CAS实现第三方免登录

(本文的介绍是基于CAS4.0的版本)

今天介绍一下单点登录实现无页面的免登,场景是在微信公众号端(第三方登录),用户点击微信授权后,自动登录企业系统。主要涉及的系统,以及交互如下所示:

登录流程

1

逻辑实现

上面的流程看似复杂,但是我们可以暂时不用看usercenter(用户中心)和微信服务器的交互。这里面主要说一下CAS免登录的接口是如何实现的。还需要说明一点的是,CAS只管登录相关的事情,与第三方系统的交互全部都在usercenter中进行。

HugeAutoLoginController

/**
* 第三方免登录
*
* Created by xuefeihu on 18/4/27.
*
*/
public class HugeAutoLoginController extends AbstractController {

private static final Logger LOGGER = LoggerFactory.getLogger(HugeAutoLoginController.class);

private CentralAuthenticationService centralAuthenticationService;
private CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;
private Md5PasswordEncoder md5PasswordEncoder;
private String casKey = "helloworld";
/**
* 用户中心微信认证URL
*/
private String userWechatUrl;

@Override
protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
try {
String username = request.getParameter("username");
String sign = request.getParameter("sign");
final String service = request.getParameter("service");

LOGGER.info("username:" + username +" sign:" +sign+ " service:" +service);

String redirectUrl = userWechatUrl + "?service=" + service;
if (StringUtils.isEmpty(username) || StringUtils.isEmpty(sign) || StringUtils.isEmpty(service)) { // 未通过第三方授权时,跳至usercenter
return new ModelAndView("redirect:" + redirectUrl);
}

LOGGER.info(" my sign+ " + md5PasswordEncoder.encodePassword(username, casKey));
if (!sign.equals(md5PasswordEncoder.encodePassword(username, casKey))) {// 免登接口验证失败,也跳转至usercenter
return new ModelAndView("redirect:" + redirectUrl);
}

HugeCredential credential = new HugeCredential();
credential.setUsername(username);
credential.setAutoLogin(true);
// 生成Ticket
String tgt = centralAuthenticationService.createTicketGrantingTicket(credential);
ticketGrantingTicketCookieGenerator.addCookie(request, response, tgt);
final String serviceTicketId = centralAuthenticationService.grantServiceTicket(
tgt, new SimpleWebApplicationServiceImpl(service), credential);

LOGGER.info("自动登录成功!");
return new ModelAndView("redirect:" + service + "?ticket=" + serviceTicketId);// 需要返回serviceTicket,否则跳转不到cas client的目标页面
} catch (Exception e) {
logger.error("自动登录内部异常, e={}", e);
}
return null;
}

public void setCasKey(String casKey) {
this.casKey = casKey;
}

public void setCentralAuthenticationService(CentralAuthenticationService centralAuthenticationService) {
this.centralAuthenticationService = centralAuthenticationService;
}

public void setMd5PasswordEncoder(Md5PasswordEncoder md5PasswordEncoder) {
this.md5PasswordEncoder = md5PasswordEncoder;
}

public void setTicketGrantingTicketCookieGenerator(CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator) {
this.ticketGrantingTicketCookieGenerator = ticketGrantingTicketCookieGenerator;
}

public void setUserWechatUrl(String userWechatUrl) {
this.userWechatUrl = userWechatUrl;
}
}

cas-servlet.xml

<!-- 自定义 Handler Mapping -->
<bean id="handlerMappingB" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props>
<prop key="/hugeAutoLogin">hugeAutoLoginController</prop>
</props>
</property>
<property name="interceptors">
<list>
<ref bean="localeChangeInterceptor" />
</list>
</property>
</bean>

...

<!-- 第三方免登录Controller -->
<bean id="hugeAutoLoginController" class="com.moguhu.cas.controller.HugeAutoLoginController">
<property name="centralAuthenticationService" ref="centralAuthenticationService" />
<property name="ticketGrantingTicketCookieGenerator" ref="ticketGrantingTicketCookieGenerator" />
<property name="md5PasswordEncoder" ref="md5PasswordEncoder" />
<property name="userWechatUrl" value="${usercenter.wechat.authorize}" />
</bean>

web.xml

最后在web.xml中暴露接口:

<servlet-mapping>
<servlet-name>cas</servlet-name>
<url-pattern>/hugeAutoLogin</url-pattern>
</servlet-mapping>

来源: http://moguhu.com/article/detail?articleId=83