许多其它有用的信息如：email。还有就是咱们刚才新增的companyid，咱们也想把这些信息同时带到客户端登陆成功的画面中去呢？

这边就须要使用到CAS SSO中的一个特殊的属性，它叫attributeRepository。

attributeRepository的做用

attributeRepository关联着一个dao和一个resolver，它们的做用以下：

attributeDAO是用于根据searchBase在LDAP中定位到一条数据，而后把该条数据全部的属性取出来用的一个工具类
credentialsToPrincipalResolvers，该类用于向客户端（就是咱们的cas-samples-site1/site2)返回用户在CAS SSO中登陆画面中输入的登陆相关信息用的一个工具类

先来讲attributeDAO的做用吧。

CASLdapPersonAttributeDao

好比说咱们这边想要把ldap中某个uid的mail属性也带给到客户端中去

咱们就要按照下面这段代码来书写CASLdapPersonAttributeDao类，该类扩展自”AbstractQueryPersonAttributeDao“类，它被置于”package org.jasig.services.persondir.support.ldap“包中，由于该包中还有其它相关的此类须要”引用"的工具类，咱们不想处处import来import去了，所以直接把这个咱们自定义的attributeDao类就直接放置于该包中了。

可是，嘿嘿嘿，在package org.jasig.services.persondir.support.ldap包中没有其它这个类须要引用的那些外部类，以下图所示：

怎么办？

很简单，直接找到cas-server 3.5.2的源码，将这两个外部类置于咱们自定义的CASLdapPersonAttributeDao同一层的包路径下便可，我会在本文结束后直接给出完整的eclipse中可运行的cas-server的所有源码。

