我正在尝试使用Spring Security为我的Web应用程序设置CAS身份验证。我已按照文档操作并设法将XML配置示例转换为Java配置。但是,我不确定我是否正确地做了所有事情并且考虑到安全性的敏感性,我希望有人确认没有错误。
例如,我如何确定不再有默认配置(例如URL上的自由权限,不同的身份验证管理器和/或提供程序等等)?
我检索当前AuthenticationManager的方式是否正确?
像我做的那样正确配置EntryPoint吗?
我发现了解如何使用WebSecurityConfigurerAdapter相当令人困惑......
这是我的@Cofiguration课程:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Bean(name="authenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
// TODO Auto-generated method stub
return super.authenticationManagerBean();
}
@Bean
public ServiceProperties serviceProperties() {
final ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService("http://localhost:8088/webapp/login/cas");
return serviceProperties;
}
@Bean
public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService() {
return new MyCasAssertionUserDetailsService();
}
@Autowired
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
super.configure(auth);
final CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setTicketValidator(new Cas20ProxyTicketValidator("https://my.cas.server.com/cas"));
casAuthenticationProvider.setKey("MY-KEY");
auth.authenticationProvider(casAuthenticationProvider);
}
@Bean
public CasAuthenticationEntryPoint casEntryPoint() {
final CasAuthenticationEntryPoint casEntryPoint = new CasAuthenticationEntryPoint();
casEntryPoint.setServiceProperties(serviceProperties());
casEntryPoint.setLoginUrl("https://my.cas.server.com/cas/activateAndLogin");
return casEntryPoint;
}
// filter to invoke the CAS server when the user click on "Logout from CAS" in the local logout success page
@Bean
public LogoutFilter requestSSOLogoutToCASServerLogoutFilter() {
final LogoutFilter logoutFilter = new LogoutFilter("https://my.cas.server.com/cas/logout", new SecurityContextLogoutHandler());
logoutFilter.setFilterProcessesUrl("/logout/cas");
return logoutFilter;
}
// filter that receives the request to logout from the CAS server
@Bean
public SingleSignOutFilter singleSignOutFilter() {
return new org.jasig.cas.client.session.SingleSignOutFilter();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
final CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
http
.exceptionHandling().authenticationEntryPoint(casEntryPoint())
.and()
.logout()
.logoutSuccessUrl("/cas-logout") // which page to redirect the User after the local log-out succeeded
.permitAll() // all users can logout
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilter(casAuthenticationFilter)
.addFilterBefore(requestSSOLogoutToCASServerLogoutFilter(), LogoutFilter.class)
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
;
}
}