本文主要介绍 CAS 客户端的接入,使用到的软件版本:JDK 1.8.0_191、Tomcat 8.5.76、SpringBoot 2.5.11、CAS 5.3.16、CAS Client 3.6.4。
1、服务端准备
这里假设服务端已经安装完毕,地址为:http://127.0.0.1:8080/cas,服务端的安装方法可参考:CAS 入门实战(2)--服务端安装。
2、普通 Java Web 应用接入
这里客户端的应用地址为:http://127.0.0.1:9090/cas-client。
2.1、引入依赖
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-core</artifactId>
<version>3.6.4</version>
</dependency>
如果不是使用 maven 来构建项目,可以手动下载对应的包后放到应用的 lib 下。
2.2、配置 AuthenticationFilter
该类型过滤器用于检测用户是否需要进行身份验证;如果需要,则会将用户重定向到 CAS 服务器。有两个可选的过滤器:
org.jasig.cas.client.authentication.AuthenticationFilter
org.jasig.cas.client.authentication.Saml11AuthenticationFilter
这里使用 org.jasig.cas.client.authentication.AuthenticationFilter,在 web.xml 增加如下配置:
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://127.0.0.1:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:9090</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
org.jasig.cas.client.authentication.AuthenticationFilter 过滤器的参数说明如下:
Property | Description | Required |
| The start of the CAS server URL, i.e. | Yes (unless |
| Defines the location of the CAS server login URL, i.e. | Yes (unless |
| The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). | Yes |
| The service URL to send to the CAS server, i.e. | No |
| specifies whether | No |
| specifies whether | No |
| specifies the name of the request parameter on where to find the artifact (i.e. | No |
| specifies the name of the request parameter on where to find the service (i.e. | No |
| Whether the client should auto encode the service url. Defaults to | No |
| Defines the url pattern to ignore, when intercepting authentication requests. | No |
| Defines the type of the pattern specified. Defaults to | No |
| The storage class used to record gateway requests | No |
| The class name of the component to decide how to handle authn redirects to CAS | No |
| The method used by the CAS server to send the user back to the application. Defaults to | No |
ignoreUrlPatternType 支持的类型说明如下:
Type | Description |
| Matches the URL the |
| Uses the |
| Uses the |
| Matches the URL the |
2.3、配置 TicketValidationFilter
该类型过滤器负责对票据进行验证。有多个可选的过滤器:
org.jasig.cas.client.validation.Cas10TicketValidationFilter
org.jasig.cas.client.validation.Saml11TicketValidationFilter
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter
org.jasig.cas.client.validation.json.Cas30JsonProxyReceivingTicketValidationFilter
这里使用 org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter,在 web.xml 增加如下配置:
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://127.0.0.1:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://127.0.0.1:9090</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter 过滤器的参数说明如下:
Property | Description | Required |
| The start of the CAS server URL, i.e. | Yes |
| The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. | Yes |
| Specifies whether | No |
| Whether to redirect to the same URL after ticket validation, but without the ticket in the parameter. Defaults to | No |
| Whether to store the Assertion in session or not. If sessions are not used, tickets will be required for each request. Defaults to | No |
| whether to throw an exception or not on ticket validation failure. Defaults to | No |
| The URL to watch for | No |
| Specifies whether any proxy is OK. Defaults to | No |
| Specifies the proxy chain. Each acceptable proxy chain should include a space-separated list of URLs (for exact match) or regular expressions of URLs (starting by the | No |