/**
* Licensed to Jasig under one or more contributor license
* agreements. See the NOTICE file distributed with this work
* for additional information regarding copyright ownership.
* Jasig licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a
* copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.jasig.services.persondir.support.ldap;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.directory.SearchControls;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.util.CASCredentialHelper;
import org.jasig.services.persondir.IPersonAttributes;
import org.jasig.services.persondir.support.AbstractQueryPersonAttributeDao;
import org.jasig.services.persondir.support.CaseInsensitiveAttributeNamedPersonImpl;
import org.jasig.services.persondir.support.CaseInsensitiveNamedPersonImpl;
import org.jasig.services.persondir.support.QueryType;
import org.sky.cas.auth.LdapPersonInfoBean;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.Filter;
import org.springframework.ldap.filter.LikeFilter;
import org.springframework.util.Assert;
/**
* LDAP implementation of {@link org.jasig.services.persondir.IPersonAttributeDao}.
*
* In the case of multi valued attributes a {@link java.util.List} is set as the value.
*
* <br>
* <br>
* Configuration:
* <table border="1">
* <tr>
* <th align="left">Property</th>
* <th align="left">Description</th>
* <th align="left">Required</th>
* <th align="left">Default</th>
* </tr>
* <tr>
* <td align="right" valign="top">searchControls</td>
* <td>
* Set the {@link SearchControls} used for executing the LDAP query.
* </td>
* <td valign="top">No</td>
* <td valign="top">Default instance with SUBTREE scope.</td>
* </tr>
* <tr>
* <td align="right" valign="top">baseDN</td>
* <td>
* The base DistinguishedName to use when executing the query filter.
* </td>
* <td valign="top">No</td>
* <td valign="top">""</td>
* </tr>
* <tr>
* <td align="right" valign="top">contextSource</td>
* <td>
* A {@link ContextSource} from the Spring-LDAP framework. Provides a DataSource
* style object that this DAO can retrieve LDAP connections from.
* </td>
* <td valign="top">Yes</td>
* <td valign="top">null</td>
* </tr>
* <tr>
* <td align="right" valign="top">setReturningAttributes</td>
* <td>
* If the ldap attributes set in the ldapAttributesToPortalAttributes Map should be copied
* into the {@link SearchControls#setReturningAttributes(String[])}. Setting this helps reduce
* wire traffic of ldap queries.
* </td>
* <td valign="top">No</td>
* <td valign="top">true</td>
* </tr>
* <tr>
* <td align="right" valign="top">queryType</td>
* <td>
* How multiple attributes in a query should be concatenated together. The other option is OR.
* </td>
* <td valign="top">No</td>
* <td valign="top">AND</td>
* </tr>
* </table>
*
* @author andrew.petro@yale.edu
* @author Eric Dalquist
* @version $Revision$ $Date$
* @since uPortal 2.5
*/
public class CASLdapPersonAttributeDao extends AbstractQueryPersonAttributeDao<LogicalFilterWrapper> implements InitializingBean {
private static final Pattern QUERY_PLACEHOLDER = Pattern.compile("\\{0\\}");
private final static AttributesMapper MAPPER = new AttributeMapAttributesMapper();
protected final Log logger = LogFactory.getLog(getClass());
/**
* The LdapTemplate to use to execute queries on the DirContext
*/
private LdapTemplate ldapTemplate = null;
private String baseDN = "";
private String queryTemplate = null;
private ContextSource contextSource = null;
private SearchControls searchControls = new SearchControls();
private boolean setReturningAttributes = true;
private QueryType queryType = QueryType.AND;
public CASLdapPersonAttributeDao() {
this.searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
this.searchControls.setReturningObjFlag(false);
}
/* (non-Javadoc)
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
*/
public void afterPropertiesSet() throws Exception {
final Map<String, Set<String>> resultAttributeMapping = this.getResultAttributeMapping();
if (this.setReturningAttributes && resultAttributeMapping != null) {
this.searchControls.setReturningAttributes(resultAttributeMapping.keySet().toArray(
new String[resultAttributeMapping.size()]));
}
if (this.contextSource == null) {
throw new BeanCreationException("contextSource must be set");
}
}
/* (non-Javadoc)
* @see org.jasig.services.persondir.support.AbstractQueryPersonAttributeDao#appendAttributeToQuery(java.lang.Object, java.lang.String, java.util.List)
*/
@Override
protected LogicalFilterWrapper appendAttributeToQuery(LogicalFilterWrapper queryBuilder, String dataAttribute,
List<Object> queryValues) {
if (queryBuilder == null) {
queryBuilder = new LogicalFilterWrapper(this.queryType);
}
for (final Object queryValue : queryValues) {
String queryValueString = queryValue == null ? null : queryValue.toString();
LdapPersonInfoBean person = new LdapPersonInfoBean();
//person = CASCredentialHelper.getPersoninfoFromCredential(queryValueString);
//queryValueString = person.getUsername();
person = CASCredentialHelper.getPersoninfoFromCredential(queryValueString);
queryValueString=person.getUsername();
if (StringUtils.isNotBlank(queryValueString)) {
final Filter filter;
if (!queryValueString.contains("*")) {
filter = new EqualsFilter(dataAttribute, queryValueString);
} else {
filter = new LikeFilter(dataAttribute, queryValueString);
}
queryBuilder.append(filter);
}
}
return queryBuilder;
}
/* (non-Javadoc)
* @see org.jasig.services.persondir.support.AbstractQueryPersonAttributeDao#getPeopleForQuery(java.lang.Object, java.lang.String)
*/
@Override
protected List<IPersonAttributes> getPeopleForQuery(LogicalFilterWrapper queryBuilder, String queryUserName) {
LdapPersonInfoBean ldapPerson = new LdapPersonInfoBean();
ldapPerson = CASCredentialHelper.getPersoninfoFromCredential(queryUserName);
final String generatedLdapQuery = queryBuilder.encode();
//If no query is generated return null since the query cannot be run
if (StringUtils.isBlank(generatedLdapQuery)) {
return null;
}
//Insert the generated query into the template if it is configured
final String ldapQuery;
if (this.queryTemplate == null) {
ldapQuery = generatedLdapQuery;
} else {
final Matcher queryMatcher = QUERY_PLACEHOLDER.matcher(this.queryTemplate);
ldapQuery = queryMatcher.replaceAll(generatedLdapQuery);
}
String searchBase = "";
if (ldapPerson.getCompanyid().trim().length() > 0) {
searchBase = "o=" + ldapPerson.getCompanyid() + "," + baseDN;
} else {
searchBase = baseDN;
}
logger.info("searchBase=====" + searchBase);
//Execute the query
List<Map<String, List<Object>>> queryResults = new ArrayList<Map<String, List<Object>>>();
try {
queryResults = this.ldapTemplate.search(searchBase, ldapQuery, this.searchControls, MAPPER);
} catch (Exception e) {
logger.error(
"search ldap with [searchBase===" + searchBase + "] [ldapQuery====" + ldapQuery + "], caused by: "
+ e.getMessage(), e);
}
final List<IPersonAttributes> peopleAttributes = new ArrayList<IPersonAttributes>(queryResults.size());
for (final Map<String, List<Object>> queryResult : queryResults) {
IPersonAttributes person;
//if (ldapPerson.getUsername() != null) {
if (queryUserName != null && queryUserName.trim().length() > 0) {
//person = new CaseInsensitiveNamedPersonImpl(ldapPerson.getUsername(), queryResult);
person = new CaseInsensitiveNamedPersonImpl(queryUserName, queryResult);
} else {
//Create the IPersonAttributes doing a best-guess at a userName attribute
String userNameAttribute = this.getConfiguredUserNameAttribute();
person = new CaseInsensitiveAttributeNamedPersonImpl(userNameAttribute, queryResult);
}
peopleAttributes.add(person);
}
return peopleAttributes;
}
/**
* @see javax.naming.directory.SearchControls#getTimeLimit()
* @deprecated Set the property on the {@link SearchControls} and set that via {@link #setSearchControls(SearchControls)}
*/
@Deprecated
public int getTimeLimit() {
return this.searchControls.getTimeLimit();
}
/**
* @see javax.naming.directory.SearchControls#setTimeLimit(int)
* @deprecated
*/
@Deprecated
public void setTimeLimit(int ms) {
this.searchControls.setTimeLimit(ms);
}
/**
* @return The base distinguished name to use for queries.
*/
public String getBaseDN() {
return this.baseDN;
}
/**
* @param baseDN The base distinguished name to use for queries.
*/
public void setBaseDN(String baseDN) {
if (baseDN == null) {
baseDN = "";
}
this.baseDN = baseDN;
}
/**
* @return The ContextSource to get DirContext objects for queries from.
*/
public ContextSource getContextSource() {
return this.contextSource;
}
/**
* @param contextSource The ContextSource to get DirContext objects for queries from.
*/
public synchronized void setContextSource(final ContextSource contextSource) {
Assert.notNull(contextSource, "contextSource can not be null");
this.contextSource = contextSource;
this.ldapTemplate = new LdapTemplate(this.contextSource);
}
/**
* Sets the LdapTemplate, and thus the ContextSource (implicitly).
*
* @param ldapTemplate the LdapTemplate to query the LDAP server from. CANNOT be NULL.
*/
public synchronized void setLdapTemplate(final LdapTemplate ldapTemplate) {
Assert.notNull(ldapTemplate, "ldapTemplate cannot be null");
this.ldapTemplate = ldapTemplate;
this.contextSource = this.ldapTemplate.getContextSource();
}
/**
* @return Search controls to use for LDAP queries
*/
public SearchControls getSearchControls() {
return this.searchControls;
}
/**
* @param searchControls Search controls to use for LDAP queries
*/
public void setSearchControls(SearchControls searchControls) {
Assert.notNull(searchControls, "searchControls can not be null");
this.searchControls = searchControls;
}
/**
* @return the queryType
*/
public QueryType getQueryType() {
return queryType;
}
/**
* Type of logical operator to use when joining WHERE clause components
*
* @param queryType the queryType to set
*/
public void setQueryType(QueryType queryType) {
this.queryType = queryType;
}
public String getQueryTemplate() {
return this.queryTemplate;
}
/**
* Optional wrapper template for the generated part of the query. Use {0} as a placeholder for where the generated query should be inserted.
*/
public void setQueryTemplate(String queryTemplate) {
this.queryTemplate = queryTemplate;
}
}

