CAS Server (supports https) there are client1
, client2
, client3
multiple applications, among which client1
and client2
can normally support single sign-on, but client3
is not. The problem is that when CAS Server logs in, The page will be redirected in a loop between https://cas-server/login?service=https://localhost:8443/cas-client3/login
and https://localhost:8443/cas-client3/login?ticket=ST-1645-XXXXXXX-cas01.example.org
, causing the page not to be accessed properly
< H1 > the configuration of spring security and CAS is as follows < / H1 > < H2 > configuration file < / H2 >
-sharp CAS
app:
login:
url: /login
logout:
url: /logout
server:
host:
url: https://localhost:8443/cas-client3
cas:
server:
host:
url: https://cas-server
login_url: ${cas.server.host.url}/login
logout_url: ${cas.server.host.url}/logout?service=${app.server.host.url}
< H2 > configuration class < / H2 >
import com.cloume.mooc.security.MyPermissionEvaluator;
import com.cloume.mooc.security.SpringContextUtil;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import javax.annotation.Resource;
import java.util.Map;
/**
* spring security
*
* Created by surpass.wei@gmail.com on 2017/7/26.
*/
@Configuration
@EnableWebSecurity // webspring boot
@EnableGlobalMethodSecurity(prePostEnabled = true) //
@Profile("cas")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Resource
private CasProperties casProperties;
/**
*
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
super.configure(auth);
auth.authenticationProvider(casAuthenticationProvider());
}
/**
*
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
//
.antMatchers("/html/**")
.permitAll()
.expressionHandler(httpSecurityExpressionHandler())
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginProcessingUrl("/login")
.permitAll()
.and()
.rememberMe()
.tokenValiditySeconds(31536000)
.and()
.csrf()
.disable()
.logout()
.permitAll();
http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
.and()
.addFilter(casAuthenticationFilter())
.addFilterBefore(casLogoutFilter(), LogoutFilter.class)
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);
http.csrf().disable(); //CSRF
}
/**
* service
*/
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService(casProperties.getAppServerUrl() + casProperties.getAppLoginUrl());
serviceProperties.setAuthenticateAllArtifacts(true);
return serviceProperties;
}
@Bean
public SessionRegistry getSessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
public DefaultWebSecurityExpressionHandler httpSecurityExpressionHandler() {
DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(new MyPermissionEvaluator());
return expressionHandler;
}
@Bean
public DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {
final Map<String, DefaultWebSecurityExpressionHandler> expressionHandlers =
SpringContextUtil.getApplicationContext().getBeansOfType(DefaultWebSecurityExpressionHandler.class);
if (expressionHandlers.values().toArray()[0] != null) {
((DefaultWebSecurityExpressionHandler) expressionHandlers.values().toArray()[0]).setPermissionEvaluator(new MyPermissionEvaluator());
}
return (DefaultWebSecurityExpressionHandler) expressionHandlers.values().toArray()[0];
}
/**
* CAS
*/
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl());
//
//casAuthenticationFilter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler("/html/user.html"));
return casAuthenticationFilter;
}
/**
* cas Provider
*/
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(customUserDetailsService());
//casAuthenticationProvider.setUserDetailsService(customUserDetailsService()); //
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("casAuthenticationProviderKey");
return casAuthenticationProvider;
}
/**
* AuthenticationUserDetailsService
*/
@Bean
public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> customUserDetailsService() {
return new CustomUserDetailsService();
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl());
}
/**
* CAS
*/
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl());
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
/**
* CAS
*/
@Bean
public LogoutFilter casLogoutFilter() {
LogoutFilter logoutFilter = new LogoutFilter(casProperties.getCasServerLogoutUrl(), new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl(casProperties.getAppLogoutUrl()); //
return logoutFilter;
}
/**
* CAS
*/
@Bean
public SingleSignOutFilter singleSignOutFilter() {
SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
singleSignOutFilter.setCasServerUrlPrefix(casProperties.getCasServerUrl());
singleSignOutFilter.setIgnoreInitConfiguration(true);
return singleSignOutFilter;
}
}