基于Spirng的Shiro安全框架与CAS SSO的集成
2015-05-20 11:21
465 查看
首先需要在maven的pom文件中添加依赖
在web.xml中添加相应的filter和listener
先来看一下shiro的property文件
下面进行applicationContext-shiro.xml的配置,记得在sping的主配置文件中引用此配置
上面的用户授权的cache采用ehcache,以下是ehcache-shiro.xml的配置
下面详细介绍 CasRealm bean的实现
< dependency> <groupId >org.apache.shiro </groupId > <artifactId > shiro-cas </artifactId > <version >${shiro.version} </version > <exclusions > <exclusion > <artifactId > servlet-api </artifactId > <groupId >javax.servlet </groupId > </exclusion > <exclusion > <artifactId >commons-logging </artifactId > <groupId >commons-logging </groupId > </exclusion > </exclusions > </dependency > <dependency > <groupId >org.apache.shiro </groupId > <artifactId > shiro-spring</ artifactId> <version >${shiro.version} </version > </dependency > <dependency > <groupId >org.apache.shiro </groupId > <artifactId > shiro-ehcache </artifactId > <version >${shiro.version} </version > </dependency >
在web.xml中添加相应的filter和listener
<!-- The filter-name matches name of a 'shiroFilter' bean inside applicationContext.xml --> <filter> <filter-name>shiroFilter</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> <init-param> <param-name>targetFilterLifecycle</param-name> <param-value>true</param-value> </init-param> </filter> <filter> <filter-name>singleSignOutFilter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> </filter> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <filter-mapping> <filter-name>singleSignOutFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>shiroFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
先来看一下shiro的property文件
shiro.session.timeout=1800000 shiro.session.validate.timespan=1800000 shiro.login.url=http://login.51idc.cn/user/login?service=http://localhost:8086/tickets/shiro-cas shiro.logout.url=http://login.51idc.cn/user/logout?service=http://localhost:8086/tickets/ticket/create shiro.login.success.url=http://localhost: 4000 8086/home shiro.casServer.url=http://login.51idc.cn/user shiro.client.cas=http://localhost:8086/tickets/shiro-cas shiro.failureUrl=/error.jsp
下面进行applicationContext-shiro.xml的配置,记得在sping的主配置文件中引用此配置
<!-- Shiro Filter anon:匿名过滤器,不用登录也可以访问 authc:如果继续操作,需要做对应的表单验证否则不能通过 authcBasic:基本http验证过滤,如果不通过,跳转登录页面 logout:登录退出过滤器 noSessionCreation:没有session创建过滤器 perms:权限过滤器 port:端口过滤器,可以设置是否是指定端口如果不是跳转到登录页面 rest:http方法过滤器,可以指定如post不能进行访问等 roles: 角色过滤器,判断当前用户是否指定角色 ssl:请求需要通过ssl,如果不是跳转回登录页 user:如果访问一个已知用户,比如记住我功能,走这个过滤器 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <!--没有单点登录下的配置:没有权限或者失败后跳转的页面 --> <!-- <property name="loginUrl" value="/login/toLoginAction"/> --> <!--有单点登录的配置:登录 CAS 服务端地址,参数 service 为服务端的返回地址 --> <property name="loginUrl" value="${shiro.login.url}" /> <property name="successUrl" value="${shiro.login.success.url}" /> <property name="filters"> <map> <entry key="casFilter" value-ref="casFilter" /> <entry key="anon" value-ref="anonymousFilter" /> <entry key="logout" value-ref="logoutFilter" /> <entry key="loginSuccessFilter" value-ref="loginSuccessFilter" /> </map> </property> <property name="filterChainDefinitions"> <value> /shiro-cas = casFilter /**/*.js = anon /**/*.css = anon /static/** = anon /api/** = anon /logout = logout /admin/** = loginSuccessFilter,roles[admin] /** =loginSuccessFilter,roles[employee] </value> </property> </bean> <bean id="casFilter" class="org.apache.shiro.cas.CasFilter"> <!--配置验证错误时的失败页面(Ticket 校验不通过时展示的错误页面) --> <property name="failureUrl" value="${shiro.failureUrl}" /> </bean> <bean id="logoutFilter" class="org.apache.shiro.web.filter.authc.LogoutFilter"> <property name="redirectUrl" value="${shiro.logout.url}" /> </bean> <bean id="anonymousFilter" class="org.apache.shiro.web.filter.authc.AnonymousFilter" /> <!-- 自定义的filter--> <bean id="loginSuccessFilter" class="com.anchnet.tickets.web.filters.LoginSuccessFilter" /> <!-- Shiro's main business-tier object for web-enabled applications --> <property name="sessionManager" ref="defaultWebSessionManager"/> <property name="realms"> <list> <ref bean="casRealm" /> </list> </property> <property name="subjectFactory" ref="casSubjectFactory" /> <property name="cacheManager" ref="shiroEhcacheManager" /> </bean> <bean id="casRealm" class="com.anchnet.tickets.service.account.CustomCASRealm"> <property name="defaultRoles" value="ROLE_USER" /> <property name="casServerUrlPrefix" value="${shiro.casServer.url}" /> <!