CAS Client for Java 3.1
Configuring the Jasig CAS Client for Java through web.xml
CAS Client for Java 3.1/3.2 is configured through context-params and filter init-params in web.xml. Each filter needs a set of properties, and the filters look them up as follows:
first, the filter's own init-params (local init-params) are checked for a matching property name;
then the context parameters are checked for a matching property name;
if the same name is found in both the filter's init-params and the context parameters, the init-param value is used.
Likewise, the filter order is:
SingleLogOutFilter (if you’re using it)
AuthenticationFilter
TicketValidationFilter (whichever one is chosen)
HttpServletRequestWrapperFilter
AssertionThreadLocalFilter
! When using the serverName property, note that the fragment part of the URL (everything after #) is never sent to the server.
The available filters, one by one:
org.jasig.cas.client.authentication.AuthenticationFilter
AuthenticationFilter decides whether a user needs to be authenticated; if so, it redirects the user to the CAS server.
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <!-- CAS server login URL -->
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <!-- name of the server this client is deployed on -->
            <param-name>serverName</param-name>
            <param-value>http://www.acme-client.com</param-value>
        </init-param>
    </filter>
Required properties: casServerLoginUrl and serverName, the two set in the snippet above (a service property may be used in place of serverName).
Optional properties:
renew, gateway, artifactParameterName, serviceParameterName.
org.jasig.cas.client.authentication.Saml11AuthenticationFilter
Presumably the authentication filter that supports SAML 1.1.
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!-- the SAML 1.1 variant of the authentication filter -->
        <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://www.acme-client.com</param-value>
        </init-param>
    </filter>
org.jasig.cas.client.validation.Saml11TicketValidationFilter
Validates tickets using the SAML 1.1 protocol.
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://www.acme-client.com</param-value>
        </init-param>
    </filter>
Required properties: casServerUrlPrefix and serverName, as in the snippet above.
Optional Properties
redirectAfterValidation (default: true)
useSession (default: true)
exceptionOnValidationFailure (default: true)
tolerance (default: 1000 mSec)
renew (default: false)
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
Wraps an HttpServletRequest so that the getRemoteUser and getPrincipal return the CAS related entries.
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
Required Properties
None
Optional Properties
None
org.jasig.cas.client.util.AssertionThreadLocalFilter
Places the Assertion in a ThreadLocal for portions of the application that need access to it. This is useful when the Web application that this filter “fronts” needs to get the Principal name, but it has no access to the HttpServletRequest, hence making getRemoteUser() call impossible.
! I have not really understood what this means; my guess is that the CAS client application wants to get the name of the logged-in user, but the user name is stored on the CAS server. What this filter does is put the Principal into a ThreadLocal variable.
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>
e.g. a somewhat more complete web.xml for CAS Client for Java (CAS protocol, not SAML 1.1)
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
        version="2.4">
        <display-name>CAS client demo : application</display-name>
        <filter>
            <!-- configure the AuthenticationFilter -->
            <filter-name>CAS Authentication Filter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
            <init-param>
                <!-- property: login page -->
                <param-name>casServerLoginUrl</param-name>
                <param-value>http://localhost:8080/cas/login</param-value>
            </init-param>
            <init-param>
                <!-- property: address of the server this client is deployed on -->
                <param-name>serverName</param-name>
                <param-value>http://localhost:8080</param-value>
            </init-param>
            <!-- init-param>
                <param-name>service</param-name>
                <param-value>http://localhost:8080/default.jsp</param-value>
            </init-param-->
        </filter>
        <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
            <init-param>
                <param-name>casServerUrlPrefix</param-name>
                <param-value>http://localhost:8080/cas</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://localhost:8080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Authentication Filter</filter-name>
            <url-pattern>/protected/*</url-pattern>
        </filter-mapping>
        <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <!-- a servlet url-pattern must start with "/" (or "*."); a bare "*" is not valid -->
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    </web-app>
e.g. using SAML 1.1
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
        version="2.4">
        <display-name>CAS client demo : application</display-name>
        <filter>
            <filter-name>CAS Authentication Filter</filter-name>
            <filter-class>org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
            <init-param>
                <param-name>casServerLoginUrl</param-name>
                <param-value>http://localhost:8080/cas/login</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://localhost:8080</param-value>
            </init-param>
            <init-param>
                <param-name>onlyFullyAuthenticated</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>
        <filter>
            <filter-name>CAS Validation Filter</filter-name>
            <filter-class>org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
            <init-param>
                <param-name>casServerUrlPrefix</param-name>
                <param-value>http://localhost:8080/cas</param-value>
            </init-param>
            <init-param>
                <param-name>serverName</param-name>
                <param-value>http://localhost:8080</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>CAS Authentication Filter</filter-name>
            <url-pattern>/protected/*</url-pattern>
        </filter-mapping>
        <filter-mapping>
            <filter-name>CAS Validation Filter</filter-name>
            <!-- a servlet url-pattern must start with "/" (or "*."); a bare "*" is not valid -->
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    </web-app>
Configuring Single Sign Out
! SingleSignOutFilter affects the character encoding. It is advisable to configure the VT Character Encoding Filter or the Spring Character Encoding Filter explicitly.
CAS's Single Sign Out support involves configuring one filter and one ContextListener. One point to note: when the CAS Client for Java is configured as web filters, the logout filter must come before the other filters.
PS: "Order of Required Filters" (link to the full text)
Order of Required Filters
How to configure the filters is described on the pages above. This section details the order in which the filters should appear:
SingleLogOutFilter (if you’re using it)
AuthenticationFilter
TicketValidationFilter (whichever one is chosen)
HttpServletRequestWrapperFilter
AssertionThreadLocalFilter
    <!-- the session listener that backs single sign-out; it must be declared inside a <listener> element -->
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
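The page's own examples set every property as a filter init-param and never show single sign-out wired up end to end. The following web.xml is an added example, not code from the page or from the Jasig project: it ties together the property lookup order described at the top of the page (shared values as context-params, which any filter could still override with a local init-param of the same name), the single sign-out filter and listener from this section, and the full filter order listed just above. The hostnames are placeholders; the class names are the ones the page uses, plus org.jasig.cas.client.session.SingleSignOutFilter from the same package as the listener.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not part of the page or of the Jasig project).
     Hostnames app.example.com and cas.example.com are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <display-name>CAS client demo : application</display-name>

  <!-- Shared properties. Every CAS filter falls back to these when it has no
       init-param of the same name; a filter-local init-param would take precedence.
       All URLs use https so tickets and the session cookie never cross the network
       in clear text. -->
  <context-param>
    <param-name>serverName</param-name>
    <param-value>https://app.example.com</param-value>
  </context-param>
  <context-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.example.com/cas/login</param-value>
  </context-param>
  <context-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.com/cas</param-value>
  </context-param>

  <!-- 1. Single sign-out: the filter records which HTTP session belongs to which
       ticket so a logout request from the CAS server can invalidate it; the
       listener drops the entry when the session expires on its own. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <!-- 2. Redirects unauthenticated users to casServerLoginUrl. -->
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  </filter>
  <!-- 3. Validates the returned ticket against casServerUrlPrefix. Failing closed
       (exceptionOnValidationFailure=true, which is also the default) means a bad
       ticket produces an error instead of letting the request continue. -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
    <init-param>
      <param-name>exceptionOnValidationFailure</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <!-- 4. Makes getRemoteUser()/getUserPrincipal() return the CAS principal. -->
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <!-- 5. Exposes the Assertion to code that has no HttpServletRequest in scope. -->
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <!-- The container builds the chain in filter-mapping order, so it is these
       mappings, not the <filter> declarations, that fix the order above. -->
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
</web-app>
```

Two things worth checking after deploying a file like this: the container log should show no warning about an invalid url-pattern (a bare `*` triggers one), and a request to a protected URL without a session should produce a redirect to casServerLoginUrl whose service parameter starts with the serverName value, which confirms the context-param was picked up. Once the AssertionThreadLocalFilter is in the chain, code that runs behind it but has no request object (a service class, for example) can read the authenticated user with org.jasig.cas.client.util.AssertionHolder.getAssertion().getPrincipal().getName(), which is what the page's note about the ThreadLocal is getting at.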