Skip to content

L
loginservice
Commit c0315a76 by hzc
Options

sso整合,原来的登陆有问题

parent 320344be
Showing with 363 additions and 90 deletions
pom.xml
......@@ -15,6 +15,7 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.4.RELEASE</version>
<relativePath />
</parent>
......@@ -23,6 +24,8 @@
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
<spring-cloud.version>Finchley.RELEASE</spring-cloud.version>
<hutool.version>5.6.3</hutool.version>
<bcprov-jdk.version>1.66</bcprov-jdk.version>
</properties>
<dependencies>
......@@ -125,6 +128,36 @@
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.portal.sso</groupId>
<artifactId>portal-sso-client</artifactId>
<version>0.0.1-SNAPSHOT</version>
<scope>system</scope>
<systemPath>${project.basedir}/lib/portal-sso-client-0.0.1-SNAPSHOT.jar</systemPath>
</dependency>
<dependency>
<groupId>com.portal.sso</groupId>
<artifactId>portal-sso-core</artifactId>
<version>0.0.1-SNAPSHOT</version>
<scope>system</scope>
<systemPath>${project.basedir}/lib/portal-sso-core-0.0.1-SNAPSHOT.jar</systemPath>
</dependency>
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>${hutool.version}</version>
</dependency>
<!--国密算法支持包-->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15to18</artifactId>
<version>${bcprov-jdk.version}</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
</dependencies>
<dependencyManagement>
......@@ -143,6 +176,21 @@
<finalName>mdslogin</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<configuration>
<webResources>
<resource>
<directory>${project.basedir}/lib</directory>
<targetPath>WEB-INF/lib</targetPath>
<includes>
<include>**/*.jar</include>
</includes>
</resource>
</webResources>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
......
src/main/java/com/keymobile/proxy/conf/ClientSsoConfig.java 0 → 100644
package com.keymobile.proxy.conf;
import com.keymobile.proxy.model.SsoServerProcesssor;
import com.portal.sso.client.filter.WebAppFilter;
import com.portal.sso.core.config.SsoConfig;
import com.portal.sso.core.server.JwtServerHander;
import com.portal.sso.core.server.RequestServerHandler;
import com.portal.sso.core.server.VerificationTgtServer;
import com.portal.sso.core.server.impl.JwtServerHanderImpl;
import com.portal.sso.core.server.impl.RequestServerHandlerImpl;
import com.portal.sso.core.server.impl.VerificationTgtServerImpl;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class ClientSsoConfig implements DisposableBean {
@Autowired
SsoServerProcesssor ssoServerProcesssor;
@Value("${portal.sso.server}")
private String ssoServer;
@Value("${portal.sso.logout.path}")
private String ssoLogoutPath;
@Value("${portal.sso.excluded.paths}")
private String ssoExcludedPaths;
@Bean
public WebAppFilter webAppFilter(){
return new WebAppFilter();
}
@Bean
public RequestServerHandler requestServerHandler(){
return new RequestServerHandlerImpl();
}
@Bean
public VerificationTgtServer verificationTgtServer(){
VerificationTgtServer server = new VerificationTgtServerImpl();
server.setClientAppId(ssoServerProcesssor.getClientAppId());
server.setClientSecret(ssoServerProcesssor.getClientSecret());
server.setJwtServerHander(jwtServerHanderImpl());
return server;
}
@Bean
public JwtServerHander jwtServerHanderImpl(){
return new JwtServerHanderImpl();
}
@Bean
public FilterRegistrationBean PortalSsoFilterRegistration() {
// 注册拦截器
FilterRegistrationBean registration = new FilterRegistrationBean();
registration.setName("WebAppFilter");
registration.setOrder(1);
registration.addUrlPatterns("/*");
registration.setFilter(webAppFilter());
registration.addInitParameter(SsoConfig.SSO_CLIENT_SERVER, ssoServer);
registration.addInitParameter(SsoConfig.SSO_CLIENT_LOGOUT_PATH, ssoLogoutPath);
registration.addInitParameter(SsoConfig.SSO_CLIENT_EXCLUDED_PATHS, ssoExcludedPaths);
registration.addInitParameter(SsoConfig.SSO_APP_ID, ssoServerProcesssor.getClientAppId());
registration.addInitParameter(SsoConfig.SSO_SERVER_LOGIN_PATHS, ssoServerProcesssor.getLoginPath());
