CAS3.5.2 Server登录后返回用户信息详细解决方案

最新推荐文章于 2025-07-02 17:39:30 发布

转载最新推荐文章于 2025-07-02 17:39:30 发布 · 5.2k 阅读

标签

#cas #cas返回用户信息 #cas返回用户属性

javaEE 同时被 3 个专栏收录

27 篇文章

订阅专栏

spring

21 篇文章

订阅专栏

统一认证系统

16 篇文章

订阅专栏

本文介绍如何在CAS中配置自定义返回用户信息，并详细解释了CASServer和CASClient的具体实现步骤。

转载自：http://blog.yoodb.com/yoodb/article/detail/1223

单点登录（Single Sign-On, 简称SSO）是目前比较流行的服务于企业业务整合的解决方案之一，SSO使得在多个应用系统中，用户只需要登录一次就可以访问所有相互信任的应用系统。大家在使用时CAS Server验证成功后会立即跳转到客户端，CAS Server默认只返回账号uid给客户端，如何定义CAS server返回信息到CAS Client客户端（CAS server返回更多用户信息）呢？下面本站素文宅www.yoodb.com本篇文章具体讲解一下怎么实现，仅供大家参考学习。

1、相关接口

首先了解一下相关的几个接口

• Credentials

• Principal

• IPersonAttributeDao

• CredentialsToPrincipalResolver

1）org.jasig.cas.authentication.principal.Credentials接口，在工程中UsernamePasswordCredential 的类就是实现了Credentials接口。这个接口是用来定义我们在登录时输入的认证信息，比如用户名、密码、验证码等，可以理解为用户认证的相关凭据。

2）org.jasig.cas.authentication.principal.Principal接口，主要是用来保存用户认证后的用户信息，信息保存在一个Map集合中。

3）org.jasig.services.persondir.IPersonAttributeDao接口，是用来定义我们需要返回给客户端相关信息的接口，CAS Server默认有提供许多实现，比如

• SingleRowJdbcPersonAttributeDao ： JDBC SQL查询返回信息

• LdapPersonAttributeDao ：查询 LDAP 目录返回信息

• StubPersonAttributeDao ：自定义属性返回信息

等参考源码中的实现，CAS Server提供了各种功能的实现

4）org.jasig.cas.authentication.principal. CredentialsToPrincipalResolver接口，主要是用来把Credentials里面的信息转换到 Principal中，在这接口中有两个方法，具体如下：

Principal resolvePrincipal(Credentials credentials);// 解析Credentials中的信息，返回 Principal 接口

boolean supports(Credentials credentials); //判断Credentials 是否支持 Principal 协议

注意：在3.x版本是CredentialsToPrincipalResolver接口，4.x版本是PrincipalResolver接口

2、CAS Server流程

打开 deployerConfigContext.xml 文件，CAS Server3.5.2版本默认配置了org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver类，它注入一个 attributeRepository 属性，实现IPersonAttributeDao 接口调用getPerson方法，传入principalId参数，也就是调用Credentials 接口的getId() 方法，配置文件详情具体如下：