注意206到211行处的写法：

String searchBase = "";
if (ldapPerson.getCompanyid().trim().length() > 0) {
searchBase = "o=" + ldapPerson.getCompanyid() + "," + baseDN;
} else {
searchBase = baseDN;
}
logger.info("searchBase=====" + searchBase);

CASLdapPersonAttributeDao类中须要使用到另外两个咱们自定义的工具类代码以下：

CASCredentialHelper

package org.jasig.cas.util;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import java.io.StringReader;
import java.util.*;
import org.jdom.*;
import org.jdom.input.SAXBuilder;
import org.jdom.xpath.*;
import org.sky.cas.auth.LdapPersonInfoBean;
import org.xml.sax.InputSource;
public class CASCredentialHelper {
public final static Log logger = LogFactory.getLog(CASCredentialHelper.class);
public static LdapPersonInfoBean getPersoninfoFromCredential(String dnStr) {
LdapPersonInfoBean person = new LdapPersonInfoBean();
logger.debug("credential str======" + dnStr);
try {
if (dnStr != null) {
//建立一个新的字符串
String[] p_array = dnStr.split(",");
if (p_array != null) {
person.setCompanyid(p_array[1]);
person.setUsername(p_array[0]);
}
}
} catch (Exception e) {
logger.error("get personinfo from DN: [:" + dnStr + "] error caused by: " + e.getMessage(), e);
}
return person;
}
public static void main(String[] args) throws Exception {
StringBuffer sb = new StringBuffer();
sb.append("<?xml version=\"1.0\" encoding=\"utf-8\"?>");
sb.append("<CASCredential>");
sb.append("<result>");
sb.append("<loginid>sys</loginid>");
sb.append("<companyid>401</companyid>");
sb.append("<email>aaa@a.net</email>");
sb.append("</result>");
sb.append("</CASCredential>");
getPersoninfoFromCredential(sb.toString());
}
}

LdapPersonInfoBean

package org.sky.cas.auth;
import java.io.Serializable;
public class LdapPersonInfoBean implements Serializable {
private String companyid = "";
private String username = "";
/**
* @return the companyid
*/
public String getCompanyid() {
return companyid;
}
/**
* @param companyid the companyid to set
*/
public void setCompanyid(String companyid) {
this.companyid = companyid;
}
/**
* @return the username
*/
public String getUsername() {
return username;
}
/**
* @param username the username to set
*/
public void setUsername(String username) {
this.username = username;
}
}

以上这两个类到底在干什么，你们不要急，咱们接着看下面的这个CASCredentialsToPrincipalResolver类吧

CASCredentialsToPrincipalResolver类

该类的做用是这样的：

一个客户在CAS SSO登陆界面登陆了，而后输入了相关的登陆信息，而后CAS SSO跳转到客户端的主界面中去，客户端在主界面经过如下语句：

AttributePrincipal principal = (AttributePrincipal) req.getUserPrincipal();
String userName = principal.getName();

便可以获得CAS SSO转发过来的合法登陆了的用户名，但是，但是。。。CAS SSO默认只能带一个username过来给到客户端，而该成功登陆了的用户的在LDAP中的其它属性是经过如下语句获得的：

Map attributes = principal.getAttributes();
String email = (String) attributes.get("email");

如今问题来了，咱们新增的companyid即不是该用户在ldap中的一个属性，又不能在req.getUserPrincipal();中带过来，怎么办？

熊掌与鱼兼得法，既能够把用户在LDAP中其它属性带到客户端又能够把客户的登陆信息也带到客户端

所以咱们须要定制CASCredentialsToPrincipalResolver这个类，来看该类的代码：

package org.sky.cas.auth;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Credentials;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import org.jdom.Document;
import org.jdom.Element;
import org.jdom.JDOMException;
import org.jdom.output.Format;
import org.jdom.output.XMLOutputter;
public class CASCredentialsToPrincipalResolver extends AbstractPersonDirectoryCredentialsToPrincipalResolver {
public final Log logger = LogFactory.getLog(this.getClass());
protected String extractPrincipalId(final Credentials credentials) {
final CASCredential casCredential = (CASCredential) credentials;
return buildCompCredential(casCredential.getUsername(), casCredential.getCompanyid());
}
/**
* Return true if Credentials are UsernamePasswordCredentials, false
* otherwise.
*/
public boolean supports(final Credentials credentials) {
return credentials != null && CASCredential.class.isAssignableFrom(credentials.getClass());
}
public String buildCompCredential(String loginId, String companyId) {
StringBuffer sb = new StringBuffer();
sb.append(loginId).append(",");
sb.append(companyId);
return sb.toString();
}
}

