Springboot security cas整合方案中不可或缺的校验Filter类或者称为认证Filter类,其内部包含校验器、权限获取等,特开辟新地啃啃
继承结构
- AbstractAuthenticationProcessingFilter
- CasAuthenticationFilter
其中父类AbstractAuthenticationProcessingFilter#doFilter()是模板处理逻辑方法,而子类主要实现了校验方法CasAuthenticationFilter#attemptAuthentication()方法。下面就对这两块进行代码层面的分析
AbstractAuthenticationProcessingFilter#doFilter-处理逻辑
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//是否需要验证,这里cas子类对其进行了复写
if (!requiresAuthentication(request, response)) {
chain.doFilter(request, response);
return;
}
if (logger.isDebugEnabled()) {
logger.debug("Request is to process authentication");
}
//凭证信息
Authentication authResult;
try {
//调用子类来进行相关的验证操作,供子类复写
authResult = attemptAuthentication(request, response);
if (authResult == null) {
//返回为空,则校验停止
return;
}
//session策略校验,默认不校验
sessionStrategy.onAuthentication(authResult, request, response);
}
catch (InternalAuthenticationServiceException failed) {
logger.error(
"An internal error occurred while trying to authenticate the user.",
failed);
//对其中产生的异常进行页面输出,即直接以页面呈现错误
unsuccessfulAuthentication(request, response, failed);
return;
}
catch (AuthenticationException failed) {
// Authentication failed
//对其中产生的异常进行页面输出,即直接以页面呈现错误
unsuccessfulAuthentication(request, response, failed);
return;
}
// Authentication success
//认证成功后是否还往下走,默认为false
if (continueChainBeforeSuccessfulAuthentication) {
chain.doFilter(request, response);
}
//直接跳转至配置好的登录成功页面,这里cas子类对其进行了复写
successfulAuthentication(request, response, chain, authResult);
}
其中CasAuthenticationFilter对以下方法进行了复写,分别为requiresAuthentication()、successfulAuthentication()、attemptAuthentication()方法
CasAuthenticationFilter#requiresAuthentication-是否校验判断
protected boolean requiresAuthentication(final HttpServletRequest request,
final HttpServletResponse response) {
//是否与设置的登录路径匹配
final boolean serviceTicketRequest = serviceTicketRequest(request, response);
//对含有ticket参数的请求会返回true
final boolean result = serviceTicketRequest || proxyReceptorRequest(request)
|| (proxyTicketRequest(serviceTicketRequest, request));
if (logger.isDebugEnabled()) {
logger.debug("requiresAuthentication = " + result);
}
return result;
}
对login请求以及token请求则返回true表示需要验证
CasAuthenticationFilter#attemptAuthentication-具体校验处理
@Override
public Authentication attemptAuthentication(final HttpServletRequest request,
final HttpServletResponse response) throws AuthenticationException,
IOException {
// if the request is a proxy request process it and return null to indicate the
// request has been processed
//代理服务的请求处理,涉及PGT
if (proxyReceptorRequest(request)) {
logger.debug("Responding to proxy receptor request");
//直接响应输出
CommonUtils.readAndRespondToProxyReceptorRequest(request, response,
this.proxyGrantingTicketStorage);
return null;
}
//判断是否对应指定的请求(login请求),支持ant-style方式
final boolean serviceTicketRequest = serviceTicketRequest(request, response);
//login请求为"_cas_stateful_",非login请求为"_cas_stateless_"
final String username = serviceTicketRequest ? CAS_STATEFUL_IDENTIFIER
: CAS_STATELESS_IDENTIFIER;
//获取ticket
String password = obtainArtifact(request);
//passwprd一般不可为空,这在provider处理类中会抛异常
if (password == null) {
logger.debug("Failed to obtain an artifact (cas ticket)");
password = "";
}
final UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
//通过CasAuthenticationProvider来进行具体的校验,包含ticket验证以及当前用户权限集合获取
return this.getAuthenticationManager().authenticate(authRequest);
}
具体的校验通过CasAuthenticationProvider来实现
CasAuthenticationProvider-cas校验器
cas校验器,看下主要的实现方法
- CasAuthenticationProvider#afterPropertiesSet()
主要是检验必须的属性是否设置public void afterPropertiesSet() throws Exception { //权限获取处理对象 Assert.notNull(this.authenticationUserDetailsService, "An authenticationUserDetailsService must be set"); //ticket校验器 Assert.notNull(this.ticketValidator, "A ticketValidator must be set"); //stateless对应的缓存,默认为NullStatelessTicketCache Assert.notNull(this.statelessTicketCache, "A statelessTicketCache must be set"); //必须设置key Assert.hasText( this.key, "A Key is required so CasAuthenticationProvider can identify tokens it previously authenticated"); //默认为SpringSecurityMessageSource.getAccessor() Assert.notNull(this.messages, "A message source must be set"); } - CasAuthenticationProvider#authenticate
