As of CAS 4, the SAML 1.1 ticket validation response and the SAML2 Google Accounts integration are optional components provided by the cas-server-support-saml module. Although both features require the cas-server-support-saml module, they can be deployed independently of each other.
To enable either feature, the cas-server-support-saml module dependency must be added to the CAS Server Maven Overlay pom.xml file:
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-saml</artifactId>
  <version>4.0.0</version>
</dependency>
SAML 1.1 Ticket Validation Response Configuration
In addition to the cas-server-support-saml module dependency, the following steps are required to enable the SAML 1.1 ticket validation response. They are not needed for the SAML2 Google Accounts integration.
Step 1: Define the samlValidateController bean and map it to the /samlValidate URL through the handlerMappingC bean in cas-servlet.xml:
<bean id="samlValidateController" class="org.jasig.cas.web.ServiceValidateController" p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification" p:centralAuthenticationService-ref="centralAuthenticationService" p:proxyHandler-ref="proxy20Handler" p:argumentExtractor-ref="samlArgumentExtractor" p:successView="casSamlServiceSuccessView" p:failureView="casSamlServiceFailureView"/>
<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"> <property name="mappings"> <props> ... <prop key="/samlValidate">samlValidateController</prop> ...
Step 2: Add a servlet mapping for the /samlValidate URL in the web.xml file:
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/samlValidate</url-pattern>
</servlet-mapping>
Step 3: Add the appropriate SAML argument extractor in the argumentExtractorsConfiguration.xml file:
<bean id="samlArgumentExtractor" class="org.jasig.cas.support.saml.web.support.SamlArgumentExtractor" />
<util:list id="argumentExtractors"> <ref bean="casArgumentExtractor" /> <ref bean="samlArgumentExtractor" /> </util:list>
Step 4: Add the SAML ID generator in the uniqueIdGenerators.xml file:
<bean id="samlServiceTicketUniqueIdGenerator" class="org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator"> <constructor-arg index="0" value="https://localhost:8443" /> </bean>
<util:map id="uniqueIdGeneratorsMap"> <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.saml.authentication.principal.SamlService" value-ref="samlServiceTicketUniqueIdGenerator" /> </util:map>
Step 5: Add the SAML views in the cas-servlet.xml file:
<bean id="viewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver" p:order="0"> <property name="basenames"> <list> <value>${cas.viewResolver.basename}</value> <value>protocol_views</value> <value>saml_views</value> </list> </property> </bean>
SAML2 Google Accounts Integration
In addition to the cas-server-support-saml module dependency, the following 2 steps are required to enable the SAML2 Google Accounts integration. They are not needed for the SAML 1.1 ticket validation response.
Step 1: Add the appropriate SAML argument extractor in the argumentExtractorsConfiguration.xml file:
<bean id="googleAccountsArgumentExtractor" class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor" p:privateKey-ref="privateKeyFactoryBean" p:publicKey-ref="publicKeyFactoryBean" p:httpClient-ref="httpClient" />
<util:list id="argumentExtractors"> <ref bean="casArgumentExtractor" /> <ref bean="googleAccountsArgumentExtractor" /> </util:list>
Step 2: Add a new generator entry to the uniqueIdGeneratorsMap bean in the uniqueIdGenerators.xml file:
<util:map id="uniqueIdGeneratorsMap"> <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService" value-ref="serviceTicketUniqueIdGenerator" /> </util:map>