注意第23行和buildCompCredential方法，你们来看这个类原先是继承自AbstractPersonDirectoryCredentialsToPrincipalResolver 类对吧，若是咱们不自定这个类，CAS SSO有一个默认的Resolver，大家知道CAS SSO默认的这个Resolver是怎么写的吗？

你们能够本身跟一下原码，在原码中，它是这样写的：

package org.sky.cas.auth;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Credentials;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import org.jdom.Document;
import org.jdom.Element;
import org.jdom.JDOMException;
import org.jdom.output.Format;
import org.jdom.output.XMLOutputter;
public class CASCredentialsToPrincipalResolver extends AbstractPersonDirectoryCredentialsToPrincipalResolver {
public final Log logger = LogFactory.getLog(this.getClass());
protected String extractPrincipalId(final Credentials credentials) {
final CASCredential casCredential = (CASCredential) credentials;
return casCredential.getUsername();
}
/**
* Return true if Credentials are UsernamePasswordCredentials, false
* otherwise.
*/
}

看到了没有，它只返回了一个username，所以，咱们把这个类扩展了一下，使得CAS SSO在登陆成功后能够给客户端返回这样的一个字串："username,companyid”。

经过这样的方法以使得当客户在登陆时输入的那些并不属于LDAP库中存储的信息也可以被带到客户端中去，这样的话咱们在客户端中若是经过如下这段代码:

AttributePrincipal principal = (AttributePrincipal) req.getUserPrincipal();
String userName = principal.getName();

去试图获取从CAS SSO中带来的登陆信息时，客户端将会获得一个这样的字串“username,companyid”，所以咱们只要再在客户端作一次简单的切割，便可将咱们须要的登陆信息进行剥离了，以下例子：

String[] userAttri = userName.split(",");
uinfo.setUserName(userAttri[0]);
uinfo.setCompanyId(userAttri[1]);

最终版src/main/webapp/WEB-INF/deployerConfiguration.xml文件

有了attributeDao, 有了resolver，咱们完全来从新配置一下咱们的deployerConfiguration.xml文件吧，来看下面的配置：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="credentialsToPrincipalResolvers">
<list>
<bean class="org.sky.cas.auth.CASCredentialsToPrincipalResolver">
<property name="attributeRepository" ref="attributeRepository" />
</bean>
</list>
</property>
<property name="authenticationHandlers">
<list>
<bean
class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean class=" org.sky.cas.auth.CASLDAPAuthenticationHandler"
p:filter="uid=%u" p:searchBase="o=company,dc=sky,dc=org"
p:contextSource-ref="contextSource" />
</list>
</property>
</bean>

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="password" value="secret" />
<property name="pooled" value="true" />
<property name="url" value="ldap://localhost:389" />

<property name="userDn" value="cn=Manager,dc=sky,dc=org" />
<property name="baseEnvironmentProperties">
<map>

<entry key="com.sun.jndi.ldap.connect.timeout" value="60" />
<entry key="com.sun.jndi.ldap.read.timeout" value="60" />
<entry key="java.naming.security.authentication" value="simple" />
</map>
</property>
</bean>
<sec:user-service id="userDetailsService">
<sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused"
authorities="ROLE_ADMIN" />
</sec:user-service>
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.ldap.CASLdapPersonAttributeDao">
<property name="contextSource" ref="contextSource" />
<property name="baseDN" value="o=company,dc=sky,dc=org" />
<property name="requireAllQueryAttributes" value="true" />
<property name="queryAttributeMapping">
<map>
<entry key="username" value="uid" />
</map>
</property>
<property name="resultAttributeMapping">
<map>
<entry key="uid" value="loginid" />
<entry key="mail" value="email" />
</map>
</property>
</bean>
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="0" />
<property name="name" value="HTTP and IMAP" />
<property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
<property name="serviceId" value="^(https?|imaps?)://.*" />
<property name="evaluationOrder" value="10000001" />
<property name="ignoreAttributes" value="false" />
<property name="allowedAttributes">
<list>
<value>loginid</value>
<value>email</value>
</list>
</property>
</bean>
</list>
</property>
</bean>
<bean id="auditTrailManager"
class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
<bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
<property name="monitors">
<list>
<bean class="org.jasig.cas.monitor.MemoryMonitor"
p:freeMemoryWarnThreshold="10" />
<!-- NOTE The following ticket registries support SessionMonitor: * DefaultTicketRegistry
* JpaTicketRegistry Remove this monitor if you use an unsupported registry. -->
<bean class="org.jasig.cas.monitor.SessionMonitor"
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
</list>
</property>
</bean>
</beans>

在这个配置文件里，咱们把attributeDao还有Resolver还有咱们的Ldap认证时用的AuthenticationHandler都变成了咱们自定义的类了，但仍是有2段配置代码你们看起来有些疑惑，不要紧，咱们接着来分析接着来变态：

<bean id="attributeRepository"
class="org.jasig.services.persondir.support.ldap.CASLdapPersonAttributeDao">
<property name="contextSource" ref="contextSource" />
<property name="baseDN" value="o=company,dc=sky,dc=org" />
<property name="requireAllQueryAttributes" value="true" />
<property name="queryAttributeMapping">
<map>
<entry key="username" value="uid" />
</map>
</property>
<property name="resultAttributeMapping">
<map>
<entry key="uid" value="loginid" />
<entry key="mail" value="email" />
</map>
</property>
</bean>

看到这边的resultAttributeMapping，它的意思就是：根据上面的“queryAttributeMapping”的这个键值找到ldap中该条数据，而后经过resultAttributeMapping返回给客户端，这段配置作的就是这么一件事。