return registration;
}
@Override
public void destroy() throws Exception {
System.out.println("拦截器已执行完毕");
}
}
src/main/java/com/keymobile/proxy/conf/RESTAuthenticationSuccessHandler.java
......@@ -2,6 +2,7 @@ package com.keymobile.proxy.conf;
import com.keymobile.proxy.api.Constants;
import com.keymobile.proxy.util.LogManager;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -28,12 +29,16 @@ public class RESTAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc
@Value("${security.allowRootLogin:true}")
private boolean rootAllowLogin = true;
@Value("${auth-login.adAuth}")
@Value("${portal.ad-auth.enable}")
private Boolean authAdLogin;
@Value("${auth-login.isgo}")
//@Value("${auth-login.isgo}")
@Value("${portal.ad-auth.isgo}")
private Boolean authAdIsgo;
//首页
@Value("${redirect-url.data-platform}")
private String go;
@Override
......@@ -42,12 +47,11 @@ public class RESTAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc
HttpSession session = request.getSession();
Object csrf_token = session.getAttribute("_csrf");
// session.getAttribute("_csrf");
// String headerName = csrf_token.getHeaderName();
// String parameterName = csrf_token.getParameterName();
clearAuthenticationAttributes(request);
String data = (String) request.getSession().getAttribute("ssoLogin");
String sso = (String) request.getSession().getAttribute("ssoLogin");
String data = (String) request.getSession().getAttribute("loginMsg");
System.out.println("come onAuthenticationSuccess here");
if(null == data){
logger.info("getAttribute('ssoLogin') is null");
......@@ -68,7 +72,15 @@ public class RESTAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc
returnStatus = "root not allow login";
LogManager.logInfo(Constants.LOG_AUTH_LOGIN_API, "登录", null);
if(authAdIsgo){
System.out.println("ssoMsg="+sso);
if(null==sso || "".equals(sso.trim())){
System.out.println("走登录页面登录");
}else{
System.out.println("走单点登录");
response.sendRedirect(go);
}
if(BooleanUtils.isTrue(authAdIsgo)&&BooleanUtils.isTrue(authAdLogin)){
System.out.println("走AD跳转");
response.sendRedirect("/go");
}
PrintWriter writer = response.getWriter();
......
src/main/java/com/keymobile/proxy/conf/SecurityConfig.java
......@@ -3,6 +3,8 @@ package com.keymobile.proxy.conf;
import com.keymobile.proxy.api.Constants;
import com.keymobile.proxy.service.PortalService;
import com.keymobile.proxy.util.Des;
import com.portal.sso.core.config.SsoConfig;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -40,11 +42,7 @@ import java.util.Properties;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${ad-authenticate.domain}")
private String authDomain;
@Value("${ad-authenticate.provider-url}")
private String providerUrl;
private Logger logger = LoggerFactory.getLogger(SecurityConfig.class);
......@@ -76,9 +74,15 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private PortalService portalService;
@Value("${auth-login.adAuth}")
@Value("${portal.ad-auth.enable}")
private Boolean authAdLogin;
@Value("${portal.sso.enable}")
private Boolean ssoAuth;
@Value("${portal.ad-auth.authenticate.domain}")
private String authDomain;
@Value("${portal.ad-auth.authenticate.provider-url}")
private String providerUrl;
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication().usersByUsernameQuery(usersQuery).authoritiesByUsernameQuery(rolesQuery)
......@@ -87,13 +91,13 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().permitAll();
http.authorizeRequests().anyRequest().permitAll();
http.csrf().disable();
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
http.formLogin().successHandler(authenticationSuccessHandler);
http.formLogin().failureHandler(authenticationFailureHandler);
http.formLogin().loginPage("/login");
// http.formLogin().loginProcessingUrl("/signin");
// http.formLogin().loginProcessingUrl("/signin");
http.logout().logoutUrl("/signout");
http.logout().logoutSuccessHandler(logoutSuccessHandler);
