使用LDAP身份验证和权限将Spring Web项目移动到Spring和CAS

时间:2012-06-18 17:35:26

标签: java spring spring-mvc spring-security cas

我正在尝试将一个使用LDAP进行身份验证和授权的Spring Web项目迁移到Spring和CAS。我的项目使用LDAP时工作得很好,但现在我必须改用CAS。一旦我更改了XML文件,一切都停止工作了。

使用LDAP的XML:

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security 3.1 context: LDAP authentication (bind / password compare)
    and LDAP group based authorization. The security namespace is the default
    namespace of this file, so security elements are unprefixed and Spring
    beans elements carry the beans: prefix.
-->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
    xmlns:jee="http://www.springframework.org/schema/jee"

    xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/jdbc
           http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd
           http://www.springframework.org/schema/jee 
           http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
           "
    xmlns="http://www.springframework.org/schema/security">

    <!-- Web security chain: /requests/** requires ROLE_MEMBER_INQUIRY and the
         login form lands on /requests/add.html. auto-config lets the namespace
         register its default login/logout filters. -->
    <http auto-config="true" use-expressions="true">



        <intercept-url access="hasRole('ROLE_MEMBER_INQUIRY')"
            pattern="/requests/**" />

        <form-login default-target-url="/requests/add.html" />

    </http>

    <!-- Authenticates through the namespace LDAP provider: the user entry is
         searched under ou=webusers by uid, then the stored password attribute is
         compared (password-compare) with passwordEncoder instead of binding as
         the user. No server-ref is given, so the single <ldap-server> declared
         below is used.
         NOTE(review): password-compare needs the stored password attribute to be
         readable by the connecting account; the <ldap-server> below declares no
         manager-dn, so that read presumably happens anonymously. Confirm the
         directory allows it. -->
    <authentication-manager>

        <ldap-authentication-provider
            user-search-base="ou=webusers" user-search-filter="(uid={0})">

            <password-compare>

                <password-encoder ref="passwordEncoder">
                </password-encoder>
            </password-compare>
        </ldap-authentication-provider>
    </authentication-manager>

    <!-- Unsalted MD5 comparison of the directory password. MD5 is fast and
         unsalted and this encoder family is deprecated in later Spring Security
         releases; move to a salted/adaptive encoder when the hashes stored in
         the directory allow it. -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.Md5PasswordEncoder">
    </beans:bean>

    <!-- Explicit context source that binds as cn=Manager.
         NOTE(review): the manager password is a plaintext literal in this file.
         The dataSource below already reads ${database.*} placeholders through
         propertyConfigurer; the same mechanism should be used here so the
         directory credential is not committed with the configuration.
         NOTE(review): nothing in this file refers to contextSource except
         ldapAuthProvider, and neither is referenced by <authentication-manager>
         above (which uses <ldap-server>), so both look like leftover
         configuration. Confirm no other context file uses them. -->
    <beans:bean id="contextSource"
        class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">

        <beans:constructor-arg
            value="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />

        <beans:property name="userDn" value="cn=Manager,dc=uftwf,dc=dev" />

        <beans:property name="password" value="uftwf" />
    </beans:bean>

    <!-- Hand-wired equivalent of the namespace provider: bind as
         uid={0},ou=webusers, then load authorities from ou=groups using the
         ou attribute as the role name. Not wired into <authentication-manager>;
         see the note on contextSource. -->
    <beans:bean id="ldapAuthProvider"
        class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">

        <beans:constructor-arg>

            <beans:bean
                class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource" />
                <beans:property name="userDnPatterns">
                    <beans:list>
                        <beans:value>
                            uid={0},ou=webusers
                        </beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource" />
                <beans:constructor-arg value="ou=groups" />
                <beans:property name="groupRoleAttribute" value="ou" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>
    <!-- Directory used by <ldap-authentication-provider>. LDAPS on 636: the JVM
         truststore must trust the directory's server certificate. -->
    <ldap-server url="ldaps://dvldap01.uftwf.dev:636/dc=uftwf,dc=dev" />
    <!-- Resolves ${database.*} placeholders from jdbc.properties2 on the classpath. -->
    <beans:bean id="propertyConfigurer"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <beans:property name="location" value="classpath:jdbc.properties2" />
    </beans:bean>

    <!-- DBCP connection pool (5 initial / 10 max); credentials come from the
         placeholders above, not from this file. -->
    <beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" 
        > <beans:property name="driverClassName" value="${database.driver}" /> <beans:property 
        name="url" value="${database.url}" /> <beans:property name="username" value="${database.user}" 
        /> <beans:property name="password" value="${database.password}" /> <beans:property 
        name="initialSize" value="5" /> <beans:property name="maxActive" value="10" 
        /> </beans:bean>

    <!-- Retired dataSource alternatives (JNDI lookups) kept commented out. Do not
         uncomment as-is: it declares several beans with the same id and uses the
         mvc: prefix, which is not declared on the root element. -->
    <!-- 
        <beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" 
        > <beans:property name="driverClassName" value="${database.driver}" /> <beans:property 
        name="url" value="${database.url}" /> <beans:property name="username" value="${database.user}" 
        /> <beans:property name="password" value="${database.password}" /> <beans:property 
        name="initialSize" value="5" /> <beans:property name="maxActive" value="10" 
        /> </beans:bean> 



    <jee:jndi-lookup id="dataSourcejndi" jndi-name="dataSourcejndi"
        lookup-on-startup="false" proxy-interface="javax.sql.DataSource"
        cache="true" resource-ref="true" />



    <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean"
        lazy-init="true">
        <beans:property name="dataSource" ref="dataSourcejndi" />
    </beans:bean>




    <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
  <beans:property name="jndiName" value="java:dataSourcejndi" /> 
</beans:bean>   



    <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
        <beans:property name="jndiName" value="java:comp/env/jdbc/mi"/>
    </beans:bean>

        <mvc:annotation-driven />

-->


    <!-- <beans:bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
  <beans:property name="jndiName" value="java:dataSourcejndi" /> 
</beans:bean>   
 -->


</beans:beans>

使用CAS的XML:

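<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security 3.1 context for CAS single sign-on.

    The beans namespace is the default namespace of this file, so every
    security-namespace element (http, intercept-url, form-login,
    filter-chain-map, global-method-security, ...) must carry the sec: prefix
    declared on the root element. An unprefixed <http> is placed in the beans
    namespace, which the beans schema does not define, and the context fails
    schema validation at startup.

    NOTE(review): the bean classes below follow the Spring Security 2.0 package
    layout (org.springframework.security.ui.*, .providers.*, .vote.*,
    .securechannel.*, .util.FilterChainProxy) while the schema locations
    declared are 3.1. In 3.x these classes moved, e.g.
    org.springframework.security.web.FilterChainProxy,
    org.springframework.security.cas.web.CasAuthenticationEntryPoint,
    org.springframework.security.cas.web.CasAuthenticationFilter,
    org.springframework.security.cas.authentication.CasAuthenticationProvider,
    org.springframework.security.cas.ServiceProperties.
    With 3.1 jars on the classpath the 2.0 class names cannot be loaded;
    confirm which version is actually deployed and use one layout only.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">

    <!-- Namespace-built filter chain (registered by the namespace as
         springSecurityFilterChain). It competes with the hand-built securityFilter
         chain below: web.xml's DelegatingFilterProxy can delegate to only one
         bean name, so one of the two chains is dead and the other decides what
         actually runs. Keep one.
         NOTE(review): there is no <sec:authentication-manager> element in this
         file; in 3.1 <sec:http> needs one, or an authentication-manager-ref
         pointing at the ProviderManager bean declared below. Confirm. -->
    <sec:http auto-config="true" use-expressions="true">

        <sec:intercept-url access="hasRole('ROLE_MEMBER_INQUIRY')"
            pattern="/requests/**" />

        <sec:form-login default-target-url="/requests/add.html" />

    </sec:http>

    <!-- Hand-built filter chain. Static resources and the CAS login pages only
         pass the channel (HTTPS) filter; everything else runs the full chain in
         the order listed. Order matters: session integration must precede the
         CAS filters and the interceptor must come last. -->
    <bean id="securityFilter" class="org.springframework.security.util.FilterChainProxy">
        <sec:filter-chain-map path-type="ant">
            <sec:filter-chain pattern="/images/**" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/css/**" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/js/**" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/403.jsp" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/404.jsp" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/error.jsp" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/**/cas/changePassword.htm*" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/**/cas/login.htm*" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/**/cas/passwordExpired.htm*" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/**/*.html*" filters="channelProcessingFilter"/>
            <sec:filter-chain pattern="/**"
                              filters="channelProcessingFilter,httpSessionContextIntegrationFilter,logoutFilter,casSingleSignOutFilter,casProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
        </sec:filter-chain-map>
    </bean>

    <!-- this is what hooks up the CAS entry point: an unauthenticated request
         that hits a protected resource is sent to casProcessingFilterEntryPoint -->
    <bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <ref local="casProcessingFilterEntryPoint"/>
        </property>
    </bean>

    <!-- where do I go when I need authentication from CAS: the CAS server login
         page, with the service URL taken from serviceProperties -->
    <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <!-- defines which roles are allowed to access http resources.
         NOTE(review): ROLE_ALLOWED_ROLES_HERE is a template placeholder; as
         written every URL requires a role nobody holds, so everything is denied
         once authentication succeeds. Replace it with the real role(s). -->
    <bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                **=ROLE_ALLOWED_ROLES_HERE
            </value>
        </property>
    </bean>

    <!-- hooks up CAS ticket validator and user details loader -->
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="casAuthenticationProvider"/>
            </list>
        </property>
    </bean>

    <!-- supporting class for filterInvocationInterceptor: one granting vote is
         enough; if every voter abstains access is denied -->
    <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <ref local="roleVoter"/>
            </list>
        </property>
    </bean>

    <!-- empty rolePrefix: the voter votes on every attribute, not only on
         those starting with ROLE_ -->
    <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
        <property name="rolePrefix" value=""/>
    </bean>

    <!-- setup method level security using annotations -->
    <sec:global-method-security jsr250-annotations="enabled" secured-annotations="enabled"/>
    <!-- _authenticationManager is the internal bean name the namespace expects;
         this alias makes the explicit ProviderManager above visible to it -->
    <alias name="authenticationManager" alias="_authenticationManager"/>

    <!-- Not referenced by any bean in this file; CAS validates the credentials,
         so this encoder is presumably used elsewhere (or is leftover). -->
    <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>

    <!-- which service (application) am I authenticating: the URL CAS redirects
         back to with the service ticket. sendRenew=false accepts an existing
         CAS session instead of forcing re-entry of credentials. -->
    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/j_spring_cas_security_check"/>
        <property name="sendRenew" value="false"/>
    </bean>

    <!-- handles a logout request from the CAS server (back-channel single sign-out) -->
    <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

    <!-- performs CAS authentication: picks up the service ticket on the
         j_spring_cas_security_check callback and hands it to authenticationManager -->
    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationFailureUrl" value="/403.jsp"/>
        <property name="alwaysUseDefaultTargetUrl" value="false"/>
        <property name="defaultTargetUrl" value="/"/>
    </bean>

    <!-- Does the CAS ticket validation and user details loading.
         NOTE(review): no bean with id pickYourUserDetailsServiceImplementation
         exists in this file; unless another context file defines it, this ref
         is unresolvable and the context will not start. It must point at the
         service that loads roles for the CAS principal (e.g. an LDAP-backed
         one, since the roles used to come from LDAP).
         NOTE(review): key is a template value. It is what this provider uses to
         recognise authentication tokens it created, so give it a deployment
         specific value. -->
    <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <property name="userDetailsService" ref="pickYourUserDetailsServiceImplementation"/>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/"/>
            </bean>
        </property>
        <property name="key" value="my_password_for_this_auth_provider_only"/>
    </bean>

    <!-- Log failed authentication attempts to commons-logging -->
    <bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>

    <!-- stores/restores the security context in the HTTP session; must run
         before any filter that reads the context -->
    <bean id="httpSessionContextIntegrationFilter"
          class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>

    <!-- makes getRemoteUser()/isUserInRole() on the request reflect the security context -->
    <bean id="securityContextHolderAwareRequestFilter"
          class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>

    <!-- ===================== SSL SWITCHING ==================== -->
    <!-- Every path requires HTTPS; plain HTTP requests are redirected through
         channelDecisionManager / channelEntryPoint using the portMapper table. -->
    <bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
        <property name="channelDecisionManager" ref="channelDecisionManager"/>
        <property name="filterInvocationDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                **=REQUIRES_SECURE_CHANNEL
            </value>
        </property>
    </bean>

    <bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
        <property name="channelProcessors">
            <list>
                <bean class="org.springframework.security.securechannel.SecureChannelProcessor">
                    <property name="entryPoint" ref="channelEntryPoint"/>
                </bean>
                <bean class="org.springframework.security.securechannel.InsecureChannelProcessor">
                    <property name="entryPoint" ref="channelEntryPoint"/>
                </bean>
            </list>
        </property>
    </bean>

    <bean id="channelEntryPoint" class="org.springframework.security.securechannel.RetryWithHttpsEntryPoint">
        <property name="portMapper" ref="portMapper"/>
    </bean>

    <!-- HTTP port to HTTPS port pairs used when retrying over HTTPS -->
    <bean id="portMapper" class="org.springframework.security.util.PortMapperImpl">
        <property name="portMappings">
            <map>
                <entry key="80" value="443"/>
                <entry key="8080" value="8443"/>
                <entry key="5580" value="5543"/>
            </map>
        </property>
    </bean>

    <!-- Invoked when the user clicks logout -->
    <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
        <!-- URL redirected to after logout success -->
        <constructor-arg value="https://dvjvm11.uftwf.dev:8443/cas-server-webapp/logout"/>
        <constructor-arg>
            <list>
                <!-- NOTE(review): invalidateHttpSession=false leaves the local
                     HTTP session alive after logout; presumably the CAS
                     single sign-out callback (casSingleSignOutFilter) is relied
                     on to invalidate it. Confirm, otherwise the old session stays
                     usable until it times out. -->
                <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler">
                    <property name="invalidateHttpSession" value="false"/>
                </bean>
            </list>
        </constructor-arg>
    </bean>

    <!-- DBCP connection pool (5 initial / 10 max); credentials come from
         ${database.*} placeholders, which need a property placeholder
         configurer in scope (none is declared in this file). -->
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="driverClassName" value="${database.driver}" />
        <property name="url" value="${database.url}" />
        <property name="username" value="${database.user}" />
        <property name="password" value="${database.password}" />
        <property name="initialSize" value="5" />
        <property name="maxActive" value="10" />
    </bean>

</beans>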

有人可以告诉我为什么一切都停止工作了吗?

1 个答案:

答案 0 :(得分:0)

我不确定你为什么既使用了securityFilter又使用了http标签。我们是这样使用的:

<!-- Namespace-only setup (no hand-built FilterChainProxy): the CAS entry point
     and the CAS filters are plugged into the namespace <http> chain through
     entry-point-ref and custom-filter. [..] marks lines the answerer left out. -->
<http use-expressions="true" 
    request-matcher="ciRegex"
    auto-config="false"
    disable-url-rewriting="true"
    access-denied-page="/denied.page"
    entry-point-ref="casProcessingFilterEntryPoint">
    [..]
    <!-- ciRegex above: case-insensitive regular-expression matching, hence
         the "/.*" pattern instead of an ant-style "/**" -->
    <intercept-url
        pattern="/.*"
        access="isAuthenticated()" />
    [..]
    <!-- single sign-out must see the request before CAS authentication;
         sessionRegistryFixFilter is a project-specific filter not shown here -->
    <custom-filter ref="casSingleSignOutFilter" before="CAS_FILTER" />
    <custom-filter ref="casAuthenticationFilter" after="CAS_FILTER" />
    <custom-filter ref="sessionRegistryFixFilter" after="SESSION_MANAGEMENT_FILTER" />

    <!-- Local session is invalidated, then the browser is sent to the CAS server
         logout so the SSO session ends too.
         NOTE(review): {cas.url} looks like a placeholder; with a property
         placeholder configurer the syntax would be ${cas.url}. Confirm. -->
    <logout invalidate-session="true" 
        logout-success-url="{cas.url}/logout?service=[..]" />

</http>

并且,如果您请求的内容实际上受“isAuthenticated()”子句保护,它会将您的调用重定向到CAS服务器。

从那时起,它的工作方式就与 here(原文链接)所描述的一样。