注：

必定要在queryAttributeMapping的entry key=后面写上"username”,这个username来自于咱们cas sso登陆主界面中的username这个属性。
在resultAttributeMapping中key为LDAP中相关数据的“主键”，value就是咱们但愿让客户端经过如下代码获取到CAS SSO服务端传过来的值的那个key，千万不要搞错了哦。

Map attributes = principal.getAttributes();
String email = (String) attributes.get("email");

固然，到了这边，咱们的值还不能直接返回给客户端！！！

若是可以直接返回，到此处为止，咱们的变态就应该已经全结束了，但是CAS SSO有着其严格的定义，不是说你要返回什么值给客户端你就能够返回的，还须要一个“allowed”。

继续看下去：

<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
<property name="registeredServices">
<list>
<bean class="org.jasig.cas.services.RegexRegisteredService">
<property name="id" value="0" />
<property name="name" value="HTTP and IMAP" />
<property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
<property name="serviceId" value="^(https?|imaps?)://.*" />
<property name="evaluationOrder" value="10000001" />
<property name="ignoreAttributes" value="false" />
<property name="allowedAttributes">
<list>
<value>loginid</value>
<value>email</value>
</list>
</property>
</bean>
</list>
</property>
</bean>

看到这个地方了吗？

<property name="allowedAttributes">
<list>
<value>loginid</value>
<value>email</value>
</list>
</property>

这段XML配置的意思就是: 根据上面的“queryAttributeMapping”的这个键值找到ldap中该条数据，而后经过resultAttributeMapping返回给客户端，而且“容许“loginid”与"email“两个值能够经过客户端使用以下的的代码被容许访问获得：

Map attributes = principal.getAttributes();
String email = (String) attributes.get("email");

很烦？不是，其实不烦，这是由于老外的框架作的严谨，并且扩展性好，只要经过extend, implement就能够实现咱们本身的功能了，这种设计很强，或者说很变态，由于接下去还没完呢，哈哈，继续。

修改cas sso的主登陆界面，把界面修改为以下风格

修改src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginView.jsp

这个改页面，很简单，这个页面在：src/main/webapp/WEB-INF/view/default/ui/casLoginView.jsp

上手把这个页面的两个include去掉，如何去？如何增长如下这个下拉框：

<select id="companyid" name="companyid" >
<option value="101" selected>上海煤气公司</option>
<option value="102" selected>上海自来水厂</option>
<option value="103" selected>FBI</option>
<option value="104" selected>神盾局</option>
</select>

我在这边就不细说了，这属于copy & paste的工做，我在此就直接给出我本身制做完成后的casLoginView.jsp页面内全部的源码吧：

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<%@ page session="true"%>
<%@ page pageEncoding="utf-8"%>
<%@ page contentType="text/html; charset=utf-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form"%>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
<html>
<head>
<link href="${pageContext.request.contextPath}/css/login.css"
rel="stylesheet" type="text/css" />
<link href="${pageContext.request.contextPath}/css/login_form.css"
rel="stylesheet" type="text/css" />
<script language="javascript">
var relativePath="<%=request.getContextPath()%>";
</script>
<title>CAS SSO登陆</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body id="cas">
<div style="text-align: center;">
</div>
<form:form method="post" id="fm1" commandName="${commandName}"
htmlEscape="true" style="height:300px">
<div class="login_div" id="login">
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="2" style="border-bottom: 1px solid #e5e9ee;"><img src="${pageContext.request.contextPath}/css/images/login_dot.png" width="24" height="24" hspace="5" align="absbottom" />登陆</td>
</tr>
<tr>
<td width="175" class="label"> 用户名：</td>
<td width="405">
<c:if test="${empty sessionScope.openIdLocalId}">
<spring:message code="screen.welcome.label.netid.accesskey"
var="userNameAccessKey" />
<form:input onblur="refreshOrgList();" id="username"
tabindex="1" accesskey="${userNameAccessKey}" path="username"/>
</c:if>
</td>
</tr>
<tr>
<td class="label">密码:</td>
<td><form:password cssClass="required" cssErrorClass="error"
id="password" size="25" tabindex="2" path="password"
accesskey="${passwordAccessKey}" autocomplete="off" />
</td>
</tr>
<tr>
<td class="label">公司ID:</td>
<td>
<select id="companyid" name="companyid" >
<option value="101" selected>上海煤气公司</option>
<option value="102" selected>上海自来水厂</option>
<option value="103" selected>FBI</option>
<option value="104" selected>神盾局</option>
</select>
</td>
</tr>
<tr>
<td class="label"></td>
<td><font color="red"><form:errors id="msg" class="errors" /> </font></td>
</tr>
</table>
</div>
<div class="but_div">
<input type="hidden" name="lt" value="${loginTicket}" />
<input type="hidden" name="execution" value="${flowExecutionKey}" />
<input type="hidden" name="_eventId" value="submit" />
<input name="submit" accesskey="l" class="login_but" value="<spring:message code="screen.welcome.button.login" />"
tabindex="4" type="submit" />
<input name="button2" type="reset" class="cancel_but" id="button2" value="取消" />
</div>
</form:form>
<div class="loginbottom_div">
</div>
</body>

你能够直接使用我作的页面，我把它也上传在”资源共享”中了，你也能够本身照着我这个jsp动手去改，改前请必定记得保存好原文件，反正改坏了你就再改一遍，改个4，5次也就习惯了，呵呵！

修改src/main/webapp/WEB-INF/view/jsp/default/protocol/2.0/casServiceValidationSuccess.jsp