http.sessionManagement().maximumSessions(1).expiredUrl("/login");
......@@ -106,68 +110,17 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
AbstractAuthenticationProcessingFilter authenticationFilter = new AbstractAuthenticationProcessingFilter("/ssoauth") {
@Override
public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
String portal_actionURL = httpServletRequest.getParameter("portal_actionURL");
String username = httpServletRequest.getParameter("portal_username");
String portal_password = httpServletRequest.getParameter("portal_password");
String CallBack = httpServletRequest.getParameter("CallBack");
String key = httpServletRequest.getParameter("key");
if(null == username || null == portal_password ||
null == CallBack ||null == key){
httpServletResponse.sendError(200,"sso login url missing request param");
return null;
}
if (authAdLogin) {
Des des = new Des();
String pwd = des.strDec(portal_password, key);
// logger.info("sso login param->userName:"+username+" pwd:"+pwd);
if(!authenticate(username,pwd)){
// httpServletResponse.sendError(200,CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
PrintWriter writer = httpServletResponse.getWriter();
writer.write(CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
writer.flush();
writer.close();
return null;
}
}
httpServletRequest.getSession().setAttribute("ssoLogin",CallBack+"({'query':{'results':{'postresult':'portal_ssologin_succeed'}}});");
//
com.keymobile.proxy.model.User user = portalService.getUserByUserId(username);
if (user == null) {
logger.error(username + " is not exit");
// httpServletResponse.sendError(200,CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
PrintWriter writer = httpServletResponse.getWriter();
writer.write(CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
writer.flush();
writer.close();
return null;
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken= null;
if(BooleanUtils.isTrue(ssoAuth)){
//单点登陆
usernamePasswordAuthenticationToken = sendSsoAuth(httpServletRequest, httpServletResponse);
}else{
//Ad
usernamePasswordAuthenticationToken = sendAdAuth(httpServletRequest,httpServletResponse);
}
if (! authAdLogin) {
if (! StringUtils.equals(user.getPassword(), portal_password)) {
logger.error(username + " password is error");
//httpServletResponse.sendError(200,CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
PrintWriter writer = httpServletResponse.getWriter();
writer.write(CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
writer.flush();
writer.close();
return null;
}
}
List<GrantedAuthority> authorities = new ArrayList<>();
String userName = user.getUserId() + ":" + user.getId() + ":" + user.getDisname() + ":" + user.getOrgNo();
List<String> authors = portalService.getByUserId(username);
if (! CollectionUtils.isEmpty(authors)) {
for (String author : authors) {
GrantedAuthority authorityInfo = new SimpleGrantedAuthority(Constants.ROLE_PREFIX + author);
authorities.add(authorityInfo);
}
}
return new UsernamePasswordAuthenticationToken(new User(userName, user.getPassword(), authorities), null, authorities);
return usernamePasswordAuthenticationToken;
}
};
authenticationFilter.setAuthenticationManager(authenticationManager());
authenticationFilter.setAuthenticationSuccessHandler(authenticationSuccessHandler);
return authenticationFilter;
......@@ -182,7 +135,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
String portal_password = httpServletRequest.getParameter("password");
String CallBack = "";
if(null == username || null == portal_password){
// httpServletResponse.sendError(200,"sso login url missing request param");
// httpServletResponse.sendError(200,"sso login url missing request param");
httpServletResponse.setStatus(401);
PrintWriter writer = httpServletResponse.getWriter();
writer.write(CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
......@@ -191,7 +144,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
return null;
}
if (authAdLogin) {
