1.在pom.xml中增加sso接入相關依賴
<!--cas-client-->
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-core</artifactId>
<version>3.4.1</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-cas</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-aspectj</artifactId>
<version>${shiro.version}</version>
</dependency>
<!--單點登錄-->
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-cas</artifactId>
<version>3.0.2</version>
</dependency>
<dependency>
<groupId>io.buji</groupId>
<artifactId>buji-pac4j</artifactId>
<version>4.0.0</version>
<exclusions>
<exclusion>
<artifactId>shiro-web</artifactId>
<groupId>org.apache.shiro</groupId>
</exclusion>
</exclusions>
</dependency>
2. 在springboot項目的配置文件application-dev.xml新增以下配置項:
#cas配置
cas:
client-name: kb
server:
#cas服務端前綴,不是登錄地
url: http://127.0.0.1:8085/cas
project:
#當前客戶端地址,即應用地址(域名)
url: http://127.0.0.1:8088/kg
#前端首頁地址,用於sso驗證成功後重定向到此頁面(注意不是登陸頁面,是登陸成功後的首頁)
ui-url: http://127.0.0.1:11000/admin/#/home
3.重寫ShiroConfig.java文件:
import io.buji.pac4j.filter.CallbackFilter;
import io.buji.pac4j.filter.LogoutFilter;
import io.buji.pac4j.filter.SecurityFilter;
import io.buji.pac4j.subject.Pac4jSubjectFactory;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.session.SingleSignOutHttpSessionListener;
import org.pac4j.core.config.Config;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.filter.DelegatingFilterProxy;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* cas整合shiro
* @author jay
* @date 2019-12-20
*
*/
@Configuration
public class CasShiroConfig {
/**
* 項目工程路徑
*/
@Value("${cas.project.url}")
private String projectUrl;
/**
* 項目cas服務路徑
*/
@Value("${cas.server.url}")
private String casServerUrl;
/**
* 客戶端名稱
*/
@Value("${cas.client-name}")
private String clientName;
/**
* 單點登出的listener
*
* @return
*/
@SuppressWarnings({"rawtypes", "unchecked"})
@Bean
public ServletListenerRegistrationBean<?> singleSignOutHttpSessionListener() {
ServletListenerRegistrationBean bean = new ServletListenerRegistrationBean();
bean.setListener(new SingleSignOutHttpSessionListener());
bean.setEnabled(true);
return bean;
}
/**
* 單點登出filter
*
* @return
*/
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public FilterRegistrationBean singleSignOutFilter() {
FilterRegistrationBean bean = new FilterRegistrationBean();
bean.setName("singleSignOutFilter");
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setCasServerUrlPrefix(casServerUrl);
singleSignOutFilter.setIgnoreInitConfiguration(true);
bean.setFilter(singleSignOutFilter);
bean.addUrlPatterns("/*");
bean.setEnabled(true);
return bean;
}
@Bean("securityManager")
public DefaultWebSecurityManager securityManager(Pac4jSubjectFactory subjectFactory, CasRealm casRealm) {
DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
manager.setRealm(casRealm);
manager.setSubjectFactory(subjectFactory);
// manager.setSessionManager(sessionManager); //去掉session管理
return manager;
}
@Bean
public CasRealm casRealm() {
CasRealm realm = new CasRealm();
// 使用自定義的realm
realm.setClientName(clientName);
realm.setCachingEnabled(false);
//暫時不使用緩存
realm.setAuthenticationCachingEnabled(false);
realm.setAuthorizationCachingEnabled(false);
//realm.setAuthenticationCacheName("authenticationCache");
//realm.setAuthorizationCacheName("authorizationCache");
return realm;
}
/**
* 使用 pac4j 的 subjectFactory
*
* @return
*/
@Bean
public Pac4jSubjectFactory subjectFactory() {
return new Pac4jSubjectFactory();
}
@Bean
public FilterRegistrationBean filterRegistrationBean() {
FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));
// 該值缺省爲false,表示生命週期由SpringApplicationContext管理,設置爲true則表示由ServletContainer管理
filterRegistration.addInitParameter("targetFilterLifecycle", "true");
filterRegistration.setEnabled(true);
filterRegistration.addUrlPatterns("/*");
filterRegistration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD);
return filterRegistration;
}
/**
* 加載shiroFilter權限控制規則(從數據庫讀取然後配置)
*
* @param shiroFilterFactoryBean
