構造CAS客戶端的登入Servlet
根據CAS客戶端的Filter我們可以改造出一個具有同樣驗證功能的Servlet出來,改造後的程式碼如下:
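/**
 * Servlet-form login entry point for a CAS client, adapted from the CAS client filter.
 *
 * <p>A request without a {@code ticket} parameter is redirected to the CAS login URL.
 * A request carrying a ticket has that ticket validated against the CAS validate URL,
 * and the resulting username is handed to the configured {@link TrustHandler} to log
 * the user in to the local application.
 *
 * <p>All configuration is read from servlet init parameters in {@link #init(ServletConfig)}.
 */
public class CasLogin extends HttpServlet {

    // *********************************************************************
    // Constants

    /** Session attribute in which the username is stored */
    public final static String CAS_FILTER_USER = "edu.yale.its.tp.cas.client.filter.user";

    // *********************************************************************
    // Configuration (populated once in init)

    private ServletConfig config;
    private String casLogin, casValidate, casAuthorizedProxy, casServiceUrl, casRenew, casServerName;
    /** Target of the redirect when the local login fails. */
    private String redirectURL;
    /** Target of the redirect when the local login succeeds. */
    private String desktopURL;
    private AuthHandler handler;

    /**
     * Instantiates the authentication handler and reads the CAS settings.
     *
     * @param config servlet configuration supplying the init parameters
     * @throws ServletException if the handler parameter is missing, the handler class
     *         cannot be loaded or is not a {@link TrustHandler}, the success code is not
     *         an integer, or a required URL parameter is absent
     */
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        this.config = config;
        try {
            // The handler class name is loaded reflectively, so it must only ever come
            // from the deployment descriptor, never from request data.
            String handlerName = config.getInitParameter("com.longshine.sso.cas.authHandler");
            if (handlerName == null) {
                throw new ServletException(" [啟動異常] 引數 com.longshine.sso.cas.authHandler 搜尋失敗!");
            }
            // Check the type before casting so a wrong class yields a clear startup
            // error instead of a ClassCastException.
            Object instance = Class.forName(handlerName).newInstance();
            if (!(instance instanceof AuthHandler) || !(instance instanceof TrustHandler)) {
                throw new ServletException("unrecognized handler type: " + handlerName);
            }
            handler = (AuthHandler) instance;

            String suc = config.getInitParameter("edu.yale.its.tp.cas.casLoginSuccessCode");
            int successCode;
            try {
                successCode = Integer.parseInt(suc);
            } catch (NumberFormatException ex) {
                // Covers both a missing parameter (null) and a non-numeric value.
                throw new ServletException(
                    "edu.yale.its.tp.cas.casLoginSuccessCode must be an integer, got: " + suc, ex);
            }
            AuthCodeRepository.updateSucCode(successCode, handler);
        } catch (InstantiationException ex) {
            throw new ServletException(ex.toString(), ex);
        } catch (ClassNotFoundException ex) {
            throw new ServletException(ex.toString(), ex);
        } catch (IllegalAccessException ex) {
            throw new ServletException(ex.toString(), ex);
        }

        // CAS endpoints and local redirect targets
        this.casLogin = config.getInitParameter("edu.yale.its.tp.cas.casLogin");
        this.casValidate = config.getInitParameter("edu.yale.its.tp.cas.casValidate");
        this.casServerName = config.getInitParameter("edu.yale.its.tp.cas.serverName");
        this.casServiceUrl = config.getInitParameter("edu.yale.its.tp.cas.client.filter.serviceUrl");
        this.casAuthorizedProxy = config.getInitParameter("edu.yale.its.tp.cas.client.filter.authorizedProxy");
        this.casRenew = config.getInitParameter("edu.yale.its.tp.cas.client.filter.renew");
        this.redirectURL = config.getInitParameter("edu.yale.its.tp.cas.redirectURL");
        this.desktopURL = config.getInitParameter("edu.yale.its.tp.cas.desktopURL");

        if (casLogin == null || casValidate == null
                || casServerName == null || redirectURL == null
                || desktopURL == null) {
            throw new ServletException("[啟動異常] 請配置如下必要引數: edu.yale.its.tp.cas.casLogin, "
                + "-casValidate, -serverName, -redirectURL, and -desktopURL ");
        }
    }

    // *********************************************************************
    // Request handling

    /** Handles POST exactly like GET. */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    /**
     * Logs the caller in through CAS.
     *
     * <p>If the session already holds a CAS username, that user is logged in to the
     * local system directly. Otherwise a missing ticket triggers a redirect to the CAS
     * login URL, and a present ticket is validated before the local login is attempted.
     *
     * @throws ServletException if ticket validation fails or yields no user
     * @throws IOException if a redirect cannot be sent
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // avoid caching (in the stupidly numerous ways we must)
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Cache-Control", "no-store");
        response.setDateHeader("Expires", -1);

        // getSession() creates a session when none exists, so it is never null here.
        HttpSession session = request.getSession();

        // if our attribute's already present, skip CAS and log in locally
        Object knownUser = session.getAttribute(CAS_FILTER_USER);
        if (knownUser != null) {
            loginToClientService(request, response, knownUser.toString());
            return;
        }

        // otherwise, we need to authenticate via CAS
        String ticket = request.getParameter("ticket");

        // no ticket? abort request processing and redirect
        if (ticket == null || ticket.equals("")) {
            if (casLogin == null) {
                throw new ServletException(
                    "When CasLogin receives a request without a 'ticket' "
                    + "parameter, it needs the edu.yale.its.tp.cas.casLogin "
                    + "init parameter");
            }
            String renewSuffix =
                (casRenew != null && !casRenew.equals("")) ? "&renew=" + casRenew : "";
            response.sendRedirect(casLogin + "?service=" + getService(request) + renewSuffix);
            return;
        }

        // Yay, ticket! Validate it.
        String user = getAuthenticatedUser(request);
        if (user == null) {
            throw new ServletException("Unexpected CAS authentication error");
        }

        // NOTE(review): the session id that existed before authentication is kept as-is.
        // Rotating it here (invalidate the old session and create a new one, or
        // changeSessionId() on Servlet 3.1+) would protect against session fixation;
        // confirm no pre-login session state is needed before adding that.
        session.setAttribute(CAS_FILTER_USER, user);
        // log the CAS user in to the local system
        loginToClientService(request, response, user);
    }

    // *********************************************************************
    // Utility methods

    /**
     * Logs in to the CAS client system with a username already verified by the CAS server.
     *
     * <p>On the configured success code the browser is redirected to the desktop URL with
     * the request's query parameters (minus the CAS ticket); on any other code it is
     * redirected to the failure URL with {@code errCode=<code>}.
     *
     * @param request the current request
     * @param response the current response
     * @param username the authenticated username
     * @throws IOException if the redirect cannot be sent
     * @throws ServletException declared for the handler call path
     */
    private void loginToClientService(HttpServletRequest request,
            HttpServletResponse response, String username)
            throws IOException, ServletException {
        TrustHandler tHandler = (TrustHandler) handler;
        int code = tHandler.loginWithUsername(request, response, username);
        if (code == AuthCodeRepository.getSucCode()) {
            // Success: go to the desktop, carrying over the original query parameters.
            String module = withoutTicket(request.getQueryString());
            // getQueryString() is null when the request has no query; appending it
            // blindly would produce "...?null".
            response.sendRedirect(module.length() == 0 ? desktopURL : desktopURL + "?" + module);
        } else {
            // Failure: go to the error page with the handler's error code.
            response.sendRedirect(redirectURL + "?" + "errCode=" + Integer.toString(code));
        }
    }

    /**
     * Returns the raw query string without any {@code ticket} parameter.
     *
     * <p>The ticket has already been validated by the time the user is redirected, so
     * there is no reason to repeat it in the browser's address bar, history or Referer.
     *
     * @param query the raw query string, possibly {@code null}
     * @return the remaining parameters joined by {@code &}, or an empty string
     */
    private static String withoutTicket(String query) {
        if (query == null || query.length() == 0) {
            return "";
        }
        StringBuilder kept = new StringBuilder();
        StringTokenizer params = new StringTokenizer(query, "&");
        while (params.hasMoreTokens()) {
            String param = params.nextToken();
            if (param.equals("ticket") || param.startsWith("ticket=")) {
                continue;
            }
            if (kept.length() > 0) {
                kept.append('&');
            }
            kept.append(param);
        }
        return kept.toString();
    }

    /**
     * Converts a ticket parameter to a username, taking into account an
     * optionally configured trusted proxy in the tier immediately in front
     * of us.
     *
     * @param request the request carrying the {@code ticket} parameter
     * @return the username reported by the validator
     * @throws ServletException if validation fails, the ticket was proxied by a proxy
     *         that is not in the authorized list, or the validation call itself fails
     */
    private String getAuthenticatedUser(HttpServletRequest request)
            throws ServletException {
        ProxyTicketValidator pv = null;
        try {
            pv = new ProxyTicketValidator();
            pv.setCasValidateUrl(casValidate);
            pv.setServiceTicket(request.getParameter("ticket"));
            pv.setService(getService(request));
            pv.setRenew(Boolean.valueOf(casRenew).booleanValue());
            pv.validate();

            if (!pv.isAuthenticationSuccesful()) {
                throw new ServletException(
                    "CAS authentication error: " + pv.getErrorCode() + ": " + pv.getErrorMessage());
            }

            if (pv.getProxyList().size() != 0) {
                // ticket was proxied: only accept it from an explicitly authorized proxy
                if (casAuthorizedProxy == null) {
                    throw new ServletException("this page does not accept proxied tickets");
                }
                // Only the first entry of the proxy list is compared with the
                // whitespace-separated list of authorized proxies.
                String proxy = (String) pv.getProxyList().get(0);
                boolean authorized = false;
                StringTokenizer casProxies = new StringTokenizer(casAuthorizedProxy);
                while (casProxies.hasMoreTokens() && !authorized) {
                    authorized = proxy.equals(casProxies.nextToken());
                }
                if (!authorized) {
                    throw new ServletException(
                        "unauthorized top-level proxy: '" + proxy + "'");
                }
            }
            return pv.getUser();
        } catch (SAXException ex) {
            // Keep the raw CAS response in the server log rather than in the exception
            // message, which a container may render on its error page.
            String xmlResponse = "";
            if (pv != null) {
                xmlResponse = pv.getResponse();
            }
            log("CAS validation response could not be parsed: " + xmlResponse, ex);
            throw new ServletException(ex.toString(), ex);
        } catch (ParserConfigurationException ex) {
            throw new ServletException(ex);
        } catch (IOException ex) {
            throw new ServletException(ex);
        }
    }

    /**
     * Returns either the configured service or figures it out for the current
     * request. The returned service is URL-encoded.
     *
     * @param request the current request, used only when no service URL is configured
     * @return the URL-encoded service identifier
     * @throws ServletException if neither a service URL nor a server name is configured
     */
    private String getService(HttpServletRequest request)
            throws ServletException {
        // ensure we have a server name or service name
        if (casServerName == null && casServiceUrl == null) {
            throw new ServletException(
                "need one of the following configuration "
                + "parameters: edu.yale.its.tp.cas.client.filter.serviceUrl or "
                + "edu.yale.its.tp.cas.serverName");
        }

        // otherwise, return our best guess at the service
        if (casServiceUrl == null) {
            return Util.getService(request, casServerName);
        }

        // use the given string if it's provided; encode with an explicit charset,
        // since the one-argument encode() depends on the platform default.
        try {
            return URLEncoder.encode(casServiceUrl, "UTF-8");
        } catch (java.io.UnsupportedEncodingException ex) {
            throw new ServletException(ex);
        }
    }
}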
另外,我們僅需要配置一個具有 loginWithUsername(request, response, username) 函式的介面,以及此Servlet的啟動相關引數,就可以實現一個Servlet形式的登入入口。這樣我們在保留此應用原有登入入口的條件下可以增加CAS的SSO功能,不影響原有系統的使用,對原有系統也無需做過多的改動。
[@more@]來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/8700374/viewspace-1005583/,如需轉載,請註明出處,否則將追究法律責任。