shiro集成spring使用cas单点登录配置

（一）shiro单点登录

配置的主要目的在于将登录页面改为${cas.server}?service=${cas.client}/login的形式，service后面为本地的回调地址。在cas服务器端登录成功后，会生成ticket返回给客户端，客户端的shiro使用ticket最为凭据保存起来。

shiro配置单点登陆后，在注销时原始的cas-client只能删除HttpSession，不能删除shiro的Session，因此未使用shiro的session管理器。

如果想启用shiro的Session管理器，可以参考Shiro & CAS 实现单点登录。

原有的CasRealm在AuthenticationInfo中只保存了用户名作为principal，MyCasRealm中重写了此方法，改为保存用户信息类。

需要在pom增加依赖，shiro-cas会通过依赖传递自动增加cas-client-core-3.2.1的依赖。

<!-- shiro -->

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-spring</artifactId>

<version>1.2.3</version>

</dependency>

<dependency>

<groupId>org.apache.shiro</groupId>

<artifactId>shiro-cas</artifactId>

<version>1.2.3</version>

</dependency>

1234567891011

1、spring-shiro.xml配置

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns=""

xmlns:xsi=""

xmlns:util=""

xmlns:aop=""

xmlns:context=""

xsi:schemaLocation="

" default-lazy-init="false">

<description>Shiro安全配置</description>

<!-- 缓存管理器 -->

<bean id="cacheManager" class="com.whty.framework.base.common.cache.SpringCacheManagerWrapper">

<property name="cacheManager" ref="springCacheManager"/>

</bean>

<!-- Realm实现 -->

<bean id="casRealm" class="com.whty.oim.base.shiro.MyCasRealm">

<property name="cachingEnabled" value="true"/>

<property name="authenticationCachingEnabled" value="true"/>

<property name="authenticationCacheName" value="authenticationCache"/>

<property name="authorizationCachingEnabled" value="true"/>

<property name="authorizationCacheName" value="authorizationCache"/>

<!-- CAS Server -->

<property name="casServerUrlPrefix" value="${cas.server}"/>

<!-- 客户端的回调地址设置，必须和下面的shiro-cas过滤器拦截的地址一致 -->

<property name="casService" value="${cas.client}/login"/>

</bean>

<bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory"/>

<!-- 安全管理器 -->

<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">

<property name="realm" ref="casRealm"/>

<!-- <property name="sessionManager" ref="sessionManager"/> -->

<property name="cacheManager" ref="cacheManager"/>

<!-- sessionMode参数设置为native时，那么shrio就将用户的基本认证信息保存到缺省名称为shiro-activeSessionCache 的Cache中 -->

<!--<property name="sessionMode" value="native" />-->

<property name="subjectFactory" ref="casSubjectFactory"/>

</bean>

<!-- 相当于调用SecurityUtils.setSecurityManager(securityManager) -->

<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">

<property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager"/>

<property name="arguments" ref="securityManager"/>

</bean>

<bean id="casFilter" class="org.apache.shiro.cas.CasFilter">

<!-- 配置验证错误时的失败页面 -->

<property name="failureUrl" value="${cas.client}"/>

</bean>

<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">

<property name="securityManager" ref="securityManager" />

<!-- 设定角色的登录链接，这里为cas登录页面的链接可配置回调地址 -->

<property name="loginUrl" value="${cas.server}?service=${cas.client}/login" />

<property name="successUrl" value="/index" />

<property name="unauthorizedUrl" value="/"/>

<property name="filters">

<util:map>

<!-- <entry key="authc" value-ref="authcFilter"/>

<entry key="captchaFilter" value-ref="captchaFilter"/> -->

<!-- 添加casFilter到shiroFilter -->

<entry key="cas" value-ref="casFilter"/>

</util:map>

</property>

<property name="filterChainDefinitions">

<value>

/logout = logout

/login = cas

/** = user

</value>

</property>

</bean>

<!--保证实现了Shiro内部lifecycle函数的bean执行 -->

<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

</beans>

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182

2、cas.properties

cas.server=

cas.client=

3、自定义Realm实现

主要修改了CasRealm的doGetAuthenticationInfo()方法，CasRealm默认只保存了username，本系统改为保存ShiroUser对象。

public class MyCasRealm extends CasRealm {

Logger logger = LoggerFactory.getLogger(MyCasRealm.class);

@Autowired

private UcsUserService ucsUserService;

@Autowired

private UcsRoleService ucsRoleService;

@Autowired

private UcsPermissionService ucsPermissionService;

@Value("${domain}")

private String domain;

/**

* 授权查询回调函数, 进行鉴权但缓存中无用户的授权信息时调用.

