spring security整合cas出现的问题
在项目中整合了 Spring Security 和 CAS，Spring Security 的配置文件如下：
但是貌似spring security没有起作用.任何一个url都可以随便访问,而且也没有跳转到cas进行验证
<?xml version="1.0"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
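<!--
  Main security filter chain. Unauthenticated requests that need
  authentication are handed to casEntryPoint, which redirects to the CAS
  login page. auto-config is off, so form-login, http-basic and logout are
  not created implicitly.
-->
<http entry-point-ref="casEntryPoint" auto-config="false">
    <!--
      filters="none" removes the whole security filter chain for the path:
      no authentication, no authorization, and no SecurityContext for the
      request. Patterns are matched in order, first match wins.
      NOTE(review): /services/**, /views/**, /html/** and /upImg/** are broad;
      confirm that everything served under them is meant to be public.
    -->
    <intercept-url pattern="/css/**" filters="none" />
    <intercept-url pattern="/images/**" filters="none" />
    <intercept-url pattern="/img/**" filters="none" />
    <intercept-url pattern="/views/**" filters="none" />
    <intercept-url pattern="/js/**" filters="none" />
    <intercept-url pattern="/index.jsp*" filters="none" />
    <intercept-url pattern="/login*" filters="none" />
    <intercept-url pattern="/ipone_html/**" filters="none" />
    <intercept-url pattern="/html/**" filters="none" />
    <intercept-url pattern="/upImg/**" filters="none" />
    <intercept-url pattern="/services/**" filters="none" />

    <!--
      Deny-by-default floor. Without a catch-all rule the namespace's own
      security interceptor has nothing to enforce, so protection depends
      entirely on the custom filterSecurityInterceptor and on its metadata
      source returning attributes for every URL. This rule makes every path
      not exempted above require an authenticated user, which is what sends
      anonymous requests to the CAS entry point.
      If requests still pass straight through, check that web.xml maps a
      DelegatingFilterProxy named springSecurityFilterChain to /* and that
      this file is actually loaded by the application context.
    -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

    <!-- Use the accessDeniedHandler bean for authenticated users who lack permission. -->
    <access-denied-handler ref="accessDeniedHandler" />

    <!-- Sessions: invalid session ids go to /login.do; an 11th concurrent login is rejected. -->
    <session-management invalid-session-url="/login.do">
        <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" />
    </session-management>

    <!-- CAS ticket processing, then the application's own authorization filter. -->
    <custom-filter ref="casFilter" position="CAS_FILTER" />
    <custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />

    <!-- Logout filters are currently disabled. -->
    <!-- <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" /> -->
    <!-- <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" /> -->
</http>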
<!--
  Namespace configuration creates an AuthenticationManager by default, but
  the CAS processing filter has to reference it by name, so it is declared
  here with an explicit alias.
-->
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="casAuthenticationProvider" />
</authentication-manager>
<!-- CAS authentication entry point: declares the login URL on the CAS server. -->
<beans:bean id="casEntryPoint"
            class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="https://${server}:8443/sso/login" />
    <beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean>
<!--
  Service URL that CAS redirects back to after a successful login.
  NOTE(review): the value is a hard-coded http://localhost address while the
  CAS URLs in this file use the ${server} placeholder and HTTPS. Presumably a
  development value; over plain HTTP the service ticket travels unencrypted.
  Confirm the externally reachable URL for each deployment.
-->
<beans:bean id="serviceProperties"
            class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service"
                    value="http://localhost:8080/uCenter/j_spring_cas_security_check" />
    <!-- When true, the user must log in again every time, even if already authenticated. -->
    <beans:property name="sendRenew" value="false" />
</beans:bean>
<!-- CAS authentication provider: defines how this client validates a login. -->
<beans:bean id="casAuthenticationProvider"
            class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <!-- Original author's note: the client only checks that the user name is valid. -->
    <beans:property name="serviceProperties" ref="serviceProperties" />
    <!-- Service tickets are checked against the CAS server by casTicketValidator. -->
    <beans:property name="ticketValidator" ref="casTicketValidator" />
    <beans:property name="key" value="an_id_for_this_auth_provider_only" />
    <!-- Loads the local user record for the principal named in the validated ticket. -->
    <beans:property name="authenticationUserDetailsService" ref="casCustomUserDetailsService" />
</beans:bean>
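<!--
  Validates CAS 2.0 service tickets against the CAS server.
  The constructor argument is the CAS server URL prefix, not the login page:
  the validator appends its own validation path to it. Passing the /login URL
  sends validation requests to a path under /sso/login, so tickets cannot be
  validated and authentication fails after the redirect back from CAS.
-->
<beans:bean id="casTicketValidator"
            class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    <beans:constructor-arg value="https://${server}:8443/sso" />
</beans:bean>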
<!--
  Authorities correspond to the login attributes from the CAS server; they are
  set into Spring Security here so that it can use them for its checks.
  The wrapper delegates to myUserDetailService.
-->
<beans:bean id="casCustomUserDetailsService"
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    <beans:property name="userDetailsService" ref="myUserDetailService" />
</beans:bean>
<!-- Application-specific UserDetailsService implementation. -->
<beans:bean id="myUserDetailService"
            class="com.balintimes.member.login.security.MyUserDetailService" />
<!--
  CAS authentication filter, registered at the CAS_FILTER position of the
  http element. It authenticates through authenticationManager and hands the
  outcome to the success or failure handler.
-->
<beans:bean id="casFilter"
            class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</beans:bean>
<!-- Login success handler: always redirects to /main.do, ignoring any saved request. -->
<beans:bean id="authenticationSuccessHandler"
            class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
    <beans:property name="defaultTargetUrl" value="/main.do" />
</beans:bean>
<!-- Login failure handler: sends the user to /login.jsp. -->
<beans:bean id="authenticationFailureHandler"
            class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login.jsp" />
</beans:bean>
<!--
  Application-specific authorization filter, inserted before
  FILTER_SECURITY_INTERCEPTOR by the http element.
  NOTE(review): if MyFilterSecurityInterceptor extends
  AbstractSecurityInterceptor, any URL for which securityMetadataSource
  returns no attributes is treated as public unless rejectPublicInvocations
  is enabled. Verify against the class, since that alone would let every
  unmapped URL through.
-->
<beans:bean id="filterSecurityInterceptor"
            class="com.balintimes.member.login.security.MyFilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
    <beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<!--
  Resource metadata definition: builds the mapping between all resources and
  the permissions they require. loadResourceDefine runs once at bean
  initialisation.
-->
<beans:bean id="securityMetadataSource"
            class="com.balintimes.member.login.security.MyInvocationSecurityMetadataSource"
            init-method="loadResourceDefine" />
<!-- Application-specific access decision manager used by filterSecurityInterceptor. -->
<beans:bean id="accessDecisionManager"
            class="com.balintimes.member.login.security.MyAccessDecisionManager" />
<!--
  Server-side logout. Constructor argument 0 is the URL to go to after
  logout, argument 1 the handler that clears the security context; the
  filter itself listens on /a.do.
  The custom-filter entry that would register this bean in the http element
  is commented out, so the filter is not active.
-->
<beans:bean id="requestSingleLogoutFilter"
            class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg index="0" value="/loginout.do" />
    <beans:constructor-arg index="1">
        <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/a.do" />
</beans:bean>
<!--
  Client-side logout (CAS single sign-out). The custom-filter entry that would
  register this bean in the http element is commented out, so the filter is
  not active.
-->
<beans:bean id="singleLogoutFilter"
            class="org.jasig.cas.client.session.SingleSignOutFilter" />
<!-- Access-denied handler: shows /common/accessDeny.jsp as the error page. -->
<beans:bean id="accessDeniedHandler"
            class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <beans:property name="errorPage" value="/common/accessDeny.jsp" />
</beans:bean>
</beans:beans>
web.xml也增加了spring security的拦截器
lovesid
10 years, 7 months ago