我正在使用 Spring Security 6.2 在我的应用程序上设置 CAS 身份验证。
文档(https://docs.spring.io/spring-security/reference/servlet/authentication/cas.html)指出:
处理过滤器将构造一个代表服务票证的 UsernamePasswordAuthenticationToken。主体将等于 CasAuthenticationFilter.CAS_STATEFUL_IDENTIFIER,而凭据将是服务票证不透明值。
但是,在 Spring Security 6 版本中,CAS_STATEFUL_IDENTIFIER 成员似乎已经从 CasAuthenticationFilter 类中消失了。
那么,创建此 UsernamePasswordAuthenticationToken 的最佳方法是什么?
对于 Spring Security 6.2 中的 CAS 身份验证,建议使用框架的配置和组件,特别是
CasAuthenticationProvider
,而不是手动创建 UsernamePasswordAuthenticationToken
对象。
这是一个示例:
@Configuration
@EnableWebSecurity
public class CasSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authorizeRequests ->
authorizeRequests.anyRequest().authenticated()
)
.casAuthentication(cas ->
cas.serviceProperties(serviceProperties -> /* configure service properties */)
.ticketValidator(ticketValidator())
// Optionally configure a custom AuthenticationSuccessHandler
.authenticationSuccessHandler(myCustomSuccessHandler())
);
}
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
// Set properties like service and sendRenew
return serviceProperties;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider provider = new CasAuthenticationProvider();
provider.setServiceProperties(serviceProperties());
provider.setTicketValidator(ticketValidator());
provider.setAuthenticationUserDetailsService(/* userDetailsService */);
// Set key, which is a unique identifier for this provider
provider.setKey("CAS_PROVIDER_LOCAL");
return provider;
}
@Bean
public TicketValidator ticketValidator() {
// Return the CAS ticket validator, e.g., Cas30ServiceTicketValidator
return new Cas30ServiceTicketValidator("https://your-cas-server/cas");
}
// Define other beans and details as needed
}