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed to Jasig under one or more contributor
 license
    agreements. See the NOTICE file distributed
 with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache
 License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may
 obtain a
    copy of the License at the following location:
      http://www.apache.org/licenses/LICENSE-2.0
    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
-->
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration
 that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up
 a CAS deployment. 
| The beans declared in this file are
 instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml.  It finds this file because
 this
| file is among those declared in the
 context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is
 to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
       http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- ldap 数据源 -->
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="pooled" value="false" />
<property name="urls">
<list>
 <value>ldap://127.0.0.1:1389</value>
</list>
</property>
<property name="userDn" value="cn=Directory Manager" />
<property name="password" value="123456" />
<property name="baseEnvironmentProperties">
<map>
<entry>
<key>
<value>java.naming.security.authentication</value>
</key>
<value>simple</value>
<!--<value>none</value> -->
</entry>
</map>
</property>
</bean>
<!--
| This bean declares our AuthenticationManager.  The CentralAuthenticationService service bean
| declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
| "authenticationManager".  Most deployers will be able to use the default AuthenticationManager
| implementation and so do not need to change the class of this bean.  We include the whole
| AuthenticationManager here in the userConfigContext.xml so that you can see the things you
 will
| need to change in context.
+-->
<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
     This switch effectively will turn on clearpass.
<property name="authenticationMetaDataPopulators">
   <list>
      <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
         <constructor-arg index="0" ref="credentialsCache" />
      </bean>
   </list>
</property>
 -->
<!--
| This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
| The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
| supports the presented credentials.
|
| AuthenticationManagerImpl uses these resolvers for two purposes.  First, it uses them to
 identify the Principal
| attempting to authenticate to CAS /login .  In the default configuration, it is the DefaultCredentialsToPrincipalResolver
| that fills this role.  If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace
| DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are
| using.
|
| Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
| In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
| You will need to change this list if you are identifying services by something more or
 other than their callback URL.
+-->
<property name="credentialsToPrincipalResolvers">
<list>
<!--
| UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
| by default and produces SimplePrincipal instances conveying the username from the credentials.
|
| If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you
 will also
| need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver
 that supports the
| Credentials you are using.
+-->
<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
<property name="attributeRepository" ref="attributeRepository" />
</bean>
<!--
| HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials.  It supports the CAS 2.0 approach of
| authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
| SimpleService identified by that callback URL.
|
| If you are representing services by something more or other than an HTTPS URL whereat
 they are able to
| receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
+-->
<bean
class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
</list>
</property>
<!--
| Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
| AuthenticationHandlers actually authenticate credentials.  Here we declare the AuthenticationHandlers
 that
| authenticate the Principals that the CredentialsToPrincipalResolvers identified.  CAS will try these handlers in turn
| until it finds one that both supports the Credentials presented and succeeds in authenticating.
+-->
<property name="authenticationHandlers">
<list>
<!--
| This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
| a server side SSL certificate.
+-->
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<!--
| This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
| into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
| where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
| local authentication strategy.  You might accomplish this by coding a new such handler
 and declaring
| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the
 adaptors modules.
+-->
<!-- <bean
class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
 -->
<!-- ldap认证 -->
   <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="uid=%u" />
<property name="searchBase" value="ou=users,dc=CMP"/>
<property name="contextSource" ref="contextSource" />
<!-- <property name="requireAllQueryAttributes" value="true" />
 -->
</bean>  
</list>
</property>
</bean>
<!--
This bean defines the security roles for the Services Management application.  Simple deployments
 can use the in-memory version.
More robust deployments will want to use another option, such as the Jdbc version.
The name of this should remain "userDetailsService" in order for Spring
 Security to find it.
 -->
    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />-->
    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>
<!--
Bean that defines the attributes that a service may return.  This example uses the Stub/Mock version. 
 A real implementation
may go against a database or LDAP server.  The id should remain "attributeRepository" though.
<bean id="attributeRepository"
class="org.jasig.services.persondir.support.StubPersonAttributeDao">
 -->
  
<bean id="attributeRepository"
class="org.jasig.cas.util.ShiroStubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="username" value="username"/>
<entry key="password" value="password"/>
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>
<!--
Sample, in-memory data store for the
 ServiceRegistry. A real implementation
would probably want to replace this with the JPA-backed ServiceRegistry DAO
The name of this bean should remain "serviceRegistryDao".
 -->
<bean
id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
            <property name="registeredServices">
                <list>
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <property name="id" value="0" />
                        <property name="name" value="HTTP
 and IMAP" />
                        <property name="description" value="Allows
 HTTP(S) and IMAP(S) protocols" />
                        <property name="serviceId" value="^(https?|imaps?)://.*" />
                        <property name="evaluationOrder" value="10000001" />
                        <property name="ignoreAttributes" value="true"/>
                    </bean>
                    <!--
                    Use the following definition instead of the above to further restrict access
                    to services within your domain (including subdomains).
                    Note that example.com must be replaced with the domain you wish to permit.
                    -->
                    <!--
                    <bean class="org.jasig.cas.services.RegexRegisteredService">
                        <property name="id" value="1" />
                        <property name="name" value="HTTP
 and IMAP on example.com" />
                        <property name="description" value="Allows
 HTTP(S) and IMAP(S) protocols on example.com" />
                        <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
                        <property name="evaluationOrder" value="0" />
                    </bean>
                    -->
                </list>
            </property>
        </bean>
  <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
   
  <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor">
    <property name="monitors">
      <list>
        <bean class="org.jasig.cas.monitor.MemoryMonitor"
            p:freeMemoryWarnThreshold="10" />
        <!--
          NOTE
          The following ticket registries support SessionMonitor:
            * DefaultTicketRegistry
            * JpaTicketRegistry
          Remove this monitor if you use an unsupported
 registry.
        -->
        <bean class="org.jasig.cas.monitor.SessionMonitor"
            p:ticketRegistry-ref="ticketRegistry"
            p:serviceTicketCountWarnThreshold="5000"
            p:sessionCountWarnThreshold="100000" />
      </list>
    </property>
  </bean>
</beans>