校验处理方法,源码如下//此处传过来的authentication类型为UsernamePasswordAuthenticationToken public Authentication authenticate(Authentication authentication) throws AuthenticationException { //此处为true if (!supports(authentication.getClass())) { return null; } if (authentication instanceof UsernamePasswordAuthenticationToken && (!CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER .equals(authentication.getPrincipal().toString()) && !CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER .equals(authentication.getPrincipal().toString()))) { // UsernamePasswordAuthenticationToken not CAS related return null; } // If an existing CasAuthenticationToken, just check we created it if (authentication instanceof CasAuthenticationToken) { if (this.key.hashCode() == ((CasAuthenticationToken) authentication) .getKeyHash()) { return authentication; } else { throw new BadCredentialsException( messages.getMessage("CasAuthenticationProvider.incorrectKey", "The presented CasAuthenticationToken does not contain the expected key")); } } // Ensure credentials are presented,确保ticket不为空,否则将抛出异常 if ((authentication.getCredentials() == null) || "".equals(authentication.getCredentials())) { throw new BadCredentialsException(messages.getMessage( "CasAuthenticationProvider.noServiceTicket", "Failed to provide a CAS service ticket to validate")); } boolean stateless = false; if (authentication instanceof UsernamePasswordAuthenticationToken && CasAuthenticationFilter.CAS_STATELESS_IDENTIFIER.equals(authentication .getPrincipal())) { stateless = true; } CasAuthenticationToken result = null; //对非login请求的尝试从缓存中获取 if (stateless) { // Try to obtain from cache result = statelessTicketCache.getByTicketId(authentication.getCredentials() .toString()); } if (result == null) { //第一次校验则用ticketValidator去cas服务端进行ticket校验 result = this.authenticateNow(authentication); result.setDetails(authentication.getDetails()); } //对非login请求的castoken进行缓存 if (stateless) { // Add to cache statelessTicketCache.putTicketInCache(result); } return result; } - CasAuthenticationProvider#authenticateNow
实际的校验处理方法,源码如下private CasAuthenticationToken authenticateNow(final Authentication authentication) throws AuthenticationException { try { //TicketValidator一般只需要设置casServerUrlPrefix前缀,实际的请求全路径如下,以Cas20ServiceTicketValidator为例 //https://example.casserver.com/cas/serviceValidator?service=https://example.casclient.com/ final Assertion assertion = this.ticketValidator.validate(authentication .getCredentials().toString(), getServiceUrl(authentication)); //调用authenticationUserDetailsService获取当前用户所拥有的权限 final UserDetails userDetails = loadUserByAssertion(assertion); userDetailsChecker.check(userDetails); //组装成CasAuthenticationToken来保存校验信息,供保存至spring的安全上下文中 return new CasAuthenticationToken(this.key, userDetails, authentication.getCredentials(), authoritiesMapper.mapAuthorities(userDetails.getAuthorities()), userDetails, assertion); } catch (final TicketValidationException e) { //ticket校验失败则抛出异常,此异常会被父类获取而调用failerhandler将错误写向页面 throw new BadCredentialsException(e.getMessage(), e); } }
- CasAuthenticationProvider的必要属性含义
- authenticationUserDetailsService-权限获取对象
- ticketValidator-ticket校验器,其中需要设置cas服务端的校验地址前缀
casServerUrlPrefix- key-设置唯一标识
- CasAuthenticationProvider校验过程中如果ticket为空或者ticket校验失败都会由
AbstractAuthenticationProcessingFilter类抓取并将错误信息写入到页面中,从而关于ticket的异常信息都会显示至前端页面- CasAuthenticationProvider校验成功后会生成
CasAuthenticationToken,且设置authenticated为true并保存至spring的安全上下文中,这在FilterSecurityInterceptorFilter类会有所作用
CasAuthenticationFilter#successfulAuthentication-校验成功处理
protected final void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response, FilterChain chain, Authentication authResult)
throws IOException, ServletException {
//如果请求含有ticket参数,返回true
//login请求则直接返回false从而调用父类的successfulAuthentication()来直接响应页面
boolean continueFilterChain = proxyTicketRequest(
serviceTicketRequest(request, response), request);
if (!continueFilterChain) {
super.successfulAuthentication(request, response, chain, authResult);
return;
}
if (logger.isDebugEnabled()) {
logger.debug("Authentication success. Updating SecurityContextHolder to contain: "
+ authResult);
}
//保存Authentication凭证信息
SecurityContextHolder.getContext().setAuthentication(authResult);
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
authResult, this.getClass()));
}
//往下继续走
chain.doFilter(request, response);
}
小结
CasAuthenticationFilter的放行策略:非登录请求;非代理接收请求;非ticket请求
对登录请求的成功处理是直接跳转至指定的页面,可通过
SimpleUrlAuthenticationSuccessHandler#setDefaultTargetUrl(String url)设置;
对非登录请求比如token请求的操作将保存校验通过的Authentication对象至SecurityContextHolder.getContext()上下文中再放行CasAuthenticationProvider校验过程中如果ticket为空或者ticket校验失败都会由
AbstractAuthenticationProcessingFilter类抓取并将错误信息写入到页面中,从而关于ticket的异常信息都会显示至前端页面
温馨提示:cas服务端登录成功后的service路径不要为login请求,避免token没拿到就被拦截从而输出错误页面其中对ticket进行校验的是
CasAuthenticationProvider对象,包括ticket校验以及权限获取