
Excluding specific URLs from the CAS filter

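2016-01-08 21:13 · 1196 views
Summary: When an application is integrated with SSO (single sign-on), the filter configuration is usually set to * so that every URL is intercepted. Sometimes certain URLs must not go through single sign-on, for example when the system exposes interface services to third-party systems or when specific links are embedded elsewhere. Without a CAS login, calls to those URLs are intercepted by the CAS filter. The steps below configure URLs that the filter will not intercept.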

The usual web.xml configuration for CAS client integration looks like this:

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>http://localhost/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost</param-value>
        </init-param>
    </filter>


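org.jasig.cas.client.authentication.AuthenticationFilter is the class that implements the CAS filter; it extends AbstractCasFilter.

We define a new class, MyAuthenticationFilter, which also extends AbstractCasFilter. Copy the entire content of AuthenticationFilter into it, then make the following changes:

1. Add an excludePaths field to hold the paths that are excluded from filtering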

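    /**
     * Paths to exclude from the CAS filter
     */
    private String[] excludePaths;

    /** Setter called from initInternal with the parsed init-param value */
    public void setExcludePaths(final String[] excludePaths) {
        this.excludePaths = excludePaths;
    }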


2. Modify the initInternal method to parse the excluded paths from the web.xml configuration

    protected void initInternal(final FilterConfig filterConfig) throws ServletException {
        if (!isIgnoreInitConfiguration()) {
            super.initInternal(filterConfig);
            setCasServerLoginUrl(getPropertyFromInitParams(filterConfig, "casServerLoginUrl", null));
            log.trace("Loaded CasServerLoginUrl parameter: " + this.casServerLoginUrl);
            setRenew(parseBoolean(getPropertyFromInitParams(filterConfig, "renew", "false")));
            log.trace("Loaded renew parameter: " + this.renew);
            setGateway(parseBoolean(getPropertyFromInitParams(filterConfig, "gateway", "false")));
            log.trace("Loaded gateway parameter: " + this.gateway);
            final String gatewayStorageClass = getPropertyFromInitParams(filterConfig, "gatewayStorageClass", null);
            if (gatewayStorageClass != null) {
                try {
                    this.gatewayStorage = (GatewayResolver) Class.forName(gatewayStorageClass).newInstance();
                } catch (final Exception e) {
                    log.error(e, e);
                    throw new ServletException(e);
                }
            }
            // CAS filter exclusion change ************ begin by wangzhen
            // Read the configured excluded URLs; loaded once at startup
            String _excludePaths = getPropertyFromInitParams(filterConfig, "excludePaths", null);
            // Prints the excluded URIs configured in web.xml
            System.out.println("web.xml中配置的不拦截uri:" + _excludePaths);
            if (CommonUtils.isNotBlank(_excludePaths)) {
                setExcludePaths(_excludePaths.trim().split(","));
            }
            // CAS filter exclusion change ************ end by wangzhen
        }
    }


3. Modify the doFilter method to check whether the request path is one of the excluded paths. If it is, skip the CAS check

    public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final HttpSession session = request.getSession(false);
        final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;
        // CAS filter exclusion change ************ begin by wangzhen
        String uri = request.getRequestURI();
        System.out.println("uri:" + uri);
        boolean isInWhiteList = false;
        if (excludePaths != null && excludePaths.length > 0 && uri != null) {
            for (String path : excludePaths) {
                if (CommonUtils.isNotBlank(path)) {
                    // Substring match against the raw request URI
                    // (context path and any path parameters included)
                    isInWhiteList = uri.indexOf(path.trim()) > -1;
                    if (isInWhiteList) {
                        break;
                    }
                }
            }
        }

        if (isInWhiteList) {
            // Prints the URI that CAS does not intercept
            System.out.println("cas不拦截该uri:" + uri);
            filterChain.doFilter(request, response);
            return;
        }
        // CAS filter exclusion change ************ end by wangzhen

        if (assertion != null) {
            filterChain.doFilter(request, response);
            return;
        }
        final String serviceUrl = constructServiceUrl(request, response);
        final String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());
        final boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);
        if (CommonUtils.isNotBlank(ticket) || wasGatewayed) {
            filterChain.doFilter(request, response);
            return;
        }
        final String modifiedServiceUrl;
        log.debug("no ticket and no assertion found");
        if (this.gateway) {
            log.debug("setting gateway attribute in session");
            modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
        } else {
            modifiedServiceUrl = serviceUrl;
        }
        if (log.isDebugEnabled()) {
            log.debug("Constructed service url: " + modifiedServiceUrl);
        }
        final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);
        if (log.isDebugEnabled()) {
            log.debug("redirecting to \"" + urlToRedirectTo + "\"");
        }
        response.sendRedirect(urlToRedirectTo);
    }


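4. After changing the methods above, web.xml needs two more changes: (i) point the filter class at our rewritten class MyAuthenticationFilter; (ii) add the excludePaths parameter listing the URLs that are not intercepted. The modified web.xml configuration is as follows: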

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.MyAuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>http://localhost/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://localhost</param-value>
        </init-param>
        <init-param>
            <description>cas not filter url</description>
            <param-name>excludePaths</param-name>
            <param-value>interfacesJSON.do,data_json.jsp,soa/service</param-value>
        </init-param>
    </filter>


After restarting the service, the URLs configured as excluded can be accessed normally without logging in to the CAS server for authentication.

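Note: to keep the project tidy and avoid having an extra package such as org.jasig.cas.client.authentication.MyAuthenticationFilter in the source tree, you can package the class into a jar and copy it into the project's lib directory.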

PS: the same principle applies when modifying the .NET client filter!
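
The doFilter change above tests uri.indexOf(path) against getRequestURI(), so an entry matches wherever it appears in the raw URI (context path and path parameters included) and each entry exempts more than the one endpoint it names. A stricter matcher is sketched below as an added example; it is not code from the original article or from the CAS client. The class name ExcludePathMatcher, the leading-slash entry syntax and the /* subtree suffix are assumptions made here, and the sample paths are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper (not part of cas-client): strict matching for excludePaths entries. */
public class ExcludePathMatcher {
    private final List<String> exact = new ArrayList<String>();
    private final List<String> prefixes = new ArrayList<String>();

    /** Entries are context-relative: "/a/b.do" matches exactly, "/a/b/*" matches the subtree. */
    public ExcludePathMatcher(String initParam) {
        if (initParam == null) return;
        for (String raw : initParam.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            if (!entry.startsWith("/")) {
                // Fail fast at startup instead of silently matching too much.
                throw new IllegalArgumentException("excludePaths entry must start with '/': " + entry);
            }
            if (entry.endsWith("/*")) {
                prefixes.add(entry.substring(0, entry.length() - 1)); // keep the trailing '/'
            } else {
                exact.add(entry);
            }
        }
    }

    /** path = request.getServletPath() + (getPathInfo() or ""), never getRequestURI(). */
    public boolean isExcluded(String path) {
        // Fail closed: anything unusual goes through CAS authentication.
        if (path == null || path.contains(";") || path.contains("..") || path.contains("//")) {
            return false;
        }
        if (exact.contains(path)) return true;
        for (String prefix : prefixes) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values, modelled on the excludePaths entries in this article.
        ExcludePathMatcher m = new ExcludePathMatcher("/interfacesJSON.do, /data_json.jsp, /soa/service/*");
        String[] samples = {"/interfacesJSON.do", "/soa/service/orders", "/admin/list.do",
                "/backup/data_json.jsp", "/soa/services-internal/x"};
        for (String s : samples) {
            System.out.println(s + " -> " + (m.isExcluded(s) ? "skip CAS" : "require CAS login"));
        }
    }
}
```

In doFilter, pass request.getServletPath() plus request.getPathInfo() when it is non-null. Endpoints excluded this way are no longer protected by CAS and need their own authentication.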