新增以及修改内容，具体如下：

<bean id="attributeRepository"
class="org.jasig.cas.util.ShiroStubPersonAttributeDao">
<property name="backingMap">
<map>
<entry key="uid" value="uid" />
<entry key="username" value="username"/>
<entry key="password" value="password"/>
<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
<entry key="groupMembership" value="groupMembership" />
</map>
</property>
</bean>

调试源码会发现org.jasig.cas.CentralAuthenticationServiceImpl.java类中有判断是否允许客户端获取数据信息，代码如下：

if (!registeredService.isIgnoreAttributes()) {
                final Map<String, Object> attributes = new HashMap<String, Object>();
                for (final String attribute : registeredService.getAllowedAttributes()) {
                    final Object value = principal.getAttributes().get(attribute);
                    if (value != null) {
                        attributes.put(attribute, value);
                    }
                }

下面配置将ignoreAttributes属性值设置为true，允许客户端获取数据，具体配置如下：

1	`<property name="ignoreAttributes"` `value="true"/>`

重写org.jasig.services.persondir.support.StubPersonAttributeDao类中getPerson方法，实现多用户信息具体代码如下：

package org.jasig.cas.util;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jasig.services.persondir.IPersonAttributes;
import org.jasig.services.persondir.support.AttributeNamedPersonImpl;
import org.jasig.services.persondir.support.StubPersonAttributeDao;
public class ShiroStubPersonAttributeDao  extends StubPersonAttributeDao{
@Override
    public IPersonAttributes getPerson(String uid) {
         
        Map<String, List<Object>> attributes = new HashMap<String,
 List<Object>>();
        attributes.put("uid", Collections.singletonList((Object)uid));
        attributes.put("username", Collections.singletonList((Object)"www.yoodb.com"));
        attributes.put("password", Collections.singletonList((Object)"123456"));
        return new AttributeNamedPersonImpl(attributes);
    }
}

修改cas-server-webapp工程中路径/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp文件内容，具体如下：

<%--
    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache
 License,
    Version 2.0 (the "License");
 you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:
      http://www.apache.org/licenses/LICENSE-2.0
    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
  
--%>
<%@ page session="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>${fn:escapeXml(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.id)}</cas:user>
<!--pros Begin-->
<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)
 > 0}">
         <cas:attributes>
             <c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
                 <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
             </c:forEach>
         </cas:attributes>
     </c:if>
<!--pros End-->
<c:if test="${not empty pgtIou}">
<cas:proxyGrantingTicket>${pgtIou}</cas:proxyGrantingTicket>
</c:if>
<c:if test="${fn:length(assertion.chainedAuthentications)
 > 1}">
<cas:proxies>
<c:forEach var="proxy" items="${assertion.chainedAuthentications}" varStatus="loopStatus" begin="0" end="${fn:length(assertion.chainedAuthentications)-2}"
step="1">
<cas:proxy>${fn:escapeXml(proxy.principal.id)}</cas:proxy>
</c:forEach>
</cas:proxies>
</c:if>
</cas:authenticationSuccess>
</cas:serviceResponse>

新增内容，具体如下：

<c:if test="${fn:length(assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes)
 > 0}">
         <cas:attributes>
             <c:forEach var="attr" items="${assertion.chainedAuthentications[fn:length(assertion.chainedAuthentications)-1].principal.attributes}">
                 <cas:${fn:escapeXml(attr.key)}>${fn:escapeXml(attr.value)}</cas:${fn:escapeXml(attr.key)}>
             </c:forEach>
         </cas:attributes>
     </c:if>

3、CAS Client流程

在CAS Client设置信息接收，java可以通过下面的方式获取，代码如下：

AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
Map attributes = principal.getAttributes();
String uid = attributes .get("uid");

CAS Client如果集成了shiro权限控制，由于cas client将casFilter交给了shiroFilter来控制，接受数据信息代码如下：

Subject subject = SecurityUtils.getSubject();
List list = subject.getPrincipals().asList();
String name = (String) list.get(0);//账号
Map<String, Object> info = (Map<String, Object>)list.get(1);//Json串
String uid = (String) info.get("uid");