CAS SSO中这个jsp是用于在用户登陆成功后把用户登陆成功后的信息组成一个map传给客户端调用的，即客户端能够经过以下代码：

Map attributes = principal.getAttributes();
String email = (String) attributes.get("email");

它是经过CAS SSO服务端的attributeDao来取得相关的LDAP中的其他信息的，可是它默认只带username到客户端，所以为了让客户端可以取得如下这些额外的信息：

<property name="resultAttributeMapping">
<map>
<entry key="uid" value="loginid" />
<entry key="mail" value="email" />
</map>
</property>

咱们须要更改这个jsp代码，打开该JSP，加入以下的这段代码：


<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
<cas:attributes>
<c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
<cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
</c:forEach>
</cas:attributes>
</c:if>

改完后的casServiceValidationSuccess.jsp完整代码以下，请注意至处的代码，这段代码就是咱们新增的用于向客户端返回attributeDao中取出的全部的属性的遍历代码：

<%@ page session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}
</cas:user>

<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes) > 0}">
<cas:attributes>
<c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
<cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
</c:forEach>
</cas:attributes>
</c:if>

<c:if test="${not empty pgtIou}">
<cas:proxyGrantingTicket>${pgtIou}</cas:proxyGrantingTicket>
</c:if>
<c:if test="${fn:length(assertion.chainedAuthentications) > 1}">
<cas:proxies>
<c:forEach var="proxy" items="${assertion.chainedAuthentications}" varStatus="loopStatus" begin="0" end="${fn:length(assertion.chainedAuthentications)-2}" step="1">
<cas:proxy>${fn:escapeXml(proxy.principal.id)}</cas:proxy>
</c:forEach>
</cas:proxies>
</c:if>
</cas:authenticationSuccess>
</cas:serviceResponse>

好了，终于全改完了，开始书写咱们的客户端来作这个测试吧。

制做测试用客户端工程

在客户端咱们会设置一个web session，把从cas-server带过来的用户ID，租户ID以及存在LDAP中的该客户的email都存储于这个session中。

为此，咱们须要这样一个东西：即咱们须要一个filter，用于在每次从CAS SSO登陆成功后转到客户端时把相关的用户登陆信息存储到web session中去。

固然，这些工做涉及到一系列的工具类，并且这些个工具类对于cas-sample-site1和cas-sample-site2具备一样的功能，出于代码可维护性以及统一性的考虑，这两个工程所使用到的这块代码功能都是相同的，所以咱们来重组一下咱们的客户端工程的目录结构吧。

myplatform工程

myplatform工程结构

该工程是cas-sample-site1和cas-sample-site2共用的一个工程，它的结构以下：

myplatform工程与CAS客户端工程cas-sample-site1和cas-sample-site2的依赖关系

两个客户端工程的依赖所有如上面图示所列那样去设置。

存储客户登陆信息的UserSession

package org.sky.framework.session;
import java.io.Serializable;
public class UserSession implements Serializable {
private String companyId = "";
private String userName = "";
private String userEmail = "";
public String getCompanyId() {
return companyId;
}
public void setCompanyId(String companyId) {
this.companyId = companyId;
}
public String getUserName() {
return userName;
}
public void setUserName(String userName) {
this.userName = userName;
}
public String getUserEmail() {
return userEmail;
}
public void setUserEmail(String userEmail) {
this.userEmail = userEmail;
}
}

AppSessionListener

package org.sky.framework.session;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
public class AppSessionListener implements HttpSessionListener {
protected Logger logger = LoggerFactory.getLogger(this.getClass());
@Override
public void sessionCreated(HttpSessionEvent se) {
HttpSession session = null;
try {
session = se.getSession();
// get value
ServletContext context = session.getServletContext();
String timeoutValue = context.getInitParameter("sessionTimeout");
int timeout = Integer.valueOf(timeoutValue);
// set value
session.setMaxInactiveInterval(timeout);
logger.info(">>>>>>session max inactive interval has been set to "
+ timeout + " seconds.");
} catch (Exception ex) {
ex.printStackTrace();
}
}
@Override
public void sessionDestroyed(HttpSessionEvent arg0) {
// TODO Auto-generated method stub
}
}