// logger.info("signin login param->userName:"+username+" pwd:"+portal_password);
// logger.info("signin login param->userName:"+username+" pwd:"+portal_password);
if(!authenticate(username,portal_password)){
httpServletResponse.setStatus(401);
......@@ -203,7 +156,7 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
return null;
}
}
httpServletRequest.getSession().setAttribute("ssoLogin","ok");
httpServletRequest.getSession().setAttribute("loginMsg","ok");
com.keymobile.proxy.model.User user = portalService.getUserByUserId(username);
if (user == null) {
logger.error(username + " is not exit");
......@@ -283,4 +236,96 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
}
}
private UsernamePasswordAuthenticationToken sendSsoAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
System.out.println("开始进入单点登录......");
httpServletRequest.getSession().setAttribute("ssoLogin","ssoauth");
String username = httpServletRequest.getAttribute(SsoConfig.SSO_USER_ID).toString();
if(null == username || "".equals(username.trim())){
httpServletResponse.sendError(500,"单点登录异常,无法获取到用户信息");
return null;
}
com.keymobile.proxy.model.User user = portalService.getUserByUserId(username);
if (user == null) {
logger.error(username + " is not exit");
// httpServletResponse.sendError(200,CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
httpServletResponse.setStatus(401);
PrintWriter writer = httpServletResponse.getWriter();
writer.write("单点登录异常,用户不存在!");
writer.flush();
writer.close();
return null;
}
List<GrantedAuthority> authorities = new ArrayList<>();
String userName = user.getUserId() + ":" + user.getId() + ":" + user.getDisname() + ":" + user.getOrgNo();
List<String> authors = portalService.getByUserId(username);
if (! CollectionUtils.isEmpty(authors)) {
for (String author : authors) {
GrantedAuthority authorityInfo = new SimpleGrantedAuthority(Constants.ROLE_PREFIX + author);
authorities.add(authorityInfo);
}
}
System.out.println("单点登录认证完成......");
return new UsernamePasswordAuthenticationToken(new User(userName, "whatever", authorities), null, authorities);
}
private UsernamePasswordAuthenticationToken sendAdAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
String username = httpServletRequest.getParameter("portal_username");
String portal_password = httpServletRequest.getParameter("portal_password");
String CallBack = httpServletRequest.getParameter("CallBack");
String key = httpServletRequest.getParameter("key");
if(null == username || null == portal_password ||
null == CallBack ||null == key){
httpServletResponse.sendError(200,"sso login url missing request param");
return null;
}
if (authAdLogin) {
Des des = new Des();
String pwd = des.strDec(portal_password, key);
// logger.info("sso login param->userName:"+username+" pwd:"+pwd);
if(!authenticate(username,pwd)){
// httpServletResponse.sendError(200,CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
PrintWriter writer = httpServletResponse.getWriter();
writer.write(CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
writer.flush();
writer.close();
return null;
}
}
httpServletRequest.getSession().setAttribute("loginMsg",CallBack+"({'query':{'results':{'postresult':'portal_ssologin_succeed'}}});");
//
com.keymobile.proxy.model.User user = portalService.getUserByUserId(username);
if (user == null) {
logger.error(username + " is not exit");
// httpServletResponse.sendError(200,CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
PrintWriter writer = httpServletResponse.getWriter();
writer.write(CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
writer.flush();
writer.close();
return null;
}
if (! authAdLogin) {
if (! StringUtils.equals(user.getPassword(), portal_password)) {
logger.error(username + " password is error");
//httpServletResponse.sendError(200,CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
PrintWriter writer = httpServletResponse.getWriter();
writer.write(CallBack+"({'query':{'results':{'postresult':'portal_ssologin_fali'}}});");
