#SpringBoot #Vue #CAS #单点登录 #前后端分离

# 前言

因为组里来了新的前端,所以新开的项目就都准备用前后端分离的方式来做,原本还挺爽的,只用写自己接口就完事了,但是到了对接甲方 CAS 的时候就出了问题。

# CAS 认证流程

官网给出的认证流程如下,

TGC,TGT,ST 之类的概念就不说了,网上一搜一大堆,简单来说就是访问网站后没登陆就跳到 cas 认证中心,登录完会在浏览器存一个 cookie 叫 TGC(用来标识你登陆过了,以及后续获取 ticket),跳转到你的服务上,并且 url 后面会携带一个 ticket,也就是 ST,client 接收到这次请求后(一般是通过 filter 拦截地址,而地址默认是 /cas/login,当然也可以自己设置),会把 ticket 发送给 cas server 去验证,验证通过后返回 xml 结构的用户信息。

# 后端流程

前后端分离对接 CAS 的流程一般是前端负责跳转登录页面,并且接收登录之后返回的 ticket,将其传给后端,后端在接收到 ticket 之后进行验证,验证成功后返回给前端一个标识,用来判断接下来的请求是否已经认证。
后端认证的话有两种方式,一种是通过 cas-client-core 或者 Spring Security 进行配置,配置完之后只需要给前端 /login 接口和 /logout 接口即可,当然这个地址也可以用过 setFilterProcessesUrl 来自定义。
另一种方式自己写一个接口,直接请求 CAS Server 的验证票据接口,认证成功后返回给前端一个 token,证明已经认证成功。

# 一、Spring Security 代码实现

# 1. Spring Security 配置

@Configuration  
@EnableWebSecurity  
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)  
public class CasSecurityConfig extends WebSecurityConfigurerAdapter {  
    @Value("${cas.server-host-url}")  
    private String serverHostUrl;  
    @Value("${cas.server-host-login-url}")  
    private String serverHostLoginUrl;  
    @Value("${cas.client-host-url}")  
    private String clientHostUrl;  
    @Autowired  
    private CustomUserDetailsService customUserDetailsService;  
    @Autowired  
    private CustomAuthenticationEntryPoint unAuthenticationEntrypoint;  
    @Autowired  
    private LogoutSuccessHandlerImpl logoutSuccessHandler;  
    @Autowired  
    private CasAuthenticationSuccessHandler casAuthenticationSuccessHandler;  
    @Autowired  
    private JwtAuthenticationTokenFilter authenticationTokenFilter;  
  
  
    @Override  
    protected void configure(HttpSecurity httpSecurity) throws Exception {  
        httpSecurity  
                .cors().disable()  
                .csrf().disable()  
                // 过滤请求  
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()  
                .authorizeRequests()  
                .antMatchers(  
                        HttpMethod.GET,  
                        "/*.html",  
                        "/**/*.js",  
                        "/profile/**",  
                        "/error",  
                        "/api/**",  
                        "/**/*.css",  
                        "/**/*.png",  
                        "/**/*.jpg",  
                        "/**/*.jpeg",  
                        "/**/*.gif",  
                        "/**/*.ico",  
                        "/font/**"  
                ).permitAll()  
                .antMatchers("/swagger-ui.html").anonymous()  
                .antMatchers("/swagger-resources/**").anonymous()  
                .antMatchers("/*/api-docs").anonymous()  
                .antMatchers("/druid/**").anonymous()  
                // 除上面外的所有请求全部需要鉴权认证  
                .anyRequest().authenticated()  
                .and()  
                .headers().frameOptions().disable();  
        httpSecurity.exceptionHandling()  
                .authenticationEntryPoint(unAuthenticationEntrypoint).and()  
                .addFilterAt(casAuthenticationFilter(), CasAuthenticationFilter.class)  
                .addFilterBefore(authenticationTokenFilter, CasAuthenticationFilter.class)  
                .addFilterBefore(logoutFilter(), LogoutFilter.class)  
                .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);  
    }  
  
    @Override  
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {  
        super.configure(auth);  
        auth.authenticationProvider(casAuthenticationProvider());  
    }  
  
    @Bean  
    public CasAuthenticationEntryPoint authenticationEntryPoint() {  
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();  
        casAuthenticationEntryPoint.setLoginUrl(serverHostLoginUrl);  
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());  
        return casAuthenticationEntryPoint;  
    }  
  
    @Bean  
    @Override    public AuthenticationManager authenticationManagerBean() throws Exception {  
        return super.authenticationManagerBean();  
    }  
  
    @Bean  
    public ServiceProperties serviceProperties() {  
        ServiceProperties serviceProperties = new ServiceProperties();  
        serviceProperties.setService(clientHostUrl + "/login");  
        serviceProperties.setAuthenticateAllArtifacts(true);  
        return serviceProperties;  
    }  
  
    @Bean  
    public TicketValidator ticketValidator() {  
        return new Cas20ProxyTicketValidator(serverHostUrl);  
    }  
  
    @Bean  
    public CasAuthenticationProvider casAuthenticationProvider() {  
        CasAuthenticationProvider provider = new CasAuthenticationProvider();  
        provider.setServiceProperties(this.serviceProperties());  
        provider.setTicketValidator(this.ticketValidator());  
        provider.setAuthenticationUserDetailsService(customUserDetailsService);  
        provider.setKey("CAS_PROVIDER_KEY");  
        return provider;  
    }  
  
    @Bean  
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {  
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();  
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());  
        casAuthenticationFilter.setFilterProcessesUrl("/login");  
        casAuthenticationFilter.setAuthenticationSuccessHandler(casAuthenticationSuccessHandler);  
        return casAuthenticationFilter;  
    }  
  
  
    @Bean  
    public SecurityContextLogoutHandler securityContextLogoutHandler() {  
        return new SecurityContextLogoutHandler();  
    }  
  
    @Bean  
    public LogoutFilter logoutFilter() {  
        LogoutFilter logoutFilter = new LogoutFilter(logoutSuccessHandler,  
                securityContextLogoutHandler());  
        logoutFilter.setFilterProcessesUrl("/logout");  
        return logoutFilter;  
    }  
  
    @Bean  
    public SingleSignOutFilter singleSignOutFilter() {  
        SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();  
        singleSignOutFilter.setIgnoreInitConfiguration(true);  
        return singleSignOutFilter;  
    }  
  
}

# 2. 修改登录跳转

因为项目是前后端分离的方式,肯定是不会出现用户自行访问后端接口地址,然后跳转登录页面的情况,所以就需要修改 authenticationEntryPoint,使其返回一个登录地址,让前端去跳转。

@Component  
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {  
  
    // 配置文件中的 CAS 服务器地址  
    @Value("${cas.server-host-login-url}")  
    private String serverHostLoginUrl;  
  
    // 配置文件中的本应用前端地址  
    @Value("${cas.client-host-url}")  
    private String clientHostUrl;  
  
    /**  
     * 处理未登录或登录超时的逻辑,因为项目前后端分离,此处直接返回一串地址,跳转至 CAS 端进行登录,   
     */  
    @Override  
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {  
        // 构造未登录情况需要跳转的 login 页面 url  
        // 登录地址(指定的一个后台 controller 接口)  
        String encodeUrl = URLEncoder.encode(clientHostUrl + "/login", "utf-8");  
        // CAS 认证中心页面地址,参数 service 带上登录地址,登录成功后会带上 ticket 跳转回 service 指定的地址  
        String redirectUrl = serverHostLoginUrl + "?service=" + encodeUrl;  
        response.setStatus(HttpServletResponse.SC_OK);  
        response.setHeader("content-type", "application/json;charset=UTF-8");  
        response.setCharacterEncoding("UTF-8");  
        PrintWriter out = response.getWriter();  
        // 返回与前端约定的格式,前端能获取到 redirectUrl 跳转即可  
        Result<String> unauthorized = Result.unauthorized(redirectUrl);  
        out.write(JSON.toJSONString(unauthorized));  
    }  
  
