【发布时间】:2015-12-08 03:58:45
【问题描述】:
我没有找到任何关于在我的应用程序上实现单点注销 CAS 功能的实际指南。我在这里尝试了很多关于 SO 的答案,但没有一个有效(比如this 和this)。此外,没有找到使用 Java 配置的 Spring Security+CAS 的示例,所以我对此也有点迷茫。我什至无法弄清楚这是否是我应该使用的实际 URL,因为文档告诉我使用“/j_spring_security_logout”,这只是将我重定向到空白索引页面,因为如果我访问它,我的索引页面正在工作通常(尽管控制台显示所有正确的请求,如 JS 和 CSS)。非常感谢一些指导,因为我找不到使用 Java 注释的文档。提前致谢!
我的网络安全配置:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static String CAS_URL = "https://localhost:8443/cas";
private static String APP_URL = "https://localhost:8443/i9t-YM";
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService(APP_URL+"/j_spring_cas_security_check");
serviceProperties.setSendRenew(false);
return serviceProperties;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
return casAuthenticationProvider;
}
@Bean
public AuthenticationUserDetailsService authenticationUserDetailsService() {
return new TestCasAuthenticationUserDetailsService();
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator(CAS_URL);
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
return casAuthenticationFilter;
}
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl(CAS_URL+"/login");
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
@Bean
public SingleSignOutFilter SingleSignOutFilter(){
return new SingleSignOutFilter();
}
@Bean
public LogoutFilter requestLogoutFilter(){
SecurityContextLogoutHandler handler = new SecurityContextLogoutHandler();
handler.setClearAuthentication(true);
handler.setInvalidateHttpSession(true);
LogoutFilter logoutFilter = new LogoutFilter(APP_URL, handler);
return logoutFilter;
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(casAuthenticationProvider());
auth.inMemoryAuthentication().withUser("joe").password("joe").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilter(casAuthenticationFilter());
http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint());
http.addFilterBefore(requestLogoutFilter(), LogoutFilter.class);
http.addFilterBefore(SingleSignOutFilter(), CasAuthenticationFilter.class);
http.httpBasic().and().authorizeRequests().antMatchers("/index.html", "/home.html", "/login.html", "/")
.permitAll().anyRequest().authenticated()
.and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
.csrf().csrfTokenRepository(csrfTokenRepository())
;
http.logout()
.deleteCookies("remove").invalidateHttpSession(true).logoutUrl("cas/logout")
.logoutSuccessUrl("/");
//http.exceptionHandling().accessDeniedPage("/403.html");
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
}
我的 Web.xml 上的 SSOut 过滤器,不知道我添加它的确切原因:
<filter>
<filter-name>characterEncodingFilter</filter-name>
<filter-class>
org.springframework.web.filter.CharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>characterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.jasig.cas.client.session.SingleSignOutHttpSessionListener
</listener-class>
</listener>
【问题讨论】:
-
你为什么不写一个控制器方法,你可以在其中手动注销用户并将用户重定向到任何你想要的地方。我会将用户身份验证设为空。
-
@WeareBorg 但这就是问题所在:Spring 安全性不应该为我做这件事吗?据我从文档中了解到的,我只需要这样做,以便当我收到'/j_spring_security_cas_logout' 时,Spring 会使会话无效,然后从 CAS 的角度来看,SSOut 将是可选的。除非我真的不明白。让我检查一下……
标签: java spring spring-security cas