pentaho5 CAS 单点登录
项目中添加两个jar包:cas-client-core-3.1.5.jar 和 spring-security-cas-client-2.0.5.RELEASE.jar
并修改项目下的applicationContext-spring-security.xml 文件,可以实现CAS单点登录:
以下出现“http://cas.grandsoft.com.cn” 请替换成自己的CAS地址。
<?xml version="1.0" encoding="UTF-8"?>
<!--+
| Application context containing FilterChainProxy.
+-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:pen="http://www.pentaho.com/schema/pentaho-system"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.pentaho.com/schema/pentaho-system
http://www.pentaho.com/schema/pentaho-system.xsd">
<!-- ======================== FILTER CHAIN ======================= -->
<!--
if you wish to use channel security, add "channelProcessingFilter," in
front of "httpSessionContextIntegrationFilter" in the list below
-->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
<![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/webservices/**=securityContextHolderAwareRequestFilterForWS,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS
/api/**=securityContextHolderAwareRequestFilterForWS,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS
/plugin/**=securityContextHolderAwareRequestFilterForWS,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS
/**=securityContextHolderAwareRequestFilter,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,casProcessingFilter,logoutFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
,casSingleSignOutFilter]]>
</value>
</property>
</bean>
<!-- ======================== AUTHENTICATION ======================= -->
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter" autowire="default" dependency-check="default" lazy-init="default">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="authenticationFailureUrl" value="/Home"/>
<property name="defaultTargetUrl" value="/Home"/>
<property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
</bean>
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
<property name="userDetailsService">
<ref bean="userDetailsService"/>
</property>
<property name="serviceProperties">
<ref local="serviceProperties"/>
</property>
<property name="ticketValidator">
<ref local="ticketValidator"/>
</property>
<property name="key" value="my_password_for_this_auth_provider_only"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="foobar" />
</bean>
<bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" autowire="default" dependency-check="default" lazy-init="default">
<constructor-arg value="http://cas.grandsoft.com.cn" />
</bean>
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager" autowire="default" dependency-check="default" lazy-init="default">
<property name="providers">
<list>
<!--ref bean="daoAuthenticationProvider" /-->
<ref bean="anonymousAuthenticationProvider"/>
<ref bean="casAuthenticationProvider"/>
</list>
</property>
</bean>
<!-- Automatically receives AuthenticationEvent messages -->
<bean id="loggerListener"
class="org.springframework.security.event.authentication.LoggerListener" />
<bean id="basicProcessingFilter"
class="org.pentaho.platform.web.http.security.PentahoBasicProcessingFilter">
<property name="authenticationManager">
<ref local="authenticationManager" />
</property>
<property name="authenticationEntryPoint">
<ref local="basicProcessingFilterEntryPoint" />
</property>
</bean>
<!-- <bean id="basicAuthPostFilter"
class="org.pentaho.platform.web.http.security.PentahoBasicPostProcessingFilter">
</bean> -->
<bean id="basicProcessingFilterEntryPoint"
class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
<property name="realmName" value="Pentaho Realm" />
</bean>
<!-- custom Pentaho begin -->
<!-- replaces Spring's default ApplicationEventMulticaster; do not change bean id -->
<bean id="applicationEventMulticaster" class="org.pentaho.platform.engine.security.event.OrderedApplicationEventMulticaster" />
<!-- next two beans replace SecurityStartupFilter -->
<bean class="org.pentaho.platform.engine.security.event.PentahoAuthenticationSuccessListener" />
<bean class="org.pentaho.platform.engine.security.event.PentahoSessionStartupAuthenticationSuccessListener" />
<bean id="httpSessionReuseDetectionFilter"
class="org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter">
<property name="filterProcessesUrl" value="/j_spring_security_check" />
<property name="sessionReuseDetectedUrl" value="/Login?login_error=2" />
</bean>
<bean id="requestParameterProcessingFilter"
class="org.pentaho.platform.web.http.security.RequestParameterAuthenticationFilter">