| The callback URL to provide the CAS server to accept Proxy Granting Tickets. | No |
| Specify an implementation of the ProxyGrantingTicketStorage class that has a no-arg constructor. | No |
| A reference to a properties file that includes SSL settings for client-side SSL config, used during back-channel calls. The configuration includes keys for | No. |
| Specifies the encoding charset the client should use | No |
| The secret key used by the | No |
| The algorithm used by the | No |
| Startup delay for the cleanup task to remove expired tickets from the storage. Defaults to | No |
| Ticket validator class to use/create | No |
| Hostname verifier class name, used when making back-channel calls | No |
| The path to a private key to decrypt PGTs directly sent encrypted as an attribute | No |
| The algorithm of the private key. Defaults to | No |
如果设置了 acceptAnyProxy 或 allowedProxyChains 参数,则会创建 Cas30ProxyTicketValidator;否则创建不支持代理票据的 Cas30ServiceTicketValidator。
2.4、配置 HttpServletRequestWrapperFilter(可选)
包装 HttpServletRequest 的过滤器,getRemoteUser 和 getPrincipal 方法会返回与 CAS 相关的实体信息。在 web.xml 增加如下配置:
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
该过滤器的参数说明如下:
Property | Description | Required |
| Used to determine the principal role. | No |
| Whether role checking should ignore case. Defaults to | No |
2.5、配置 AssertionThreadLocalFilter(可选)
该过滤器把登录信息放入 ThreadLocal 中,可以通过 org.jasig.cas.client.util.AssertionHolder 来获取用户信息(AssertionHolder.getPrincipal()),这在无法使用 HttpServletRequest 时很有用。在 web.xml 增加如下配置:
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2.6、配置 ErrorRedirectFilter(可选)
该过滤器用于发生异常时,重定向到指定的地址。在 web.xml 增加如下配置:
<filter>
<filter-name>CAS Error Redirect Filter</filter-name>
<filter-class>org.jasig.cas.client.util.ErrorRedirectFilter</filter-class>
<init-param>
<param-name>java.lang.Exception</param-name>
<param-value>/yourapp/error.jsp</param-value>
</init-param>
<init-param>
<param-name>defaultErrorRedirectPage</param-name>
<param-value>/yourapp/defaulterror.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Error Redirect Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
该过滤器的参数说明如下:
Property | Description | Required |
| Default url to redirect to, in case no error matches are found. | Yes |
| Fully qualified exception name. Its value must be redirection url | No |
2.7、单点登出(可选)
2.7.1、单点登录服务端配置
在 WEB-INF\classes\application.properties 文件,增加如下配置:
#允许登出后跳转到指定页面
cas.logout.followServiceRedirects=true
#登出后重定向地址的参数名
cas.logout.redirectParameter=service
#登出后默认的重定向地址
#cas.logout.redirectUrl=http://127.0.0.1:9090
#登出时是否弹出确认框
cas.logout.confirmLogout=false
#是否移除子系统的票据
cas.logout.removeDescendantTickets=true
#是否禁用单点登出
#cas.slo.disabled=true
#是否默认异步通知客户端清除session
cas.slo.asynchronous=false
2.7.2、单点登录客户端配置
单点登出客户端需要配置一个 SingleSignOutFilter 和一个 ContextListener,SingleSignOutFilter 需要配置在其他过滤器的最前面。在 web.xml 增加如下配置:
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>logoutCallbackPath</param-name>
<param-value>http://127.0.0.1:9090/cas_client_tomcat_war_exploded/test.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
SingleSignOutFilter 过滤器的参数说明如下:
Property | Description | Required |
| The ticket artifact parameter name. Defaults to | No |
| Defaults to | No |
| Defaults to | No |
| Defaults to | No |
| Defaults to | No |
| The path which is expected to receive logout callback requests from the CAS server. This is necessary if your app needs access to the raw input stream when handling form posts. If not configured, the default behavior will check every form post for a logout parameter. | No |
2.8、编写测试页面
这里写个简单的 JSP,在页面中获取用户的信息(web.xml 中需配置 HttpServletRequestWrapperFilter 和 单点登出):
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal"%>
<%
String remoteUser = request.getRemoteUser();
AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
String attributes = principal.getAttributes().toString();
%>
<html>
<head>
<title>Title</title>
</head>
<body>
remoteUser:<%=remoteUser%>
principalName:<%=principal.getName()%>
principalAttributes:<%=attributes%>
<br><a href="http://127.0.0.1:8080/cas/logout?service=http://127.0.0.1:9090/cas-client/index.jsp">logout</a>
</body>
</html>
2.9、部署 Web 应用
部署 Web 应用到 Java Web 应用服务器(如:Tomcat)中即可。
3、SpringBoot 应用接入
3.1、引入依赖
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-support-springboot</artifactId>
<version>3.6.4</version>
</dependency>
3.2、增加 CAS 相关配置
在 application.yml 中增加如下配置:
cas:
server-login-url: http://127.0.0.1:8080/cas/login #cas服务端登录地址
server-url-prefix: http://127.0.0.1:8080/cas #cas服务端地址
client-host-url: http://127.0.0.1:9090 #客户端地址
validation-type: cas3 #验证使用的协议
server:
port: 9090
其他的可选参数如下:
-
cas.single-logout.enabled 是否单点登出,默认false
-
cas.authentication-url-patterns 与AuthenticationFilter作用类似,默认/*
-
cas.validation-url-patterns 与TicketValidationFilter作用类似,默认/*
-
cas.request-wrapper-url-patterns 与HttpServletRequestWrapperFilter作用类似,默认/*
-
cas.assertion-thread-local-url-patterns
-
cas.gateway
-
cas.use-session
-
cas.attribute-authorities
-
cas.redirect-after-validation
-
cas.allowed-proxy-chains
-
cas.proxy-callback-url
-
cas.proxy-receptor-url
-
cas.accept-any-proxy
-
server.context-parameters.renew
3.3、启动类增加 @EnableCasClient
@EnableCasClient
@SpringBootApplicationpublic class CasApplication {...}
3.4、编写测试 Controller
package com.abc.controller;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;
@RequestMapping("/test")
@Controller
public class TestController {
private static Logger logger = LoggerFactory.getLogger(TestController.class);
@ResponseBody
@RequestMapping("/getUser")
public String test1(HttpServletRequest request) {
String remoteUser = request.getRemoteUser();
AttributePrincipal principal = (AttributePrincipal)request.getUserPrincipal();
return "remoteUser=" + remoteUser + ",principalName=" + principal.getName() + ",principalAttributes=" + principal.getAttributes();
}
}
启动应用后访问:http://127.0.0.1:9090/test/getUser,登录后页面返回用户相关信息。
4、CAS 客户端集群接入
如果客户端是集群的话,可以使用 Spring Session 来实现同一类型的各客户端节点的 Session 共享;前端使用代理服务器来代理。
4.1、集群创建
Spring Session 的使用可参考:,这里就不详述了。假设使用上面的 SpringBoot 应用来组建集群:
地址 | 说明 |
http://127.0.0.1:9090 | 节点1 |
http://127.0.0.1:9091 | 节点2 |
http://127.0.0.1:9092 | 代理地址 |
启动节点1:
java -Dcas.client-host-url=http://127.0.0.1:9092 -Dserver.port=9090 -jar cas-client-springboot-1.0.0.jar
启动节点2
java -Dcas.client-host-url=http://127.0.0.1:9092 -Dserver.port=9091 -jar cas-client-springboot-1.0.0.jar
配置 nginx 代理:
upstream cas {
server 127.0.0.1:9090 weight=1;
server 127.0.0.1:9091 weight=1;
#ip_hash;
}
server {
listen 9092;
server_name localhost;
location / {
proxy_pass http://cas;
}
}
启动 ngxin 并访问代理地址:http://127.0.0.1:9092/test/getUser。
4.2、集群单点登出
使用 Spring Session 后,单点登出客户端的 Session 还是存在的,可能是 CAS 客户端还不能和 Spring Session 结合使用。处理方法:
1、先调用客户端的一个请求,在该请求中使用 Session 失效:
@ResponseBody
@RequestMapping("/logout")
public String logout(HttpSession session) {
session.invalidate();
return "logout success";
}
2、再访问单点登出的地址 http://127.0.0.1:8080/cas/logout?service=http://127.0.0.1:9092/test/getUser。
CAS 客户端接入的详细说明可参考官网说明:https://github.com/apereo/java-cas-client。