1、pom.xml文件添加:

		<!--单点登录-->
		<dependency>
			<groupId>org.pac4j</groupId>
			<artifactId>pac4j-cas</artifactId>
			<version>3.0.2</version>
		</dependency>
		<dependency>
			<groupId>io.buji</groupId>
			<artifactId>buji-pac4j</artifactId>
			<version>4.0.0</version>
			<exclusions>
				<exclusion>
					<artifactId>shiro-web</artifactId>
					<groupId>org.apache.shiro</groupId>
				</exclusion>
			</exclusions>
		</dependency>

2、application.yml文件添加:

#cas配置
cas:
  client-name: demoClient
  #cas服务端前缀,不是登录地址
  server:
    url: http://x.x.x.x/x
  #当前客户端地址,即应用地址(域名)
  project:
    url: http://x.x.x.x

3、ShiroConfig.java

package org.sang.authentication.configuration;
import io.buji.pac4j.filter.CallbackFilter;
import io.buji.pac4j.filter.LogoutFilter;
import io.buji.pac4j.filter.SecurityFilter;
import io.buji.pac4j.subject.Pac4jSubjectFactory;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.pac4j.core.config.Config;
import org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.web.filter.DelegatingFilterProxy;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;


@Configuration
public class ShiroConfig {


    /** 项目工程路径 */
    @Value("${cas.project.url}")
    private String projectUrl;

    /** 项目cas服务路径 */
    @Value("${cas.server.url}")
    private String casServerUrl;

    /** 客户端名称 */
    @Value("${cas.client-name}")
    private String clientName;


    @Bean("securityManager")
    public DefaultWebSecurityManager securityManager(Pac4jSubjectFactory subjectFactory, CasRealm casRealm){
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(casRealm);
        manager.setSubjectFactory(subjectFactory);
//        manager.setSessionManager(sessionManager);	//去掉session管理
        return manager;
    }

    @Bean
    public CasRealm casRealm(){
        CasRealm realm = new CasRealm();
        // 使用自定义的realm
        realm.setClientName(clientName);
        realm.setCachingEnabled(false);
        //暂时不使用缓存
        realm.setAuthenticationCachingEnabled(false);
        realm.setAuthorizationCachingEnabled(false);
        //realm.setAuthenticationCacheName("authenticationCache");
        //realm.setAuthorizationCacheName("authorizationCache");
        return realm;
    }

    /**
     * 使用 pac4j 的 subjectFactory
     * @return
     */
    @Bean
    public Pac4jSubjectFactory subjectFactory(){
        return new Pac4jSubjectFactory();
    }

    @Bean
    public FilterRegistrationBean filterRegistrationBean() {
        FilterRegistrationBean filterRegistration = new FilterRegistrationBean();
        filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));
        //  该值缺省为false,表示生命周期由SpringApplicationContext管理,设置为true则表示由ServletContainer管理
        filterRegistration.addInitParameter("targetFilterLifecycle", "true");
        filterRegistration.setEnabled(true);
        filterRegistration.addUrlPatterns("/*");
        filterRegistration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD);
        return filterRegistration;
    }

    /**
     * 加载shiroFilter权限控制规则(从数据库读取然后配置)
     * @param shiroFilterFactoryBean
     */
    private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean){
        /*下面这些规则配置最好配置到配置文件中 */
        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/", "securityFilter");
        filterChainDefinitionMap.put("/application/**", "securityFilter");
        filterChainDefinitionMap.put("/index", "securityFilter");
        filterChainDefinitionMap.put("/callback", "callbackFilter");
        filterChainDefinitionMap.put("/logout", "logout");
//        filterChainDefinitionMap.put("/**","anon");
        filterChainDefinitionMap.put("/**", "jwt");	//使用自己的过滤器
        // filterChainDefinitionMap.put("/user/edit/**", "authc,perms[user:edit]");
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
    }


    /**
     * shiroFilter
     * @param securityManager
     * @param config
     * @return
     */
    @Bean("shiroFilter")
    public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager, Config config) {
        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
        // 必须设置 SecurityManager
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        //shiroFilterFactoryBean.setUnauthorizedUrl("/403");
        // 添加casFilter到shiroFilter中
        loadShiroFilterChain(shiroFilterFactoryBean);
        Map<String, Filter> filters = new HashMap<>(4);
        //cas 资源认证拦截器
        SecurityFilter securityFilter = new SecurityFilter();
        securityFilter.setConfig(config);
        securityFilter.setClients(clientName);
        filters.put("securityFilter", securityFilter);
        //cas 认证后回调拦截器
        CallbackFilter callbackFilter = new CallbackFilter();
        callbackFilter.setConfig(config);
        callbackFilter.setDefaultUrl(projectUrl);
        filters.put("callbackFilter", callbackFilter);

        //验证请求拦截器
        filters.put("jwt", new JWTFilter());	//添加自己的过滤器

        // 注销 拦截器
        LogoutFilter logoutFilter = new LogoutFilter();
        logoutFilter.setConfig(config);
        logoutFilter.setCentralLogout(true);
        logoutFilter.setLocalLogout(true);
        logoutFilter.setDefaultUrl(projectUrl + "/callback?client_name=" + clientName);
        filters.put("logout",logoutFilter);
        shiroFilterFactoryBean.setFilters(filters);
        return shiroFilterFactoryBean;
    }


    /**
     * 下面的代码是添加注解支持
     */
    @Bean
    @DependsOn("lifecycleBeanPostProcessor")
    public DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator() {
        DefaultAdvisorAutoProxyCreator defaultAdvisorAutoProxyCreator = new DefaultAdvisorAutoProxyCreator();
        // 强制使用cglib,防止重复代理和可能引起代理出错的问题
        // https://zhuanlan.zhihu.com/p/29161098
        defaultAdvisorAutoProxyCreator.setProxyTargetClass(true);
        return defaultAdvisorAutoProxyCreator;
    }

    @Bean
    public static LifecycleBeanPostProcessor lifecycleBeanPostProcessor() {
        return new LifecycleBeanPostProcessor();
    }

    @Bean
    public AuthorizationAttributeSourceAdvisor authorizationAttributeSourceAdvisor(DefaultWebSecurityManager securityManager) {
        AuthorizationAttributeSourceAdvisor advisor = new AuthorizationAttributeSourceAdvisor();
        advisor.setSecurityManager(securityManager);
        return advisor;
    }


}

4、Pac4jConfig.java

package org.sang.authentication.configuration;

import io.buji.pac4j.context.ShiroSessionStore;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.cas.config.CasProtocol;
import org.pac4j.core.config.Config;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;


@Configuration
public class Pac4jConfig {

    /** 地址为:cas地址 */
    @Value("${cas.server.url}")
    private String casServerUrl;

    /** 地址为:验证返回后的项目地址:http://localhost:8081 */
    @Value("${cas.project.url}")
    private String projectUrl;

    /** 相当于一个标志,可以随意 */
    @Value("${cas.client-name}")
    private String clientName;


    /**
     *  pac4j配置
     * @param casClient
     * @param shiroSessionStore
     * @return
     */
    @Bean("authcConfig")
    public Config config(CasClient casClient, ShiroSessionStore shiroSessionStore) {
        Config config = new Config(casClient);
        config.setSessionStore(shiroSessionStore);
        return config;
    }

    /**
     * 自定义存储
     * @return
     */
    @Bean
    public ShiroSessionStore shiroSessionStore(){
        return new ShiroSessionStore();
    }

    /**
     * cas 客户端配置
     * @param casConfig
     * @return
     */
    @Bean
    public CasClient casClient(CasConfiguration casConfig){
        CasClient casClient = new CasClient(casConfig);
        //客户端回调地址
        casClient.setCallbackUrl(projectUrl + "/callback?client_name=" + clientName);
        casClient.setName(clientName);
        return casClient;
    }

    /**
     * 请求cas服务端配置
     * @param
     */
    @Bean
    public CasConfiguration casConfig(){
        final CasConfiguration configuration = new CasConfiguration();
        //CAS server登录地址
        configuration.setLoginUrl(casServerUrl + "/login");
        //CAS 版本,默认为 CAS30,我们使用的是 CAS20
        configuration.setProtocol(CasProtocol.CAS20);
        configuration.setAcceptAnyProxy(true);
        configuration.setPrefixUrl(casServerUrl + "/");
        return configuration;
    }

}

5、CasClient.java

package org.sang.authentication.configuration;

import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.context.Pac4jConstants;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.redirect.RedirectAction;
import org.pac4j.core.util.CommonHelper;


public class CasClient extends org.pac4j.cas.client.CasClient {
    public CasClient() {
        super();
    }

    public CasClient(CasConfiguration configuration) {
        super(configuration);
    }

    /*
     * (non-Javadoc)
     * @see org.pac4j.core.client.IndirectClient#getRedirectAction(org.pac4j.core.context.WebContext)
     */