writer.flush();
writer.close();
return null;
}
}
List<GrantedAuthority> authorities = new ArrayList<>();
String userName = user.getUserId() + ":" + user.getId() + ":" + user.getDisname() + ":" + user.getOrgNo();
List<String> authors = portalService.getByUserId(username);
if (! CollectionUtils.isEmpty(authors)) {
for (String author : authors) {
GrantedAuthority authorityInfo = new SimpleGrantedAuthority(Constants.ROLE_PREFIX + author);
authorities.add(authorityInfo);
}
}
return new UsernamePasswordAuthenticationToken(new User(userName, user.getPassword(), authorities), null, authorities);
}
}
\ No newline at end of file
src/main/java/com/keymobile/proxy/model/SsoServerProcesssor.java 0 → 100644
package com.keymobile.proxy.model;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
@Component
public class SsoServerProcesssor {
@Value("${portal.sso.appid}")
private String clientAppId;
@Value("${portal.sso.secret}")
private String clientSecret;
@Value("${portal.sso.login.path}")
private String loginPath;
public String getClientAppId() {
return clientAppId;
}
public void setClientAppId(String clientAppId) {
this.clientAppId = clientAppId;
}
public String getClientSecret() {
return clientSecret;
}
public void setClientSecret(String clientSecret) {
this.clientSecret = clientSecret;
}
public String getLoginPath() {
return loginPath;
}
public void setLoginPath(String loginPath) {
this.loginPath = loginPath;
}
}
src/main/resources/application-local.yml
......@@ -9,8 +9,8 @@ spring:
redis:
namespace: hyycdev
redis:
host: 127.0.0.1
port: 6379
host: 139.198.127.54
port: 9379
# session:
# store-type: redis
# redis:
......@@ -37,7 +37,7 @@ eureka:
region: default
registryFetchIntervalSeconds: 5
serviceUrl:
defaultZone: http://127.0.0.1:9000/eureka/ #http://localhost:8081/eureka/
defaultZone: http://192.168.0.230:7081/eureka/ #http://localhost:8081/eureka/
zuul:
prefix: /api
......@@ -53,13 +53,33 @@ logging:
com.keymobile.proxy: info
config: classpath:logback-custom.xml
redirect-url:
indicator: http://139.198.127.54:18580/hndb/view/index
ad-authenticate:
domain: hntobacco.com
provider-url: ldap://hntobacco.com:389
#ad-authenticate:
# domain: hntobacco.com
# provider-url: ldap://hntobacco.com:389
auth-login:
adAuth: false
isgo: true
\ No newline at end of file
#auth-login:
# adAuth: false
# isgo: true
# ssoAuth: true #ture走单点认证,,false就走原来的AD
redirect-url:
data-platform: http://192.168.0.216:9090/center-home/view/index #sso登陆后跳转地址
indicator: http://139.198.127.54:18580/hndb/view/index #AD登陆后跳转的地址
portal:
sso:
enable: true #是否开启
server: http://10.72.66.65/sso-server
appid: sj_sjzt
secret: b14ec16eac588f44cdb95aae477652db
logout:
path: /logout
login:
path: http://login.hntobacco.com
excluded:
paths: /api/auth/sessionInfo
ad-auth:
enable: false #是否AD认证 优先级低于sso
isgo: false #AD是否跳转
authenticate:
domain: hntobacco.com
provider-url: ldap://hntobacco.com:389
\ No newline at end of file
src/main/resources/application-test.yml
......@@ -61,4 +61,35 @@ redirect-url:
security:
permit: false
authUser: root
authPwd: pwd
\ No newline at end of file
authPwd:
portal:
ad-authenticate:
enable: false
domain: hntobacco.com
provider-url: ldap://hntobacco.com:389
success-redirect: true
success-url: http://10.72.0.117/hndb/view/index
error-url: http://10.72.0.117/hndb/
sso-authenticate:
enable: true
server: http://10.72.66.65/sso-server
appid: sj_dbgl
secret: 1b9d159ec247b18057fe6e3f53188c1a
excluded:
paths: /api/auth/sessionInfo,/api/auth/signin
logout:
path: /logout
login:
path: http://login.hntobacco.com
success-redirect: true
success-url:http://10.72.0.117/hndb/view/index
error-url:http://10.72.0.117/hndb/
pwd-authenticate:
enable: false
logout:
path: /logout
login:
path: http://10.72.0.117/api/auth/signin
success-redirect: true
success-url: http://10.72.0.117/hndb/view/index
error-url: http://10.72.0.117/hndb/
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment