2012-04-25
2

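Our team has been tasked with securing a web service in some way. We currently have other web applications secured with Spring Security CAS, and we are considering using it to secure the web service as well. The idea is that if a user has logged in to one of the web applications through the CAS server, then when the web service is called it will see that the user is already authenticated and allow them to use it. We are not sure whether this is the right approach, since there is a lot of talk about using HMAC or OAuth 2.0, but we are considering CAS because it is what all the other applications use.

Spring Security CAS implementation in a web service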

This is what I have so far after following this tutorial:

http://www.oudmaijer.com/2009/12/28/spring-3-spring-security-3-cas-3-3-4-integration/

pom.xml

<dependency> 
    <groupId>org.springframework.security</groupId> 
    <artifactId>spring-security-core</artifactId> 
    <version>3.0.0.RELEASE</version> 
    <optional>false</optional> 
</dependency> 
<dependency> 
    <groupId>org.springframework.security</groupId> 
    <artifactId>spring-security-config</artifactId> 
    <version>3.0.0.RELEASE</version> 
    <scope>compile</scope> 
</dependency> 
<dependency> 
    <groupId>org.springframework.security</groupId> 
    <artifactId>spring-security-cas-client</artifactId> 
    <version>3.0.0.RELEASE</version> 
    <optional>false</optional> 
</dependency> 

web.xml

<?xml version="1.0" encoding="UTF-8"?> 
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns="http://java.sun.com/xml/ns/javaee" 
     xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
     http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
     id="WebApp_ID" 
     version="2.5"> 
<display-name>webservice</display-name> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 
<servlet> 
    <servlet-name>service</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>service</servlet-name> 
    <url-pattern>/*</url-pattern> 
</servlet-mapping> 
<!-- Start Spring CAS integration --> 
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value>/WEB-INF/applicationContext-security.xml</param-value> 
</context-param> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<welcome-file-list> 
    <welcome-file>index.html</welcome-file> 
    <welcome-file>index.jsp</welcome-file> 
</welcome-file-list> 
<!-- End Spring CAS integration --> 
</web-app>

applicationContext-security.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans"  xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 

<!-- 
    Enable security, let the casAuthenticationEntryPoint handle all intercepted urls. 
    The CAS_FILTER needs to be in the right position within the filter chain. 
--> 
<security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true"> 
    <security:intercept-url pattern="/**" access="ROLE_USER"></security:intercept-url> 
    <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"></security:custom-filter> 
</security:http> 

<!-- 
    Required for the casProcessingFilter, so define it explicitly set and 
    specify an Id Even though the authenticationManager is created by 
    default when namespace based config is used. 
--> 
<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider ref="casAuthenticationProvider"></security:authentication-provider> 
</security:authentication-manager> 

<!-- 
    This section is used to configure CAS. The service is the 
    actual redirect that will be triggered after the CAS login sequence. 
--> 
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"> 
    <property name="service" value="http://localhost:8080/service/j_spring_cas_security_check"></property> 
    <property name="sendRenew" value="false"></property> 
</bean> 

    <!-- 
    The CAS filter handles the redirect from the CAS server and starts the ticket validation. 
--> 
<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager"></property> 
</bean> 

<!-- 
    The entryPoint intercepts all the CAS authentication requests. 
    It redirects to the CAS loginUrl for the CAS login page. 
--> 
<bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> 
    <property name="loginUrl" value=""></property> 
    <property name="serviceProperties" ref="serviceProperties"></property> 
</bean> 

<!-- 
    Handles the CAS ticket processing. 
--> 
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> 
    <property name="userDetailsService" ref="userService"></property> 
    <property name="serviceProperties" ref="serviceProperties"></property> 
    <property name="ticketValidator"> 
     <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> 
      <constructor-arg index="0" value=""></constructor-arg> 
     </bean> 
    </property> 
    <property name="key" value="cas"></property> 
</bean> 

<!-- 
    The users available for this application. 
--> 
<security:user-service id="userService"> 
    <security:user name="user" password="user" authorities="ROLE_USER"></security:user> 
</security:user-service>
</beans>

I am not sure what is missing or what is going on, but when I start my Tomcat server in Eclipse, I get an error like this:

ERROR 2012-04-25 09:24:33 Context initialization failed 
java.lang.NoClassDefFoundError: org/springframework/core/convert/support/PropertyTypeDescriptor 
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:108) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1003) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:907) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) 
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291) 
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) 
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288) 
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194) 
at org.springframework.context.support.AbstractApplicationContext.registerBeanPostProcessors(AbstractApplicationContext.java:722) 
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:410) 
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276) 
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197) 
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47) 
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843) 
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342) 
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) 
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719) 
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) 
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) 
at org.apache.catalina.core.StandardService.start(StandardService.java:516) 
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) 
at org.apache.catalina.startup.Catalina.start(Catalina.java:578) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288) 
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413) 
Caused by: java.lang.ClassNotFoundException: org.springframework.core.convert.support.PropertyTypeDescriptor 
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387) 
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233) 
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:316) 
... 29 more 
Apr 25, 2012 9:24:33 AM org.apache.catalina.core.StandardContext listenerStart 
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener 
java.lang.NoClassDefFoundError: org/springframework/core/convert/support/PropertyTypeDescriptor 
at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:108) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1003) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:907) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485) 
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) 
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:291) 
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) 
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:288) 
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194) 
at org.springframework.context.support.AbstractApplicationContext.registerBeanPostProcessors(AbstractApplicationContext.java:722) 
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:410) 
at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276) 
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197) 
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47) 
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843) 
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342) 
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) 
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719) 
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) 
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) 
at org.apache.catalina.core.StandardService.start(StandardService.java:516) 
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) 
at org.apache.catalina.startup.Catalina.start(Catalina.java:578) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288) 
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413) 
Caused by: java.lang.ClassNotFoundException: org.springframework.core.convert.support.PropertyTypeDescriptor 
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387) 
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233) 
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:316) 
... 29 more 
Apr 25, 2012 9:24:33 AM org.apache.catalina.core.StandardContext start 
SEVERE: Error listenerStart 
Apr 25, 2012 9:24:33 AM org.apache.catalina.core.StandardContext start 
SEVERE: Context [/bannernotifications] startup failed due to previous errors 
Apr 25, 2012 9:24:33 AM org.apache.catalina.core.ApplicationContext log 
INFO: Closing Spring root WebApplicationContext 
Apr 25, 2012 9:24:33 AM org.apache.coyote.http11.Http11Protocol start 
INFO: Starting Coyote HTTP/1.1 on http-8080 
Apr 25, 2012 9:24:33 AM org.apache.jk.common.ChannelSocket init 
INFO: JK: ajp13 listening on /0.0.0.0:8009 
Apr 25, 2012 9:24:33 AM org.apache.jk.server.JkMain start 
INFO: Jk running ID=0 time=0/15 config=null 
Apr 25, 2012 9:24:33 AM org.apache.catalina.startup.Catalina start 
INFO: Server startup in 855 ms 

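Sorry this is so long, but I just wanted to put as much out there as possible.

As @smp7d pointed out, CAS may not be the best fit for this situation. I found this,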

Securing REST and JSON

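This is exactly what this web service is: a REST-based service using JSON, and it will be internal, hosted and accessed internally only. Now I guess the question has shifted from using CAS to what should we do, and what is the standard?

Thanks

Answers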

0

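It seems you are asking for reference material...

I can tell you that I doubt this exists at this time. When I did a similar integration, I had to go through the code to really understand how to set it up correctly for our environment. (Since it is all open source, this should not be a problem for you.) We then created internal documentation based on what we learned. This is going to be one of those situations where you need to avoid trying to piece together a working implementation from existing configurations. Someone needs to fully understand what is actually going on.

As for having the web service participate in CAS authentication, you would need to implement something like the Restlet piece: https://wiki.jasig.org/display/CASUM/RESTful+API

I suggest you evaluate your system thoroughly to decide whether you really need such a solution. If your "web service" calls are coming from a browser, CAS will handle it with the normal setup (though you will have to get creative to handle the unauthenticated case, since you will not be redirecting to the login page).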
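
One way to handle the unauthenticated case mentioned at the end of the answer, as an added example that is not part of the original answer or of Spring Security itself: an entry point that answers REST/JSON calls with 401 and leaves the CAS login redirect to ordinary page requests. The class name `ApiAwareCasEntryPoint`, the package, and the header heuristic in `isApiCall` are assumptions.

```java
package example.security; // hypothetical package name

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/** Hypothetical wrapper around the casAuthenticationEntryPoint bean from the question. */
public class ApiAwareCasEntryPoint implements AuthenticationEntryPoint {

    private final AuthenticationEntryPoint casEntryPoint;

    public ApiAwareCasEntryPoint(AuthenticationEntryPoint casEntryPoint) {
        this.casEntryPoint = casEntryPoint;
    }

    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        if (isApiCall(request)) {
            // A script cannot follow a 302 to the CAS login form and type credentials,
            // so fail closed with a status the caller can act on.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.setHeader("Cache-Control", "no-store");
            response.getWriter().write("{\"error\":\"unauthenticated\"}");
            return;
        }
        // Interactive navigation: keep the normal redirect to the CAS login page.
        casEntryPoint.commence(request, response, authException);
    }

    /** Assumed heuristic: XHR marker header, or a JSON Accept header without text/html. */
    static boolean isApiCall(HttpServletRequest request) {
        String requestedWith = request.getHeader("X-Requested-With");
        String accept = request.getHeader("Accept");
        boolean xhr = "XMLHttpRequest".equalsIgnoreCase(requestedWith);
        String a = accept == null ? "" : accept.toLowerCase();
        boolean wantsJson = a.contains("application/json") && !a.contains("text/html");
        return xhr || wantsJson;
    }
}
```

To use it, declare this class as a bean with `casAuthenticationEntryPoint` as its constructor argument and point `entry-point-ref` on `<security:http>` at the new bean. The headers are only used to choose the response format; the `intercept-url` rule still decides whether the request is authorized.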