    @Override
    public RedirectAction getRedirectAction(WebContext context) {
        this.init();
        if (getAjaxRequestResolver().isAjax(context)) {
            this.logger.info("AJAX request detected -> returning the appropriate action");
            RedirectAction action = getRedirectActionBuilder().redirect(context);
            this.cleanRequestedUrl(context);
            return getAjaxRequestResolver().buildAjaxResponse(action.getLocation(), context);
        } else {
            final String attemptedAuth = (String)context.getSessionStore().get(context, this.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX);
            if (CommonHelper.isNotBlank(attemptedAuth)) {
                this.cleanAttemptedAuthentication(context);
                this.cleanRequestedUrl(context);
                //这里按自己需求处理,默认是返回了401,我在这边改为跳转到cas登录页面
                //throw HttpAction.unauthorized(context);
                return this.getRedirectActionBuilder().redirect(context);
            } else {
                return this.getRedirectActionBuilder().redirect(context);
            }
        }
    }

    private void cleanRequestedUrl(WebContext context) {
        SessionStore<WebContext> sessionStore = context.getSessionStore();
        if (sessionStore.get(context, Pac4jConstants.REQUESTED_URL) != null) {
            sessionStore.set(context, Pac4jConstants.REQUESTED_URL, "");
        }

    }

    private void cleanAttemptedAuthentication(WebContext context) {
        SessionStore<WebContext> sessionStore = context.getSessionStore();
        if (sessionStore.get(context, this.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX) != null) {
            sessionStore.set(context, this.getName() + ATTEMPTED_AUTHENTICATION_SUFFIX, "");
        }

    }


}

6、CasRealm.java

认证逻辑:统一认证页面,输入用户名、密码,cas服务端进行认证,此时传给doGetAuthenticationInfo方法中的authenticationToken是由cas服务单返回的,进行登录认证;登录认证成功后,回调项目地址http://x.x.x.x,匹配@GetMapping({"/", “”, “/index”}),执行LoginController.java中的login方法;进入系统,之后的每次请求所携带token,是由login方法中生成,发给前端,以后请求时携带的JWTToken,传给doGetAuthenticationInfo方法中的authenticationToken,进行token验证。

package org.sang.authentication.configuration;


import io.buji.pac4j.realm.Pac4jRealm;
import io.buji.pac4j.subject.Pac4jPrincipal;
import io.buji.pac4j.token.Pac4jToken;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.pac4j.core.profile.CommonProfile;
import org.sang.authentication.manager.UserManager;
import org.sang.bean.User;
import org.springframework.beans.factory.annotation.Autowired;


import java.util.List;
import java.util.Set;

/**
 * 认证与授权
 * @author ltq
 **/
public class CasRealm extends Pac4jRealm {

    private String clientName;

    public String getClientName() {
        return clientName;
    }

    public void setClientName(String clientName) {
        this.clientName = clientName;
    }

    @Autowired
    private UserManager userManager;

    /**
     * 认证
     * @param authenticationToken
     * @return
     * @throws AuthenticationException
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
//        System.out.println(authenticationToken.getClass().getName());
        if (!(authenticationToken instanceof JWTToken)) {
            final Pac4jToken pac4jToken = (Pac4jToken) authenticationToken;
            final List<CommonProfile> commonProfileList = pac4jToken.getProfiles();
            final CommonProfile commonProfile = commonProfileList.get(0);
            System.out.println("单点登录返回的信息" + commonProfile.toString());
            //todo
            final Pac4jPrincipal principal = new Pac4jPrincipal(commonProfileList, getPrincipalNameAttribute());
            final PrincipalCollection principalCollection = new SimplePrincipalCollection(principal, getName());
            return new SimpleAuthenticationInfo(principalCollection, commonProfileList.hashCode());
        } else {
            // 这里的 token是从 JWTFilter 的 executeLogin 方法传递过来的,已经经过了解密
//            System.out.println(authenticationToken.getCredentials());
            String token = (String)authenticationToken.getCredentials();
            String userId = JWTUtil.getUserIdFromToken(token);

            if (StringUtils.isBlank(userId)) {
                throw new AuthenticationException("token校验不同过");
            }

            User user = userManager.getUserByUserId(userId);
            if (user == null) {
                throw new AuthenticationException("用户名或密码错误");
            }
            if (!JWTUtil.verify(token, userId, user.getPassword())) {
                throw new AuthenticationException("token校验不通过");
            }
            return new SimpleAuthenticationInfo(token, token, getName());
        }
    }

    /**
     * 授权/验权(todo 后续有权限在此增加)
     * @param principals
     * @return
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
//        System.out.println(principals);
        String userId = JWTUtil.getUserIdFromToken(principals.toString());
        SimpleAuthorizationInfo authInfo = new SimpleAuthorizationInfo();

        //获取用户角色集合
        Set<String> roleSet = userManager.getUserRoles(userId);
        authInfo.setRoles(roleSet);