*

* @see org.apache.shiro.realm.AuthorizingRealm#doGetAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection)

*/

@Override

protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {

ShiroUser shiroUser = (ShiroUser) principals.getPrimaryPrincipal();

UcsUser ucsUser = ucsUserService.selectByUsername(shiroUser.loginName);

//把principals放session中 key=userId value=principals

SecurityUtils.getSubject().getSession().setAttribute(String.valueOf(ucsUser.getId()),SecurityUtils.getSubject().getPrincipals());

SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();

//赋予角色

List<UcsRole> ucsRoles = ucsRoleService.selectByUser(ucsUser.getId());

if (!CheckEmptyUtil.isEmpty(ucsRoles)){

for(UcsRole ucsRole:ucsRoles){

info.addRole(ucsRole.getId());

}

}

//赋予权限

// List<UcsPermission> ucsPermissions = ucsPermissionService.selectByUser(ucsUser.getId(), domain);

if (!CheckEmptyUtil.isEmpty(shiroUser.getMenus())){

for(EasyUIMenu permission:shiroUser.getMenus()){

if(UcsBaseConstant.PermissionType.BUTTON.equals(permission.getType()))

info.addStringPermission(permission.getUrl());

}

}

return info;

}

/**

* Authenticates a user and retrieves its information.

*

* @param token the authentication token

* @throws AuthenticationException if there is an error during authentication.

*/

@Override

protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

CasToken casToken = (CasToken) token;

if (token == null) {

return null;

}

String ticket = (String)casToken.getCredentials();

if (!StringUtils.hasText(ticket)) {

return null;

}

TicketValidator ticketValidator = ensureTicketValidator();

try {

// contact CAS server to validate service ticket

Assertion casAssertion = ticketValidator.validate(ticket, getCasService());

// get principal, user id and attributes

AttributePrincipal casPrincipal = casAssertion.getPrincipal();

String username = casPrincipal.getName();

logger.debug("Validate ticket : {} in CAS server : {} to retrieve user : {}", new Object[]{

ticket, getCasServerUrlPrefix(), username

});

Map<String, Object> attributes = casPrincipal.getAttributes();

// refresh authentication token (user id + remember me)

casToken.setUserId(username);

String rememberMeAttributeName = getRememberMeAttributeName();

String rememberMeStringValue = (String)attributes.get(rememberMeAttributeName);

boolean isRemembered = rememberMeStringValue != null && Boolean.parseBoolean(rememberMeStringValue);

if (isRemembered) {

casToken.setRememberMe(true);

}

// create simple authentication info

// 根据用户名获取账号信息

UcsUser ucsUser = ucsUserService.selectByUsername(username);

List<UcsPermission> ucsPermissions = null;

if (ucsUser != null) {

ucsPermissions = ucsPermissionService.selectByUser(ucsUser.getId(), domain);

} else {

throw new UnknownAccountException();//登录失败

}

//给菜单排序

List<EasyUIMenu> menus = toEasyUIMenu(ucsPermissions);

if(!CheckEmptyUtil.isEmpty(menus)){

Collections.sort(menus);

}

ShiroUser shiroUser = new ShiroUser(ucsUser.getId(), ucsUser.getUsername(), ucsUser.getName(), menus);

return new SimpleAuthenticationInfo(shiroUser, ticket, getName());

} catch (TicketValidationException e) {

throw new CasAuthenticationException("Unable to validate ticket [" + ticket + "]", e);

}

}

private List<EasyUIMenu> toEasyUIMenu(List<UcsPermission> ucsPermissions){

List<EasyUIMenu> menus = new ArrayList<EasyUIMenu>(0);

for (UcsPermission ucsPermission : ucsPermissions) {

menus.add(toEasyUIMenu(ucsPermission));

}

return menus;

}

private EasyUIMenu toEasyUIMenu(UcsPermission ucsPermission){

return new EasyUIMenu(ucsPermission.getId(), ucsPermission.getPid(), ucsPermission.getDomain(), ucsPermission.getName(), ucsPermission.getType(), ucsPermission.getSort(), ucsPermission.getIcon(), ucsPermission.getUrl(), ucsPermission.getDescription(), ucsPermission.getStatus());

}

@Override

public void clearCachedAuthorizationInfo(PrincipalCollection principals) {

super.clearCachedAuthorizationInfo(principals);

}

@Override

public void clearCachedAuthenticationInfo(PrincipalCollection principals) {

super.clearCachedAuthenticationInfo(principals);

}

@Override

public void clearCache(PrincipalCollection principals) {

super.clearCache(principals);

clearAllCache();