*/
private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean) {
/*下面這些規則配置最好配置到配置文件中 */
Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
filterChainDefinitionMap.put("/kg/", "securityFilter");
filterChainDefinitionMap.put("/kg/ssoLogin", "securityFilter");
filterChainDefinitionMap.put("/kg/index", "securityFilter");
filterChainDefinitionMap.put("/kg/callback/**", "callbackFilter");
//filterChainDefinitionMap.put("kg/logout", "logout");
filterChainDefinitionMap.put("kg/ssoLogout", "ssoLogoutFilter");
// filterChainDefinitionMap.put("/**","anon");
filterChainDefinitionMap.put("/**", "jwt"); //使用自己的過濾器
// filterChainDefinitionMap.put("/user/edit/**", "authc,perms[user:edit]");
shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
}
/**
* shiroFilter
*
* @param securityManager
* @param config
* @return
*/
@Bean("shiroFilter")
public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager, Config config) {
ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
// 必須設置 SecurityManager
shiroFilterFactoryBean.setSecurityManager(securityManager);
//shiroFilterFactoryBean.setUnauthorizedUrl("/403");
// 添加casFilter到shiroFilter中
loadShiroFilterChain(shiroFilterFactoryBean);
Map<String, Filter> filters = new HashMap<>(4);
//cas 資源認證攔截器
SecurityFilter securityFilter = new SecurityFilter();
securityFilter.setConfig(config);
securityFilter.setClients(clientName);
filters.put("securityFilter", securityFilter);
//cas 認證後回調攔截器
CallbackFilter callbackFilter = new CallbackFilter();
callbackFilter.setConfig(config);
callbackFilter.setDefaultUrl(projectUrl);
filters.put("callbackFilter", callbackFilter);
//驗證請求攔截器
filters.put("jwt", new JWTFilter()); //添加自己的過濾器
// 註銷 攔截器
LogoutFilter logoutFilter = new LogoutFilter();
logoutFilter.setConfig(config);
logoutFilter.setCentralLogout(true);
logoutFilter.setLocalLogout(true);
logoutFilter.setDefaultUrl(projectUrl + "/callback?client_name=" + clientName);
filters.put("ssoLogoutFilter", logoutFilter);
shiroFilterFactoryBean.setFilters(filters);
return shiroFilterFactoryBean;
}
/**
* 下面的代碼是添加註解支持
*/
@Bean
@DependsOn("lifecycleBeanPostProcessor")
public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
// 強制使用cglib,防止重複代理和可能引起代理出錯的問題
// https://zhuanlan.zhihu.com/p/29161098
defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
return defaultAdvisorAutoProxyCreator;
}
@Bean
public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
return new LifecycleBeanPostProcessor();
}
@Bean
public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
advisor.setSecurityManager(securityManager);
return advisor;
}
}
4.重寫ShiroRealm.java文件
注意點:這裏有個大坑,一定要注意重寫supports方法增加對token類型的支持,不然會報類型不支持的錯,導致後續所有權限驗證失敗,這個錯折騰了最少三天才解決!!!
import io.buji.pac4j.realm.Pac4jRealm;
import io.buji.pac4j.subject.Pac4jPrincipal;
import io.buji.pac4j.token.Pac4jToken;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.pac4j.core.profile.CommonProfile;
import org.springframework.beans.factory.annotation.Autowired;
import javax.servlet.http.HttpServletRequest;
import java.util.List;
import java.util.Set;
/**
* cas認證與授權
* @author jay
* @date 2019-12-20
**/
public class CasRealm extends Pac4jRealm {
private String clientName;
public String getClientName() {
return clientName;
}
public void setClientName(String clientName) {
this.clientName = clientName;
}
@Autowired
private UserManager userManager;
@Autowired
private RedisService redisService;
/**
* 認證
* @param authenticationToken
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
if (!(authenticationToken instanceof JWTToken)) {
final Pac4jToken pac4jToken = (Pac4jToken) authenticationToken;
final List<CommonProfile> commonProfileList = pac4jToken.getProfiles();
final CommonProfile commonProfile = commonProfileList.get(0);
System.out.println("單點登錄返回的信息" + commonProfile.toString());
//todo
final Pac4jPrincipal principal = new Pac4jPrincipal(commonProfileList, getPrincipalNameAttribute());