        //获取用户权限集合
        Set<String> permissionSet = userManager.getUserPermissions(userId);
        authInfo.setStringPermissions(permissionSet);

        return authInfo;
    }
}

7、LoginController.java

package org.sang.authentication.controller;


import io.buji.pac4j.subject.Pac4jPrincipal;
import org.sang.authentication.configuration.JWTToken;
import org.sang.authentication.configuration.JWTUtil;
import org.sang.authentication.manager.UserManager;
import org.sang.authentication.propertites.LearningProperty;
import org.sang.authentication.tools.DateUtil;
import org.sang.authentication.tools.LearningUtil;
import org.sang.bean.User;
import org.sang.authentication.tools.MD5Utils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.URLEncoder;
import java.time.LocalDateTime;
import java.util.*;



@RestController
public class LoginController {


    @Autowired
    private UserManager userManager;
    @Autowired
    private LearningProperty learningProperty;


    /**
     * 生成前端需要的用户信息
     * @param jwtToken token
     * @param userId userId
     * @return userInfo
     */
    private HashMap<String, Object> generateUserInfo(JWTToken jwtToken, String userId) {

        HashMap<String, Object> userInfo = new HashMap<>();

        userInfo.put("token", jwtToken.getToken());
        userInfo.put("expireTime", jwtToken.getExpireAt());

        Set<String> roles = this.userManager.getUserRoles(userId);
        userInfo.put("roles", roles);

        return userInfo;
    }


    /**
     * 登录认证
     * @return 登录结果
     */
    @GetMapping({"/", "", "/index"})
    public void login(HttpServletRequest request, HttpServletResponse response) throws ClassCastException {

        Pac4jPrincipal principal = (Pac4jPrincipal)request.getUserPrincipal();
        String userId = (String)principal.getProfile().getAttribute("uid");
        String cn = (String)principal.getProfile().getAttribute("cn");
        
        /*
        根据统一认证返回信息确定用户角色,并一同写入数据库
        略
        */

        String pwd = userManager.getPasswordByUserId(userId);
        String token = LearningUtil.encryptToken(JWTUtil.sign(userId, pwd));
        LocalDateTime expireTime = LocalDateTime.now().plusSeconds(learningProperty.getShiro().getJwtTimeOut());
        String expireTimeStr = DateUtil.formatFullTime(expireTime);
        JWTToken jwtToken = new JWTToken(token, expireTimeStr);

        HashMap<String, Object> userInfo = this.generateUserInfo(jwtToken, userId);



        try {
            cn = URLEncoder.encode(cn,"utf-8");//使url中汉字正常显示


            Set<String> set = (HashSet<String>)userInfo.get("roles");
            String role = set.iterator().next();

//重定向到前端登录页面,http://前端服务器地址:前端项目端口(前端部署到nginx后nginx配置端口) + "/"(注意/是前端路由中登录页面的path,并且与nginx.conf文件中的location后的/一致)+ 返回给前端的数据。
注意:前端服务器地址与前端项目中config/index.js配置的  host: 'x.x.x.x',保持一致。
            response.sendRedirect("http://x.x.x.x:9527/"+"?userId="+userId+"&userName="+cn+
                    "&token="+userInfo.get("token")+"&roles="+role+"&expireTime="+userInfo.get("expireTime"));
        } catch (Exception e) {
            System.out.println("LoginController中的异常");
            e.printStackTrace();
        }

    }


}

8、前端Login.vue页面

将前端登录后的跳转逻辑挂载到mounted中自动执行。

<template>

</template>

<script>
  import {mapMutations} from 'vuex'


  export default{

    methods: {

      ...mapMutations({
        setToken: 'account/setToken',
        setExpireTime: 'account/setExpireTime',
        setUserId: 'account/setUserId',
        setUserName: 'account/setUserName',
        setRoles: 'account/setRoles',
      }),

    },
    mounted: function () {
    
      this.setToken(this.$route.query.token);
      this.setExpireTime(this.$route.query.expireTime);
      this.setUserId(this.$route.query.userId);
      this.setUserName(this.$route.query.userName);
      this.setRoles(this.$route.query.roles);

      if (this.$route.query.roles.toString() === 'student') {
        this.$router.push('/StudentCourseList');
      } else if (this.$route.query.roles.toString() === 'teacher') {
        this.$router.push('/courseManage');
      }

    },

  }
</script>

<style>
 
</style>

借鉴:
一个简单的集成了shiro+cas+pac4j的springboot项目,实现单点登录及单点退出
https://gitee.com/bmlvy/single_sign_on
spring boot 2.0 集成 shiro 和 pac4j cas单点登录
https://www.cnblogs.com/suiyueqiannian/p/9359597.html
CAS单点登录-客户端集成(shiro、springboot、jwt、pac4j)(十)https://blog.csdn.net/u010475041/article/details/78140643

Logo

前往低代码交流专区

更多推荐