}

前端设置了全局拦截器后,这样不管请求什么接口,一旦状态码为 401,就会自动跳转到登录地址。

# 3. 实现基于 Jwt 认证

@Component  
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {  
    @Autowired  
    private TokenService tokenService;  
  
    @Override  
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)  
            throws ServletException, IOException {  
        CasUserInfo casUserInfo = tokenService.getCasUser(request);  
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();  
        if (ObjectUtils.isNotEmpty(casUserInfo) && ObjectUtils.isEmpty(authentication)) {  
            tokenService.verifyToken(casUserInfo);  
            UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(casUserInfo, null, casUserInfo.getAuthorities());  
            authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));  
            SecurityContextHolder.getContext().setAuthentication(authenticationToken);  
        }  
        chain.doFilter(request, response);  
    }  
}

# 3. 登录成功处理

这一步是为了修改原本的成功跳转,改为生成 JWT token,并存储在 cookie 中。

@Service  
public class CasAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {  
   private RequestCache requestCache = new HttpSessionRequestCache();  
  
   @Autowired  
   private TokenService tokenService;  
   @Value("${cas.web-url}")  
   private String webUrl;  
  
   /**  
    * 令牌有效期(默认 30 分钟)  
    */  
   @Value("${token.expireTime}")  
   private int expireTime;  
  
   @Override  
   public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,  
                              Authentication authentication) throws ServletException, IOException {  
      String targetUrlParameter = getTargetUrlParameter();  
      if (isAlwaysUseDefaultTargetUrl()  
            || (targetUrlParameter != null && StringUtils.hasText(request.getParameter(targetUrlParameter)))) {  
         requestCache.removeRequest(request, response);  
         super.onAuthenticationSuccess(request, response, authentication);  
         return;      }  
      clearAuthenticationAttributes(request);  
      CasUserInfo userDetails = (CasUserInfo) authentication.getPrincipal();  
      String token = tokenService.createToken(userDetails);  
      // 往 Cookie 中设置 token  
      Cookie casCookie = new Cookie(Constants.TOKEN, token);  
      casCookie.setMaxAge(expireTime * 60);  
      casCookie.setPath("/");  
      response.addCookie(casCookie);  
      response.setContentType("application/json;charset=utf-8");  
      PrintWriter writer = response.getWriter();  
      writer.write(JSONObject.toJSONString(Result.success("登录成功",null)));  
      // 登录成功后跳转到前端登录页面  
//    getRedirectStrategy().sendRedirect(request, response, webUrl);  
   }  
}

# 4. 单点登出

刚开始对接的时候,不知道是前端使用了异步请求导致后端无法正常重定向,还是本身就不好实现,登出跳转总是出问题,所以干脆改成返回 json,再由前端跳转,和登录的步骤基本一致

@Configuration  
public class LogoutSuccessHandlerImpl implements LogoutSuccessHandler {  
    @Autowired  
    private TokenService tokenService;  
    @Value("${cas.server-host-url}")  
    private String casServerHostUrl;  
    @Value("${cas.client-host-url}")  
    private String casClientHostUrl;  
  
    /**  
     * 退出处理  
     *  
     * @return  
     */  
    @Override  
    @SneakyThrows    
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {  
        CasUserInfo casUserInfo=tokenService.getCasUser(request);  
        if (ObjectUtils.isNotEmpty(casUserInfo)) {  
            // 删除用户缓存记录  
            tokenService.delLoginUser(casUserInfo.getToken());  
        }  
        String url = casServerHostUrl + "/logout?service=" + casClientHostUrl;  
        JSONObject jsonObject = new JSONObject();  
        jsonObject.put("logoutUrl", url);  
        ServletUtils.renderString(response, JSON.toJSONString(Result.success("退出成功",jsonObject)));  
//        response.sendRedirect(this.casServerHostUrl + "/logout?service=" + this.casClientHostUrl);  
    }  
}