}

public void clearAllCachedAuthorizationInfo() {

getAuthorizationCache().clear();

}

public void clearAllCachedAuthenticationInfo() {

getAuthenticationCache().clear();

}

public void clearAllCache() {

clearAllCachedAuthenticationInfo();

clearAllCachedAuthorizationInfo();

}

}

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148

（二）cas登出

在任意一个子系统登出后，cas服务器会向所有发过登录请求的子系统发送一个登出请求，使所有子系统的HttpSession失效。如果使用了shiro的session管理器，需要修改cas客户端代码，在移除HttpSession的时候也移除shiro的Session。

1、web.xml

web.xml中需要加入cas的SingleSignOutFilter实现单点登出功能，该过滤器需要放在shiroFilter之前，spring字符集过滤器之后。在实际使用时发现，SingleSignOutFilter如果放在了spring字符集过滤器之前，数据在传输过程中就会出现乱码。

<!-- 用于单点退出，该过滤器用于实现单点登出功能，可选配置。-->

<listener>

<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>

</listener>

<!-- 该过滤器用于实现单点登出功能，可选配置。 -->

<filter>

<filter-name>CAS Single Sign Out Filter</filter-name>

<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>

</filter>

<filter-mapping>

<filter-name>CAS Single Sign Out Filter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

12345678910111213

2、登出请求

登出只需要将当前页面跳转到cas服务器的logout页面即可实现登出。如果需要登出后跳转页面，可以加入service参数，并参考第一部分中第四节进行配置。

子系统使用的方法是在后台拼装好登出链接，发送给前台页面，前台页面接受使用el表达式接收。具体实现需要根据每个子系统的不同来自行实现。

@Value("${cas.server}")

private String cas_server;

@Value("${cas.client}")

private String cas_client;

@RequestMapping(value = "/index")

public String index(Model model){

StringBuilder logoutUrl = new StringBuilder();

logoutUrl.append(cas_server);

logoutUrl.append("/logout?service=");

logoutUrl.append(cas_client);

model.addAttribute("logoutUrl", logoutUrl.toString());

return "system/index";

}

1234567891011121314

前台页面：

<script>

var logoutUrl = '${logoutUrl}';

</script>

123

缓存配置（可选）

我使用的ehcache作为shiro的缓存，也可以使用其他的。

spring-cache.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="" xmlns:xsi="" xmlns:aop="" xmlns:context=""

xmlns:jdbc="" xmlns:tx=""

xsi:schemaLocation="

"

default-lazy-init="false">

<bean id="springCacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager">

<property name="cacheManager" ref="ehcacheManager"/>

</bean>

<!--ehcache-->

<bean id="ehcacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">

<property name="configLocation" value="classpath:properties/ehcache.xml"/>

</bean>

</beans>

123456789101112131415161718192021

ehcache.xml

<?xml version="1.0" encoding="UTF-8"?>

<ehcache xmlns:xsi=""

xsi:noNamespaceSchemaLocation="ehcache.xsd"

updateCheck="true" monitoring="autodetect"

dynamicConfig="true">

<diskStore path="C:\\ehcache\\cache"/>

<!--<diskStore path="/application/cache"/> -->

<!-- 登录记录缓存 锁定10分钟 -->

<cache name="passwordRetryEhcache"

maxEntriesLocalHeap="2000"

eternal="false"

timeToIdleSeconds="1800"

timeToLiveSeconds="0"

overflowToDisk="false"

statistics="true">

</cache>

<cache name="authorizationCache"

maxEntriesLocalHeap="2000"

eternal="false"

timeToIdleSeconds="3600"

timeToLiveSeconds="0"

overflowToDisk="false"

statistics="true">

</cache>

<cache name="authenticationCache"

maxEntriesLocalHeap="2000"

eternal="false"

timeToIdleSeconds="3600"

timeToLiveSeconds="0"

overflowToDisk="false"

statistics="true">

</cache>

<cache name="shiro-activeSessionCache"

maxEntriesLocalHeap="2000"

eternal="false"

timeToIdleSeconds="3600"

timeToLiveSeconds="0"

overflowToDisk="false"

statistics="true">

</cache>

<defaultCache

maxElementsInMemory="1000"

eternal="false"

timeToIdleSeconds="120"

timeToLiveSeconds="120"

overflowToDisk="true"

maxElementsOnDisk="10000"

diskSpoolBufferSizeMB="30"

diskPersistent="false"

diskExpiryThreadIntervalSeconds="120"

memoryStoreEvictionPolicy="LRU"

statistics="false"

/>

</ehcache>