--客户端的回调地址设置,必须和上面的shiro-cas过滤器拦截的地址一致 --> <property name="casService" value="${shiro.client.cas}" /> </bean> <!--Define the realm you want to use to connect to your back-end security datasource: --> <bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory" /> <!-- default web session manager --> <bean id="defaultWebSessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> <property name="globalSessionTimeout" value="${shiro.session.timeout}"/> <property name="sessionIdCookie" ref="simpleCookie"/> <property name="sessionValidationScheduler" ref="sessionValidationScheduler"/> <property name="sessionValidationSchedulerEnabled" value="true"/> <property name="deleteInvalidSessions" value="true"/> </bean> <bean id="simpleCookie" class="org.apache.shiro.web.servlet.SimpleCookie"> <constructor-arg index="0" value="JSESSIONID_COOKIE"/> <property name="httpOnly" value="true"/> </bean> <bean id="sessionValidationScheduler" class="org.apache.shiro.session.mgt.ExecutorServiceSessionValidationScheduler"> <property name="sessionManager" ref="defaultWebSessionManager"/> <property name="interval" value="${shiro.session.validate.timespan}"/> </bean> <!-- 用户授权信息Cache, 采用EhCache --> <bean id="shiroEhcacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:cache/ehcache-shiro.xml" /> </bean> <!-- 保证实现了Shiro内部lifecycle函数的bean执行 --> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <!--AOP式方法级权限检查 --> <!--Enable Shiro Annotations for Spring-configured beans. Only run after --> <!--the lifecycleBeanProcessor has run: --> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <property name="proxyTargetClass" value="true" /> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager" /> </bean>
上面的用户授权的cache采用ehcache,以下是ehcache-shiro.xml的配置
<ehcache updateCheck="false" name="shiroCache"> <!-- http://ehcache.org/ehcache.xml --> <defaultCache maxElementsInMemory="10000" eternal="false" timeToIdleSeconds="120" timeToLiveSeconds="120" overflowToDisk="false" diskPersistent="false" diskExpiryThreadIntervalSeconds="120" /> </ehcache>
下面详细介绍 CasRealm bean的实现
import java.io.Serializable; import java.util.Map; import org.apache.commons.lang3.StringUtils; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.authz.UnauthorizedException; import org.apache.shiro.cas.CasRealm; import org.apache.shiro.subject.PrincipalCollection; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.common.base.Objects; import com.google.common.collect.ImmutableList; public class CustomCASRealm extends CasRealm { private static Logger logger = LoggerFactory .getLogger(CustomCASRealm.class); // @Autowired protected AccountService accountService; @Override protected AuthorizationInfo doGetAuthorizationInfo( PrincipalCollection principals) { SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(); String loginName = (String) principals.getPrimaryPrincipal(); if (loginName == null) { throw new UnauthorizedException("无效的凭证"); } try { Map rolesMaps = (Map) principals.asList().get(1); String roles = (String) rolesMaps.get("role"); if (roles.length() > 0) { roles = roles.substring(1); roles = roles.substring(0, roles.length() - 1); logger.debug("!!!!! get roles:{}", roles); authorizationInfo.addRoles(ImmutableList.copyOf(StringUtils.split(roles, ", "))); } else { logger.debug("user {} has no roles!!!", loginName); } } catch (Exception e) { e.printStackTrace(); throw new UnauthorizedException("无效的凭证"); } return authorizationInfo; }
相关文章推荐
- 【原创】基于Spring-SpringMVC-Mybatis 的 Shiro 安全框架使用教程--转载请注明出处
- 基于权限安全框架Shiro的登录验证功能实现
- java安全框架-Shiro学习笔记(五)-Shiro集成Web
- SSM集成安全框架shiro
- 基于权限安全框架Shiro的登录验证功能实现
- AdminEAP框架-集成Shiro安全认证
- Spring Boot系列(十五) 安全框架Apache Shiro(二)缓存-基于Hazelcast的分布式缓存
- java安全框架-Shiro学习笔记(二)-身份认证
- java安全框架-Shiro学习笔记(七)-自定义realm
- Shiro安全登录框架
- Apache Shiro在web开发安全框架中的应用
- shiro框架之集成验证码 二十二
- Shiro安全框架整理
- 基于Maven环境进行Spring集成CXF WebService框架
- 安全框架 - Shiro与springMVC整合的注解以及JSP标签
- 安全认证框架Shiro (二)- shiro过滤器工作原理
- shiro安全框架扩展教程--数据对象安全校验(oval框架)
- Java开源安全框架之Apache Shiro
- 在Spring MVC中使用Apache Shiro安全框架
- Spring Boot系列(十五) 安全框架Apache Shiro(二)缓存-EhCache