咱们的filter SampleSSOSessionFilter

package org.sky.framework.session;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.AssertionHolder;
import org.jasig.cas.client.validation.Assertion;
import org.sky.util.WebConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class SampleSSOSessionFilter implements Filter {
protected Logger logger = LoggerFactory.getLogger(this.getClass());
private String excluded;
private static final String EXCLUDE = "exclude";
private boolean no_init = true;
private ServletContext context = null;
private FilterConfig config;
String url = "";
String actionName = "";
public void setFilterConfig(FilterConfig paramFilterConfig) {
if (this.no_init) {
this.no_init = false;
this.config = paramFilterConfig;
if ((this.excluded = paramFilterConfig.getInitParameter("exclude")) != null)
this.excluded += ",";
}
}
private String getActionName(String actionPath) {
logger.debug("filter actionPath====" + actionPath);
StringBuffer actionName = new StringBuffer();
try {
int begin = actionPath.lastIndexOf("/");
if (begin >= 0) {
actionName.append(actionPath.substring(begin, actionPath.length()));
}
} catch (Exception e) {
}
return actionName.toString();
}
private boolean excluded(String paramString) {
// logger.info("paramString====" + paramString);
// logger.info("excluded====" + this.excluded);
// logger.info(this.excluded.indexOf(paramString + ","));
if ((paramString == null) || (this.excluded == null))
return false;
return (this.excluded.indexOf(paramString + ",") >= 0);
}
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain arg2) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
UserSession uinfo = new UserSession();
HttpSession se = req.getSession();
url = req.getRequestURI();
actionName = getActionName(url);
//actionName = url;
logger.debug(">>>>>>>>>>>>>>>>>>>>SampleSSOSessionFilter: request actionname" + actionName);
if (!excluded(actionName)) {
try {
uinfo = (UserSession) se.getAttribute(WebConstants.USER_SESSION_OBJECT);
AttributePrincipal principal = (AttributePrincipal) req.getUserPrincipal();
String userName = principal.getName();
logger.info("userName: " + userName);
if (userName != null && userName.length() > 0 && uinfo == null) {
Map attributes = principal.getAttributes();
String email = (String) attributes.get("email");
uinfo = new UserSession();
String[] userAttri = userName.split(",");
uinfo.setUserName(userAttri[0]);
uinfo.setCompanyId(userAttri[1]);
uinfo.setUserEmail(email);
se.setAttribute(WebConstants.USER_SESSION_OBJECT, uinfo);
}
} catch (Exception e) {
logger.error("SampleSSOSessionFilter error:" + e.getMessage(), e);
resp.sendRedirect(req.getContextPath() + "/syserror.jsp");
return;
}
} else {
arg2.doFilter(request, response);
return;
}
try {
arg2.doFilter(request, response);
return;
} catch (Exception e) {
logger.error("SampleSSOSessionFilter fault: " + e.getMessage(), e);
}
}
@Override
public void init(FilterConfig config) throws ServletException {
// TODO Auto-generated method stub
this.config = config;
if ((this.excluded = config.getInitParameter("exclude")) != null)
this.excluded += ",";
this.no_init = false;
}
}

case-sample-site1和cas-sample-site2中的web.xml

咱们对于这两个CAS客户端工程的web.xml文件所作出的修改以下

将原有的9090（由于原来咱们的cas-server是放在tomcat里的，当时设的端口号为9090，那是为了不端口号和咱们的jboss中的8080重复。而如今，咱们能够把全部的9090改回成8080了）。
增长如下这段代码

<filter>
<filter-name>SampleSSOSessionFilter</filter-name>
<filter-class>org.sky.framework.session.SampleSSOSessionFilter</filter-class>
<init-param>
<param-name>exclude</param-name>
<param-value>/syserror.jsp
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SampleSSOSessionFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>

看这个filter，它有一个特殊的地方，即我在标准的基于servlet2.4标准上对这个filter扩展了一个参数。

由于咱们为两个CAS客户端工程增长了一个syserror.jsp，以用于在获取CAS SERVER端出错时进行重定向用，而这个syserror.jsp是不须要通过什么登陆、什么记录websession用的，因此，它必须是被“excluded”掉的，对吧，具体它是怎么实现的，你们能够本身跟一下代码。

主要是注意看SampleSSOSessionFilter中如下这段代码：

uinfo = (UserSession) se.getAttribute(WebConstants.USER_SESSION_OBJECT);
AttributePrincipal principal = (AttributePrincipal) req.getUserPrincipal();
String userName = principal.getName();
logger.info("userName: " + userName);
if (userName != null && userName.length() > 0 && uinfo == null) {
Map attributes = principal.getAttributes();
String email = (String) attributes.get("email");
uinfo = new UserSession();
String[] userAttri = userName.split(",");
uinfo.setUserName(userAttri[0]);
uinfo.setCompanyId(userAttri[1]);
uinfo.setUserEmail(email);
se.setAttribute(WebConstants.USER_SESSION_OBJECT, uinfo);
}

好了，咱们如今要作的就是为cas-sample-site1/2各配上一个用于显示咱们是否可以成功从cas-server端传过来登陆成功后用户信息的index.jsp了。

cas-sample-site1/index.jsp

<%@ page language="java" contentType="text/html; charset=utf-8"
pageEncoding="utf-8"%>
<%@ page import="org.sky.framework.session.UserSession, org.sky.util.WebConstants" %>
<%
UserSession us=(UserSession)session.getAttribute(WebConstants.USER_SESSION_OBJECT);
String uname=us.getUserName();
String email=us.getUserEmail();
String companyId=us.getCompanyId();
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>cas sample site1</title>
</head>
<body>
<h1>cas sample site1 Hello: <%=uname%>(<%=email%>) u are@Company: <%=companyId%></h1>
</p>
<a href="http://localhost:8080/cas-sample-site2/index.jsp">cas-sample-site2</a>
</br>
<a href="http://localhost:8080/cas-server/logout">退出</a>
</body>
</html>

cas-sample-site2/index.jsp

<%@ page language="java" contentType="text/html; charset=utf-8"
pageEncoding="utf-8"%>
<%@ page import="org.sky.framework.session.UserSession, org.sky.util.WebConstants" %>
<%
UserSession us=(UserSession)session.getAttribute(WebConstants.USER_SESSION_OBJECT);
String uname=us.getUserName();
String email=us.getUserEmail();
String companyId=us.getCompanyId();
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>cas sample site2</title>
</head>
<body>
<h1>cas sample site2 Hello: <%=uname%>(<%=email%>) u are@Company: <%=companyId%></h1>
<a href="http://localhost:8080/cas-sample-site1/index.jsp">cas-sample-site1</a>
</br>
<a href="http://localhost:8080/cas-server/logout">退出</a>
</body>
</html>