<property name="authenticationManager">
<ref local="authenticationManager" />
</property>
<property name="authenticationEntryPoint">
<ref local="requestParameterProcessingFilterEntryPoint" />
</property>
</bean>
<bean id="requestParameterProcessingFilterEntryPoint"
class="org.pentaho.platform.web.http.security.RequestParameterFilterEntryPoint" />
<bean id="httpSessionPentahoSessionContextIntegrationFilter"
class="org.pentaho.platform.web.http.filters.HttpSessionPentahoSessionIntegrationFilter" />
<!-- custom Pentaho end -->
<bean id="anonymousProcessingFilter"
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="foobar" />
<property name="userAttribute" value="anonymousUser,Anonymous" />
</bean>
<bean id="httpSessionContextIntegrationFilter"
class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter" autowire="default" dependency-check="default" lazy-init="default">
<constructor-arg value="http://cas.grandsoft.com.cn/logout"/>
<constructor-arg>
<list>
<bean class="org.pentaho.platform.web.http.security.PentahoLogoutHandler"/>
<bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/Logout"/>
</bean>
<bean id="securityContextHolderAwareRequestFilter"
class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />
<bean id="securityContextHolderAwareRequestFilterForWS" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter">
<!-- override so that SavedRequestAwareWrapper is not used -->
<property name="wrapperClass" value="org.springframework.security.wrapper.SecurityContextHolderAwareRequestWrapper" />
</bean>
<!--
===================== HTTP REQUEST SECURITY ====================
-->
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties" autowire="default" dependency-check="default" lazy-init="default">
<property name="service" value="http://bi.glodon.com/pentaho/j_spring_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter" autowire="default" dependency-check="default" lazy-init="default">
<property name="authenticationEntryPoint">
<ref local="casProcessingFilterEntryPoint"/>
</property>
<property name="accessDeniedHandler">
<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl" />
</property>
</bean>
<bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
</bean>
<bean id="casSingleSignOutHttpSessionListener" class="org.jasig.cas.client.session.SingleSignOutHttpSessionListener">
</bean>
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint" autowire="default" dependency-check="default" lazy-init="default">
<property name="loginUrl" value="http://cas.grandsoft.com.cn/login"/>
<property name="serviceProperties">
<ref local="serviceProperties"/>
</property>
</bean>
<bean id="exceptionTranslationFilterForWS" class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<ref local="basicProcessingFilterEntryPoint" />
</property>
<property name="accessDeniedHandler">
<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl" />
</property>
</bean>
<!-- <bean id="authenticationProcessingFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager">
<ref local="authenticationManager" />
</property>
<property name="authenticationFailureUrl" value="/Login?login_error=1" />
<property name="defaultTargetUrl" value="/Home" />
<property name="filterProcessesUrl" value="/j_spring_security_check" />
<property name="targetUrlResolver">
<bean id="targetUrlResolver" class="org.springframework.security.ui.TargetUrlResolverImpl">
<property name="justUseSavedRequestOnGet" value="true" />
</bean>
</property>
</bean> -->
<!-- <bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/Login" />
<property name="forceHttps" value="false" />
</bean> -->
<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>
<!--
Note the order that entries are placed against the
objectDefinitionSource is critical. The FilterSecurityInterceptor will
work from the top of the list down to the FIRST pattern that matches
the request URL. Accordingly, you should place MOST SPECIFIC (ie
a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*)
expressions last
-->
<bean id="filterInvocationInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager">
<ref local="authenticationManager" />
</property>
<property name="accessDecisionManager">
<ref local="httpRequestAccessDecisionManager" />
</property>
<property name="objectDefinitionSource">
<value>
<!--
Note - the "=Nobody" below is saying that resource URLs with those
patterns not be available through a web call.