final PrincipalCollection principalCollection = new SimplePrincipalCollection(principal, getName());
return new SimpleAuthenticationInfo(principalCollection, commonProfileList.hashCode());
//return new SimpleAuthenticationInfo(t, t, "kb_shiro_realm");
} else {
// 這裏的 token是從 JWTFilter 的 executeLogin 方法傳遞過來的,已經經過了解密
// System.out.println(authenticationToken.getCredentials());
String token = (String)authenticationToken.getCredentials();
// 從 redis裏獲取這個 token
HttpServletRequest request = HttpContextUtil.getHttpServletRequest();
String ip = IPUtil.getIpAddr(request);
String encryptToken = KBUtil.encryptToken(token);
String encryptTokenInRedis = null;
try {
encryptTokenInRedis = redisService.get(KBConstant.TOKEN_CACHE_PREFIX + encryptToken + "." + ip);
} catch (Exception ignore) {
}
// 如果找不到,說明已經失效
if (StringUtils.isBlank(encryptTokenInRedis))
throw new AuthenticationException("token已經過期");
String username = JWTUtil.getUsername(token);
if (StringUtils.isBlank(username))
throw new AuthenticationException("token校驗不通過");
// 通過用戶名查詢用戶信息
User user = userManager.getUser(username);
if (user == null)
throw new AuthenticationException("用戶名或密碼錯誤");
if (!JWTUtil.verify(token, username, user.getPassword()))
throw new AuthenticationException("token校驗不通過");
return new SimpleAuthenticationInfo(token, token, "kb_shiro_realm");
}
}
/**
* 授權/驗權(todo 後續有權限在此增加)
* @param principals
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection token) {
String username = JWTUtil.getUsername(token.toString());
SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
// 獲取用戶角色集
Set<String> roleSet = userManager.getUserRoles(username);
simpleAuthorizationInfo.setRoles(roleSet);
// 獲取用戶權限集
Set<String> permissionSet = userManager.getUserPermissions(username);
simpleAuthorizationInfo.setStringPermissions(permissionSet);
return simpleAuthorizationInfo;
}
/**
* @author jay
* 需要重寫 AuthorizingRealm(被Pac4jRealm繼承)的supports方法,增加對JWTToken的支持
* 否則會報錯:does not support authentication token
* @param token
* @return
*/
@Override
public boolean supports(AuthenticationToken token) {
Boolean flag = false;
if (super.supports(token) || token instanceof Pac4jToken || token instanceof JWTToken ) {
flag = true;
}
return flag;
}
}
5.增加 CasClient.java類
package com.upai.kb.common.authentication;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.context.Pac4jConstants;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.redirect.RedirectAction;
import org.pac4j.core.util.CommonHelper;
/**
* cas客戶端
* @author jay
* @date 2019-12-20
*
*/
public class CasClient extends org.pac4j.cas.client.CasClient {
public CasClient() {
super();
}
public CasClient(CasConfiguration configuration) {
super(configuration);
}
/*
* (non-Javadoc)
* @see org.pac4j.core.client.IndirectClient#getRedirectAction(org.pac4j.core.context.WebContext)
*/
@Override
public RedirectAction getRedirectAction(WebContext context) {
this.init();
if (getAjaxRequestResolver().isAjax(context)) {
this.logger.info("AJAX request detected -> returning the appropriate action");
RedirectAction action = getRedirectActionBuilder().redirect(context);
this.cleanRequestedUrl(context);
return getAjaxRequestResolver().buildAjaxResponse(action.getLocation(), context);
} else {
final String attemptedAuth = (String)context.getSessionStore().get(context, this.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX);
if (CommonHelper.isNotBlank(attemptedAuth)) {
this.cleanAttemptedAuthentication(context);
this.cleanRequestedUrl(context);
//這裏按自己需求處理,默認是返回了401,我在這邊改爲跳轉到cas登錄頁面
//throw HttpAction.unauthorized(context);
return this.getRedirectActionBuilder().redirect(context);
} else {
return this.getRedirectActionBuilder().redirect(context);
}
}
}
private void cleanRequestedUrl(WebContext context) {
SessionStore<WebContext> sessionStore = context.getSessionStore();
if (sessionStore.get(context, Pac4jConstants.REQUESTED_URL) != null) {
sessionStore.set(context, Pac4jConstants.REQUESTED_URL, "");
}
}
private void cleanAttemptedAuthentication(WebContext context) {
SessionStore<WebContext> sessionStore = context.getSessionStore();
if (sessionStore.get(context, this.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX) != null) {
sessionStore.set(context, this.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX, "");
}
}
}
6.增加Pac4jConfig.java類,Pac4j主要做跳轉用,跳轉地址都在這個類裏面配置
import edu.yale.its.tp.cas.util.SecureHash64Util;
import io.buji.pac4j.context.ShiroSessionStore;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.cas.config.CasProtocol;
import org.pac4j.core.config.Config;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import java.io.IOException;
/**
* cas跳轉
* @author jay
* @date 2019-12-20
*
*/
@Configuration
public class Pac4jConfig {
/**
* 地址爲:cas地址
*/
@Value("${cas.server.url}")
private String casServerUrl;
/**
* 地址爲:驗證返回後的項目地址:http://localhost:8081
*/
@Value("${cas.project.url}")
private String projectUrl;
/**
* 相當於一個標誌,可以隨意
*/
@Value("${cas.client-name}")
private String clientName;
@Value("${cas.sysIdStr}")
private String sysIdStr;
/**
* pac4j配置
*
* @param casClient
* @param shiroSessionStore
* @return
*/
@Bean("authcConfig")
public Config config(CasClient casClient, ShiroSessionStore shiroSessionStore) {
Config config = new Config(casClient);
config.setSessionStore(shiroSessionStore);
return config;
}
/**
* 自定義存儲
*
* @return
*/
@Bean
public ShiroSessionStore shiroSessionStore() {
return new ShiroSessionStore();
}
/**
* cas 客戶端配置
*
* @param casConfig
* @return
*/
@Bean
public CasClient casClient(CasConfiguration casConfig) {
CasClient casClient = new CasClient(casConfig);
//客戶端回調地址, 登陸成功後會攔截這個地址
casClient.setCallbackUrl(projectUrl + "/callback");
casClient.setName(clientName);
return casClient;
}
/**
* 請求cas服務端配置
*
* @param
*/
@Bean
public CasConfiguration casConfig() throws IOException {
final CasConfiguration configuration = new CasConfiguration();
String serviceEncrypted = SecureHash64Util.obfusecate(projectUrl + "/callback?client_name="+clientName);
//CAS server登錄地址,這裏增加了幾個參數是因爲針對公司sso客戶端的需要,可以不加
configuration.setLoginUrl(casServerUrl + "/login?" +
"sysIdStr=" + sysIdStr +
"&flag=" + serviceEncrypted
);
//CAS 版本,默認爲 CAS30,我們使用的是 CAS20
configuration.setProtocol(CasProtocol.CAS20);
configuration.setAcceptAnyProxy(true);
configuration.setPrefixUrl(casServerUrl + "/");
return configuration;
}
}
7.增加LoginController.java中的登錄成功回調方法,用於重定向到前端首頁
說明:本項目只是簡單接入sso,通過sso登錄,並沒有使用ticket作爲權限驗證憑據,而是獲取sso登陸成功後的用戶名再根據用戶名去獲取菜單角色等權限信息,沿用了項目本身的驗證,可以根據項目需要來更改ticket驗證方式!
sso登錄成功後後臺拿到登錄用戶,經過aes對稱加密一起返回給前端,前端再調接口獲取需要的權限角色等信息完成登錄,
博主這個沒有一次把所有信息返回給前端,是因爲參數太多,都拼接再地址後面感覺不好,就只傳遞了一個加密後的用戶名,如果有更好的方法可以留言交流一下。
/**
* cas登錄認證
*
* @return 登錄結果
* @author jay
* @date 2019-12-20
*/
@ApiOperation(value = "sso登錄接口", notes = "sso登錄接口")
@GetMapping({"/", "/ssoLogin", "/index"})
public void login(HttpServletRequest request, HttpServletResponse response) {
try {
Pac4jPrincipal principal = (Pac4jPrincipal) request.getUserPrincipal();
String userStr = (String) principal.getProfile().getId();
String loginAccount = userStr.split(":")[0];
//aes 16位加密,防止惡意登錄
loginAccount = AESUtils.encrypt(loginAccount);
logger.info("---sso返回參數---Pac4jPrincipal:" + principal
+ ";userStr:" + userStr
+ ";loginAccount:"+loginAccount
);
/*重定向到前端登錄頁面,考慮到安全問題,只傳給前端登陸賬戶,前端再調接口獲取登錄所需數據
http://前端服務器地址:前端項目端口(前端部署到nginx後nginx配置端口)
+ "/"(注意/是前端路由中登錄頁面的path,並且與nginx.conf文件中的
location後的/一致)+ 返回給前端的數據。
注意:前端服務器地址與前端項目中
config/index.js配置的host: 'x.x.x.x',保持一致*/
//參數暫定在重定向時傳過去,缺點是會顯得url太長,後續考慮只傳用戶id過去,再根據id查詢需要的參數
String serviceEncrypted = SecureHash64Util.obfusecate(projectUrl + "/callback");
/*String url = casServerUrl + "/login?" +
"service=" + projectUrl + "/callback" +
"&sysIdStr=" + sysIdStr +
"&flag=" + serviceEncrypted;*/
String url = casUIUrl + "?loginAccount="+loginAccount;
response.sendRedirect(url);
} catch (Exception e) {
System.out.println("登錄失敗,請聯繫管理員!");
e.printStackTrace();
}
}
8.源碼
等後續有空會把源碼上傳到github上發出來。
