单点登录(Single Sign-On, 简称SSO)是目前比较流行的服务于企业业务整合的解决方案之一,SSO使得在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统。大家在使用时CAS Server验证成功后会立即跳转到客户端,CAS Server默认只返回账号uid给客户端,如何定义CAS server返回信息到CAS Client客户端(CAS server返回更多用户信息)呢?下面本站素文宅www.yoodb.com本篇文章具体讲解一下怎么实现,仅供大家参考学习。
1、相关接口
首先了解一下相关的几个接口
• Credentials
• Principal
• IPersonAttributeDao
• CredentialsToPrincipalResolver
1)org.jasig.cas.authentication.principal.Credentials接口, 在工程中UsernamePasswordCredential 的类就是实现了Credentials接口。这个接口是用来定义我们在登录时输入的认证信息,比如用户名、密码、验证码等,可以理解为用户认证的相关凭据。
2)org.jasig.cas.authentication.principal.Principal接口,主要是用来保存用户认证后的用户信息,信息保存在一个Map集合中。
3)org.jasig.services.persondir.IPersonAttributeDao接口,是用来定义我们需要返回给客户端相关信息的接口,CAS Server默认有提供许多实现,比如
• SingleRowJdbcPersonAttributeDao : JDBC SQL查询返回信息
• LdapPersonAttributeDao :查询 LDAP 目录返回信息
• StubPersonAttributeDao :自定义属性返回信息
等参考源码中的实现,CAS Server提供了各种功能的实现
4)org.jasig.cas.authentication.principal. CredentialsToPrincipalResolver接口,主要是用来把Credentials里面的信息转换到 Principal中,在这接口中有两个方法,具体如下:
Principal resolvePrincipal(Credentials credentials);// 解析Credentials中的信息,返回 Principal 接口
boolean supports(Credentials credentials); //判断Credentials 是否支持 Principal 协议
注意:在3.x版本是CredentialsToPrincipalResolver接口,4.x版本是PrincipalResolver接口
2、CAS Server流程
打开 deployerConfigContext.xml 文件,CAS Server3.5.2版本默认配置了org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver类,它注入一个 attributeRepository 属性,实现IPersonAttributeDao 接口调用getPerson方法,传入principalId参数,也就是调用Credentials 接口的getId() 方法,配置文件详情具体如下:
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
ldap://127.0.0.1:1389
java.naming.security.authentication
simple
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
p:httpClient-ref="httpClient" />
class="org.jasig.cas.util.ShiroStubPersonAttributeDao">
id="serviceRegistryDao"
class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
p:freeMemoryWarnThreshold="10" />
p:ticketRegistry-ref="ticketRegistry"
p:serviceTicketCountWarnThreshold="5000"
p:sessionCountWarnThreshold="100000" />
新增以及修改内容,具体如下:
class="org.jasig.cas.util.ShiroStubPersonAttributeDao">
调试源码会发现org.jasig.cas.CentralAuthenticationServiceImpl.java类中有判断是否允许客户端获取数据信息,代码如下:
if (!registeredService.isIgnoreAttributes()) {
final Map attributes = new HashMap();
for (final String attribute : registeredService.getAllowedAttributes()) {
final Object value = principal.getAttributes().get(attribute);
if (value != null) {
attributes.put(attribute, value);
}
}
下面配置将ignoreAttributes属性值设置为true,允许客户端获取数据,具体配置如下:
重写org.jasig.services.persondir.support.StubPersonAttributeDao类中getPerson方法,实现多用户信息具体代码如下:
package org.jasig.cas.util;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jasig.services.persondir.IPersonAttributes;
import org.jasig.services.persondir.support.AttributeNamedPersonImpl;
import org.jasig.services.persondir.support.StubPersonAttributeDao;
public class ShiroStubPersonAttributeDao extends StubPersonAttributeDao{
@Override
public IPersonAttributes getPerson(String uid) {
Map> attributes = new HashMap>();
attributes.put("uid", Collections.singletonList((Object)uid));
attributes.put("username", Collections.singletonList((Object)"www.yoodb.com"));
attributes.put("password", Collections.singletonList((Object)"123456"));
return new AttributeNamedPersonImpl(attributes);
}
}
修改cas-server-webapp工程中路径/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp文件内容,具体如下:
Licensed to Jasig under one or more contributor license
agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership.
Jasig licenses this file to you under the Apache License,
Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a
copy of the License at the following location:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
--%>
${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}
${fn:escapeXml(attr.value)}
${pgtIou}
step="1">
${fn:escapeXml(proxy.principal.id)}
新增内容,具体如下:
${fn:escapeXml(attr.value)}
3、CAS Client流程
在CAS Client设置信息接收,java可以通过下面的方式获取,代码如下:
AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
Map attributes = principal.getAttributes();
String uid = attributes .get("uid");
CAS Client如果集成了shiro权限控制,由于cas client将casFilter交给了shiroFilter来控制,接受数据信息代码如下:
Subject subject = SecurityUtils.getSubject();
List list = subject.getPrincipals().asList();
String name = (String) list.get(0);//账号
Map info = (Map)list.get(1);//Json串
String uid = (String) info.get("uid");