运行今天全部的例子

测试用ldap中全部用户的ldif代码：

dn: dc=sky,dc=org
dc: sky
objectClass: top
objectClass: domain
dn: o=company,dc=sky,dc=org
objectClass: organization
o: company
dn: ou=members,o=company,dc=sky,dc=org
objectClass: organizationalUnit
ou: members
dn: cn=user1,ou=members,o=company,dc=sky,dc=org
sn: user1
cn: user1
userPassword: aaaaaa
objectClass: organizationalPerson
dn: cn=user2,ou=members,o=company,dc=sky,dc=org
sn: user2
cn: user2
userPassword: abcdefg
objectClass: organizationalPerson
dn: uid=mk,ou=members,o=company,dc=sky,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: Yuan
sn: MingKai
displayName: YuanMingKai
uid: mk
homeDirectory: e:\user
mail: mk.yuan@nttdata.com
cn: YuanMingKai
uidNumber: 13599
userPassword: {SHA}96niR3fsIyEsVNejULxb6lR3/bs=
dn: o=101,o=company,dc=sky,dc=org
o: 101
objectClass: organization
dn: o=102,o=company,dc=sky,dc=org
o: 102
objectClass: organization
dn: o=103,o=company,dc=sky,dc=org
o: 103
objectClass: organization
dn: o=104,o=company,dc=sky,dc=org
o: 104
objectClass: organization
dn: uid=marious,o=101,o=company,dc=sky,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: Wang
sn: LiMing
displayName: WangLiMing
uid: marious
homeDirectory: d:\
cn: WangLiMing
uidNumber: 47967
userPassword: {SHA}96niR3fsIyEsVNejULxb6lR3/bs=
mail: aaa@a.net
dn: uid=sky,o=101,o=company,dc=sky,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: Yuan
sn: Tao
displayName: YuanTao
uid: sky
homeDirectory: d:\
cn: YuanTao
uidNumber: 26422
userPassword: {SHA}96niR3fsIyEsVNejULxb6lR3/bs=
mail: bbb@b.net
dn: uid=jason,o=102,o=company,dc=sky,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: zhang
sn: lei
displayName: zhanglei
uid: jason
homeDirectory: d:\
cn: zhanglei
uidNumber: 62360
userPassword: {SHA}96niR3fsIyEsVNejULxb6lR3/bs=
mail: jason@abc.net
dn: uid=andy.li,o=103,o=company,dc=sky,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: Li
sn: Jun
displayName: LiJun
uid: andy.li
homeDirectory: d:\
cn: LiJun
uidNumber: 51204
userPassword: {SHA}96niR3fsIyEsVNejULxb6lR3/bs=
mail: andy.li@jesus.chris
dn: uid=pitt,o=104,o=company,dc=sky,dc=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: Brad
sn: Pitt
displayName: Brad Pitt
uid: pitt
homeDirectory: d:\
cn: Brad Pitt
uidNumber: 64650
userPassword: {SHA}96niR3fsIyEsVNejULxb6lR3/bs=
mail: pitt@hollywood.com

把:

cas-server
cas-sample-site1
cas-sample-site2

所有在eclipse里用jboss7运行起来：

打开一个IE，输入http://localhost:8080/cas-sample-site1，出现以下界面：

咱们在用户名处输入jason
密码输入aaaaaa
公司ID选择成“上海自来水厂”

点击【登陆】按钮，此时页面显示以下：

点击cas-sample-site2这个连接，页面显示以下：

咱们看来看jason这我的在咱们的ldap中的相关信息：

再来看看“上海自来水厂”的companyid是什么：

<select id="companyid" name="companyid" >
<option value="101" selected>上海煤气公司</option>
<option value="102" selected>上海自来水厂</option>
<option value="103" selected>FBI</option>
<option value="104" selected>神盾局</option>
</select>

是102，说明咱们的传值传对了。

咱们如今再用debug模式来调试一下这个用例。

好了，结束今天的课程。

在今天的课程中咱们完成了几件事，这几件事中尤为是对于多租户的CAS SSO的解决方案是目前网上没有的包括国外的网站和主力论坛上（或者说有人解决了没有公布出来）：

自定义CAS SSO登陆界面
在CAS SSO登陆界面增长咱们自定义的登陆用元素
使用LDAP带出登陆用户在LDAP内存储的其它更多的信息
实现了CAS SSO支持多租户登陆的功能

虽然这一过程很痛苦，很变态，可是经过这样的一个案例，咱们完成了一件了不得的事情，同时对于这种国外开源软件的customization咱们也有了一个认识，就是欧美的一些软件，它的自定义都是经过扩展、继承、插件式的方式来实现的，这说明他们的软件在设计之初就考虑到了这些扩展。

那不少人就会来问，改了这么一堆东西，我怎么知道要改这些东西，要去动这些代码或者有些代码怎么写?

我回答这个问题的方式很简单，我把它称之为：play with it。

由于开源的软件都提供源码的，你把源码都导入eclipse工程，想办法运行起来，这个过程可能折腾个1-2周吧，可是源码一旦跑起来了，你就能够本身去跟代码啦，而后看人家这块逻辑这块设计是怎么实现的，而后照着写或者按照人家的规范插入本身的一部分的自定义的代码，就这样一点点，一点点的你也就能够把本属于别人一个产品变成为本身的一套东西了，这个过程就叫play with it。

作IT的必定要多play with it，要否则，你很难有本身的感性上的认识，没有了感性认识的基础，那也就谈不上什么“理性认识”和“升华”了，呵呵！

在咱们从此的教程中，咱们动手改代码或者集成其它开源产品的机会还有不少、不少。。。。。。甚至还会涉及到JDK里的一些东西，让咱们一块儿慢慢来吧。