最近在弄springsecurity+cas实现单点登录,但配置完成测试,去发现在cas server端登录成功之后,竟出现了循环重定向问题,我springsecurity配置如下:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Spring-Security 的配置 -->
<!-- 配置不过滤的资源(静态资源及登录相关) -->
<security:http pattern="/static/**" security="none"></security:http>
<!-- 注意use-expressions=true.表示开启表达式,否则表达式将不可用. /access-denied.htm , auto-config="true" use-expressions="true"-->
<security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true" use-expressions="true" access-denied-page="/user/index.htm">
<!--允许所有人访问 access="permitAll"-->
<security:intercept-url pattern="/login.htm" access="permitAll"/>
<security:intercept-url pattern="/regist*.htm" access="permitAll" />
<security:intercept-url pattern="/upload/**" access="permitAll" />
<!--允许IS_AUTHENTICATED_ANONYMOUSLY匿名访问
<security:intercept-url pattern="/index.htm" access="IS_AUTHENTICATED_ANONYMOUSLY" /> -->
<!--允许USER权限访问 hasRole('USER')-->
<security:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
<!--允许USER权限访问-->
<security:intercept-url pattern="/exam/**" access="hasRole('ROLE_USER')" />
<!--允许ROLE权限访问-->
<security:intercept-url pattern="/auth/**" access="hasRole('ROLE_ROLE')" />
<!--允许ADMIN权限访问所有资源-->
<security:intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
<!--**** cas单点 .2015-06-23 by cyj ****-->
<security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"></security:custom-filter>
<!--**** cas单点 .2015-06-23 by cyj ****-->
</security:http>
<!--***************************************** CAS TEST 2015-06-23 . by cyj***************************************** -->
<!--
The CAS filter handles the redirect from the CAS server and starts the ticket validation.
-->
<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"></property>
<property name="authenticationSuccessHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<property name="alwaysUseDefaultTargetUrl">
<value>true</value>
</property>
<property name="defaultTargetUrl">
<value>http://localhost:8080/user/index.htm</value>
</property>
</bean>
</property>
</bean>
<!--**** 2015-06-23,CAS TEST ****-->
<security:authentication-manager alias="authenticationManager" erase-credentials="false">
<security:authentication-provider ref="casAuthenticationProvider">
</security:authentication-provider>
</security:authentication-manager>
<!--**** 2015-06-23,CAS TEST ****-->
<!--
Handles the CAS ticket processing.
-->
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService" ref="authenticationUserDetailsService"/>
<property name="serviceProperties" ref="serviceProperties"></property>
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://localhost:8443/cas-server" /> <!-- //SSO验证地址 -->
</bean>
</property>
<property name="key" value="cas123"></property>
</bean>
<!-- authorities对应 CAS server的 登录属性, 在此设置到spirng security中,用于spring security的验证
<bean id="authenticationUserDetailsService" class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService">
<constructor-arg>
<array>
<value>authorities</value>
</array>
</constructor-arg>
</bean>
-->
<bean id="authenticationUserDetailsService" class="com.bms.comm.cas.MyAuthenticationUserDetailsService">
<!-- <constructor-arg>
<array>
<value>authorities</value>
</array>
</constructor-arg> -->
<property name="attributes">
<array>
<value>authorities</value>
</array>
</property>
</bean>
<!--
This section is used to configure CAS. The service is the
actual redirect that will be triggered after the CAS login sequence.
//http://localhost:8088/SpringSecurity 具体应用
// j_spring_cas_security_check spring的虚拟URL,此标志标识使用 CAS authentication upon return from CAS SSO login. -->
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="https://localhost:8447/j_spring_cas_security_check"></property>
<property name="sendRenew" value="false"></property>
</bean>
<!--
The entryPoint intercepts all the CAS authentication requests.
It redirects to the CAS loginUrl for the CAS login page.
通过上述的配置,则具体应用在使用的时候,用户认证和授权则无需过问,只需在应用中配置相关的角色访问权限即可。即,只需对下面的红色部分进行修改,
即可以完成应用的认证和授权工作。大大简化了应用和认证与授权的剥离工作
-->
<bean id="casAuthenticationEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="https://localhost:8443/cas-server/login"></property> <!-- //SSO登录地址 -->
<property name="serviceProperties" ref="serviceProperties"></property>
</bean>
</beans>
请大牛帮我看下,看我的配置哪有问题?谢谢!!