使用 CAS 实施 SSO春季安全

发布于 2024-09-10 14:21:50 字数 2776 浏览 7 评论 0原文

我正在尝试使用 CAS 和 Spring Security 跨多个 Web 应用程序实现 SSO。预期情况:
CAS - http://localhost:8080/cas/
应用程序A受保护的内容 - http://localhost:8081/cas-client1/secure/index.html
App B 受保护的内容 - http://localhost:8081/cas-client2/secure/index.html

1) 当用户访问 cas-client1 时,会提示 CAS 登录表单并触发身份验证。
2)同一个用户访问cas-client2,应该可以识别之前的登录,并且不会提示登录表单

但是,我未能实现步骤2。CAS登录表单仍然提示给用户,因此需要双重登录。我的 Spring Security 配置中是否有任何错误的设置:

  <security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
    <security:intercept-url pattern="/secure/**" access="ROLE_USER" />
    <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
  </security:http>

  <bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="http://localhost:8080/cas/login" />
    <property name="serviceProperties" ref="serviceProperties" />
  </bean>

  <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <!-- http://localhost:8081/cas-client2 for app 2-->
    <property name="service" value="http://localhost:8081/cas-client1/j_spring_cas_security_check" />
  </bean>

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
  </security:authentication-manager>

  <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler">
      <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/casfailed.jsp" />
      </bean>
    </property>
  </bean>

  <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="userDetailsService" ref="userService" />
    <property name="serviceProperties"  ref="serviceProperties" />
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="http://localhost:8080/cas" />
      </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only" />
  </bean>

  <security:user-service id="userService">
    <security:user name="wilson" password="wilson" authorities="ROLE_USER" />
  </security:user-service>

I'm trying to implement SSO across several web applications using CAS and Spring Security. Expected case:
CAS - http:// localhost:8080/cas/
App A protected content - http: //localhost:8081/cas-client1/secure/index.html
App B protected content - http: //localhost:8081/cas-client2/secure/index.html

1) When user access cas-client1, CAS login form will be prompted and trigger authentication.
2) The same user access cas-client2, previous login should be recognized and no login form will be prompted

However, I am failed to implement step 2. CAS login form still prompted to user and therefore requires double login. Is there any wrong setting in my Spring Security configuration:

  <security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
    <security:intercept-url pattern="/secure/**" access="ROLE_USER" />
    <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
  </security:http>

  <bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="http://localhost:8080/cas/login" />
    <property name="serviceProperties" ref="serviceProperties" />
  </bean>

  <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <!-- http://localhost:8081/cas-client2 for app 2-->
    <property name="service" value="http://localhost:8081/cas-client1/j_spring_cas_security_check" />
  </bean>

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
  </security:authentication-manager>

  <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler">
      <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/casfailed.jsp" />
      </bean>
    </property>
  </bean>

  <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="userDetailsService" ref="userService" />
    <property name="serviceProperties"  ref="serviceProperties" />
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="http://localhost:8080/cas" />
      </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only" />
  </bean>

  <security:user-service id="userService">
    <security:user name="wilson" password="wilson" authorities="ROLE_USER" />
  </security:user-service>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

祁梦 2024-09-17 14:21:50

问题终于解决了。我的 CAS 使用 HTTP,因此需要将安全 cookie 设置为 false。

修改ticketGrantingTicketCookieGenerator.xml

p:cookieSecure="false"

The problem is finally solved. My CAS is using HTTP and therefore need to set secure cookies to false.

Modify ticketGrantingTicketCookieGenerator.xml

p:cookieSecure="false"
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文