-->
<![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/.*require-js-cfg.js\Z=Anonymous,Authenticated
\A/js/require.js\Z=Anonymous,Authenticated
\A/js/require-cfg.js\Z=Anonymous,Authenticated
\A/content/data-access/resources/gwt/.*css\Z=Anonymous,Authenticated
\A/webcontext.js.*\Z=Anonymous,Authenticated
\A/content/common-ui/resources/web/cache/cache-service.js.*\Z=Anonymous,Authenticated
\A/cacheexpirationservice.*\Z=Anonymous,Authenticated
\A/js/theme.*\Z=Anonymous,Authenticated
\A/content/common-ui/resources/themes/.*\Z=Anonymous,Authenticated
\A/content/common-ui/resources/web/dojo/djconfig.js.*\Z=Anonymous,Authenticated
\A/content/pentaho-mobile/resources/.*\Z=Anonymous,Authenticated
\A/docs/.*\Z=Anonymous,Authenticated
\A/mantlelogin/.*\Z=Anonymous,Authenticated
\A/mantle/mantleloginservice/*\Z=Anonymous,Authenticated
\A/mantle/.*\Z=Authenticated
\A/welcome/.*\Z=Anonymous,Authenticated
\A/public/.*\Z=Anonymous,Authenticated
\A/login.*\Z=Anonymous,Authenticated
\A/ping/alive.gif.*\Z=Anonymous,Authenticated
\A/j_spring_security_check.*\Z=Anonymous,Authenticated
\A/getimage.*\Z=Anonymous,Authenticated
\A/getresource.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
\A/auditreport.*\Z=Admin
\A/auditreportlist.*\Z=Admin
\A/versioncontrol.*\Z=Admin
\A/propertieseditor.*\Z=Admin
\A/propertiespanel.*\Z=Admin
\A/subscriptionadmin.*\Z=Admin
\A/resetrepository.*\Z=Admin
\A/viewaction.*solution.admin.*\Z=Admin
\A/scheduleradmin.*\Z=Admin
\A/publish.*\Z=Admin
\A/logout.*\Z=Anonymous
\A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
\A/solutionrepositoryservice.*solution=system.*component=delete.*\Z=Nobody
.*system.*pentaho.xml.*=Nobody
.*system.*applicationcontext.*.xml.*=Nobody
.*system.*pentahoobjects.spring.xml.*=Nobody
.*system.*pentahosystemconfig.xml.*=Nobody
.*system.*adminplugins.xml.*=Nobody
.*system.*plugin.properties.*=Nobody
.*system.*sessionstartupactions.xml.*=Nobody
.*system.*systemlisteners.xml.*=Nobody
.*system.*hibernate.*=Nobody
.*system.*birt/.*=Nobody
.*system.*dialects/.*=Nobody
.*system.*google/.*=Nobody
.*system.*jasperreports/.*=Nobody
.*system.*kettle/.*=Nobody
.*system.*logs/.*=Nobody
.*system.*mondrian/.*=Nobody
.*system.*quartz/.*=Nobody
.*system.*simple-jndi/.*=Nobody
.*system.*smtp-email/.*=Nobody
.*system.*ui/.*=Nobody
.*system.*\.\./.*=Nobody
\A/.*\Z=Authenticated
]]>
</value>
</property>
</bean>
<bean id="filterInvocationInterceptorForWS" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager">
<ref local="authenticationManager" />
</property>
<property name="accessDecisionManager">
<ref local="httpRequestAccessDecisionManager" />
</property>
<!-- allow anyone to see the wsdl of various services -->
<property name="objectDefinitionSource">
<value>
<![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/webservices/unifiedrepository\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/userrolelistservice\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/userroleservice\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/authorizationpolicy\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/rolebindingdao\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/scheduler\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/repositorysync\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/datasourcemgmtservice\?wsdl.*\Z=Anonymous,Authenticated
\A/webservices/.*\Z=Authenticated
\A/api/.*require-js-cfg.js\Z=Anonymous,Authenticated
\A/api/.*\Z=Authenticated
\A/plugin/.*\Z=Authenticated
]]>
</value>
</property>
</bean>
<bean id="defaultRole" class="java.lang.String">
<constructor-arg value="Authenticated" />
</bean>
<bean id="anonymousRole" class="java.lang.String">
<constructor-arg value="Anonymous" />
</bean>
<!-- used by ExtraRolesUserRoleListServiceDecorator beans -->
<bean id="extraRoles" class="org.springframework.beans.factory.config.ListFactoryBean">
<property name="sourceList">
<list>
<ref bean="defaultRole" />
<ref bean="anonymousRole" />
</list>
</property>
</bean>
</beans>