# 5. 前端工作

前端需要做的是,根据后端返回的 json 跳转到登录页面,还有将登录成功后得到的 ticket 传给后端,以及从 cookie 里拿 token 并放在 header 里面。

# 二、serviceValidate 配置

这种方式就是直接去请求 CAS Server 提供的一个票据验证的接口,后端这边没啥要做的,就是请求接口,解析返回的 xml 数据,并且给前端一个 token 即可。这边直接拿 JeecgBoot 里面的代码看一下。

@Slf4j  
@RestController  
@RequestMapping("/sys/cas/client")  
public class CasClientController {  
  
   @Autowired  
   private ISysUserService sysUserService;  
   @Autowired  
    private ISysDepartService sysDepartService;  
   @Autowired  
    private RedisUtil redisUtil;  
  
   @Value("${cas.prefixUrl}")  
    private String prefixUrl;  
  
  
   @GetMapping("/validateLogin")  
   public Object validateLogin(@RequestParam(name="ticket") String ticket,  
                        @RequestParam(name="service") String service,  
                        HttpServletRequest request,  
                        HttpServletResponse response) throws Exception {  
      Result<JSONObject> result = new Result<>();  
      log.info("Rest api login.");  
      try {  
         String validateUrl = prefixUrl+"/p3/serviceValidate";  
         String res = CasServiceUtil.getStValidate(validateUrl, ticket, service);  
         log.info("res."+res);  
         final String error = XmlUtils.getTextForElement(res, "authenticationFailure");  
         if(StringUtils.isNotEmpty(error)) {  
            throw new Exception(error);  
         }  
         final String principal = XmlUtils.getTextForElement(res, "user");  
         if (StringUtils.isEmpty(principal)) {  
               throw new Exception("No principal was found in the response from the CAS server.");  
           }  
         log.info("-------token----username---"+principal);  
          //1. 校验用户是否有效  
         SysUser sysUser = sysUserService.getUserByName(principal);  
         result = sysUserService.checkUserIsEffective(sysUser);  
         if(!result.isSuccess()) {  
            return result;  
         }  
         String token = JwtUtil.sign(sysUser.getUsername(), sysUser.getPassword());  
         // 设置超时时间  
         redisUtil.set(CommonConstant.PREFIX_USER_TOKEN + token, token);  
         redisUtil.expire(CommonConstant.PREFIX_USER_TOKEN + token, JwtUtil.EXPIRE_TIME*2 / 1000);  
  
         // 获取用户部门信息  
         JSONObject obj = new JSONObject();  
         List<SysDepart> departs = sysDepartService.queryUserDeparts(sysUser.getId());  
         obj.put("departs", departs);  
         if (departs == null || departs.size() == 0) {  
            obj.put("multi_depart", 0);  
         } else if (departs.size() == 1) {  
            sysUserService.updateUserDepart(principal, departs.get(0).getOrgCode());  
            obj.put("multi_depart", 1);  
         } else {  
            obj.put("multi_depart", 2);  
         }  
         obj.put("token", token);  
         obj.put("userInfo", sysUser);  
         result.setResult(obj);  
         result.success("登录成功");  
  
      } catch (Exception e) {  
         //e.printStackTrace();  
         result.error500(e.getMessage());  
      }  
      return new HttpEntity<>(result);  
   }  
  
  
}

需要注意的一点是,不同协议的票据验证地址是不一样的,比如 CAS3.0 的是 /p3/serviceValiate,CAS2.0 的则没有前面的 p3,而 1.0 的地址则是 /validate,并且接收的参数和返回的结构也有一些差别。

更新于