
Spring Security结合CAS的配置

在我的几个项目里需要用到单点登录,我选用了 CAS。下面给出一个一般性的 Spring Security 3.0 结合 CAS 的配置文件(文件里的 ${...} 占位符需要由另行声明的 PropertyPlaceholderConfigurer 解析,本文件本身没有声明它)。

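<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.0 + CAS client configuration.

  Every ${...} placeholder must be resolved by a PropertyPlaceholderConfigurer
  (or <context:property-placeholder/>) declared elsewhere; this file does not
  declare one.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">

  <!--
    Unauthenticated requests are sent to the CAS login page by
    casAuthenticationEntryPoint. auto-config is deliberately not enabled: it
    would add form-login and HTTP Basic filters that the CAS provider cannot
    satisfy, i.e. extra attack surface for no benefit. Logout is therefore
    declared explicitly.

    path-type="regex": each pattern is matched against the full (container
    decoded) request path and the first matching rule wins, so the most
    specific rules come first. The wildcards use ".*" rather than "\S*":
    "\S*" does not match a path containing whitespace (e.g. "/admin/a b" once
    the container decodes %20), so such a URL would fall through every rule
    and be left unprotected.
  -->
  <security:http entry-point-ref="casAuthenticationEntryPoint" path-type="regex">
    <security:port-mappings>
      <security:port-mapping http="${portHttp}" https="${portHttps}"/>
    </security:port-mappings>
    <!-- Logout is triggered via /j_spring_security_logout (Spring Security 3.0 default). -->
    <security:logout success-handler-ref="simpleUrlLogoutSuccessHandler" />

    <!--
      Bypasses the entire security filter chain (no authentication and no
      HTTPS enforcement) for the web-service API. Only keep this if that
      endpoint is protected by other means. filters="none" is 3.0 syntax; in
      3.1 and later use a separate <security:http pattern="..." security="none"/>.
    -->
    <security:intercept-url pattern="/api/ws/.*" filters="none" />

    <!-- Everything else must be served over HTTPS: CAS tickets travel in the URL. -->
    <security:intercept-url pattern="/.*" requires-channel="https" />
    <security:intercept-url pattern="/admin/.*" access="ROLE_ADMIN" />
    <security:intercept-url pattern="/.*" access="ROLE_USER, ROLE_ADMIN" />

    <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter" />
  </security:http>

  <!--
    Entry point only: when a request is not authenticated it is redirected to
    the CAS login URL (the CAS server's https .../login), which afterwards
    sends the browser back to the "service" URL declared in serviceProperties
    together with a service ticket. It does not process tickets itself.
  -->
  <bean id="casAuthenticationEntryPoint"
        class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="${casAuthenticationEntryPoint.loginUrl}" />
    <property name="serviceProperties" ref="serviceProperties" />
  </bean>

  <!--
    Handles the redirect back from the CAS server: picks up the service
    ticket and hands it to the authentication manager for validation. Its
    processing URL defaults to /j_spring_cas_security_check, which has to be
    the path used in serviceProperties.service.
  -->
  <bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
  </bean>

  <!--
    The namespace creates an AuthenticationManager anyway, but the CAS filter
    needs an explicit reference, hence the alias. Only the CAS provider is
    registered; there is no password-based provider in this context.
  -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
  </security:authentication-manager>

  <!--
    Validates the service ticket against the CAS server and then loads the
    local account and authorities for the username the CAS server asserted.
    - casServerUrlPrefix must be an https URL. The validator trusts whatever
      this server answers, so over plain http anyone on the network path could
      forge a successful validation response.
    - Cas20ServiceTicketValidator accepts plain service tickets only; the CAS
      client ships a proxy-capable validator if proxy tickets are required.
    - key identifies tokens created by this provider; give each application
      its own value.
  -->
  <bean id="casAuthenticationProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="serviceProperties" ref="serviceProperties" />
    <property name="authenticationUserDetailsService" ref="authenticationUserDetailsService" />
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="${casAuthenticationProvider.casServerUrlPrefix}" />
      </bean>
    </property>
    <property name="key" value="${casAuthenticationProvider.key}" />
  </bean>

  <!--
    Identifies this application to the CAS server.
    - service: the exact https URL the CAS server redirects back to, i.e.
      https://host:port/context/j_spring_cas_security_check, which is the URL
      casAuthenticationFilter listens on. Depending on the CAS server's
      service registry it must also be registered there, otherwise ticket
      validation fails.
    - sendRenew: defaults to false. Set it to true for sensitive applications
      so that the CAS server always asks for credentials instead of reusing an
      existing single sign-on session.
  -->
  <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <property name="service" value="${serviceProperties.service}" />
  </bean>

  <!--
    Authentication is done by CAS. This wrapper only maps the CAS-asserted
    username to the local account record and its authorities; the password
    column of the users table is loaded but never verified here.
  -->
  <bean id="authenticationUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
    <property name="userDetailsService" ref="jdbcUserDetailsService" />
  </bean>
  <!--
    authorities-by-username-query is a SELECT returning (username, authority)
    with a single "?" placeholder for the username; keep it parameterised,
    never build it from request data. The default users-by-username query is
    used unchanged.
  -->
  <security:jdbc-user-service data-source-ref="ucDataSource" id="jdbcUserDetailsService" authorities-by-username-query="${jdbcUserDetailsService.authoritiesByUsernameQuery}" />

  <!--
    After local logout always redirect to the configured URL;
    alwaysUseDefaultTargetUrl makes the handler ignore any request-supplied
    redirect parameter, which prevents an open redirect. Note that this only
    ends the application session. To end the CAS single sign-on session as
    well, point defaultTargetUrl at the CAS server's logout URL; otherwise the
    next protected request may silently log the user back in.
  -->
  <bean id="simpleUrlLogoutSuccessHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
    <property name="alwaysUseDefaultTargetUrl" value="true" />
    <property name="defaultTargetUrl" value="${simpleUrlLogoutSuccessHandler.defaultTargetUrl}" />
  </bean>

</beans>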

附加说明:

这里我使用的是数据库保存授权信息的方式,因此使用了 jdbc-user-service(在我的项目里数据库名叫“uc”,下面给出数据库结构)。注意:接入 CAS 后认证由 CAS 服务器完成,users 表里的 password 列不会被本应用校验;persistent_logins 表是 remember-me 用的,上面的配置并没有开启 remember-me,所以它暂时用不到。
-- Local account table read by jdbc-user-service.
-- Under CAS the password column is loaded but never verified by this application.
-- DROP is destructive: run only on a fresh schema.
DROP TABLE IF EXISTS `uc`.`users`;
CREATE TABLE `uc`.`users` (
  `username` varchar(32)  NOT NULL,
  `password` varchar(255) NOT NULL DEFAULT '',
  `enabled`  bit(1)       NOT NULL DEFAULT b'1',
  PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- Authorities per user and per application; the extra application_context
-- column is why the config overrides authorities-by-username-query.
-- There is no foreign key to users, so orphan rows are possible.
DROP TABLE IF EXISTS `uc`.`authorities`;
CREATE TABLE `uc`.`authorities` (
  `username`            varchar(32) NOT NULL,
  `application_context` varchar(32) NOT NULL,
  `authority`           varchar(32) NOT NULL,
  PRIMARY KEY (`username`, `authority`, `application_context`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- Remember-me token store. Unused by the configuration above, which declares
-- no <security:remember-me>; keep it only if remember-me is enabled.
DROP TABLE IF EXISTS `uc`.`persistent_logins`;
CREATE TABLE `uc`.`persistent_logins` (
  `username`  varchar(32)  NOT NULL,
  `series`    varchar(255) NOT NULL,
  `token`     varchar(255) NOT NULL,
  `last_used` datetime     NOT NULL,
  PRIMARY KEY (`series`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

data-source-ref="ucDataSource" 里面的 ucDataSource 是我项目里 Spring Security 保存授权信息的数据库的数据源,到时候换成你自己的就行。

顺便吐槽一下这个代码高亮,每一行就不能长点吗,弄得代码都挤成一坨了。