如何在Zuul上实现CAS的单点登录

前言
最近项目跟一个基于CAS的系统对接做单点登录，之前在传统框架做过CAS的对接，本来以为很简单，简单配置一下双方对好账户就完了，但现在系统架构调整为SpringCloud的微服务体系，这让这次对接就不那么简单直接的。本文主要讨论CAS与Zuul上的结合思路。

CAS原理
CAS的基本原理还是挺简单的，如下图所示。

主要就是
1.拦截重定向
2.登录
3.验证
4.获取用户信息
看着挺复杂，但其实框架已经把大部分工作都做好了，封装起来了，正常情况下我们只需要配置一下就ok了，但在微服务的环境下还是挺让人迷惑的。
对了我们用的是CAS3.5版本搭建的测试系统。

实现思路
Zuul作为整个系统的网关，有几样工作特别适合：
1.路由，Zuul的天职
2.负载均衡，Zuul 2.0的性能还是可以期待的
3.日志，由于外部的请求都经过Zuul因此它的日志处理是非常重要和必要的
4.鉴权，同样由于外部服务都经过Zuul，鉴权也是非常合适的，因此对于SpringCloud体系来说做CAS的单点登录的集成Zuul是最合适不过的。

我们Zuul也是基于SpringBoot，因此可以使用Spring Security的套路实现CAS的拦截与验证等工作。
简单的总结一下：
1.将CAS集成放到Zuul上
2.使用Spring Security套餐

但同时我们也知道Zuul还要处理日志，因此要将CAS与Zuul本身的职责协调好，同时我们也都知道Zuul核心是ZuulFilter，而SpringSecurity实质上也是一系列的Filter来处理，把这两套Fillter理清楚是搞定这个问题的先决条件。

下面我们就结合具体代码看看怎么解决这个问题。

实例代码

首先是工程目录，maven的惯例

ps不要在意那个UserLoginInfoCache.java其实就是一个缓存。

然后是POM.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.zw.se2</groupId>
    <artifactId>demo-zuul</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>jar</packaging>

    <name>hy-zuul</name>
    <description>Demo project for Zuul and CAS</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.1.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <java.version>1.8</java.version>
        <spring-cloud.version>Finchley.RC1</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-config</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-ribbon</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>net.sf.json-lib</groupId>
            <artifactId>json-lib</artifactId>
            <version>2.4</version>
            <classifier>jdk15</classifier>
        </dependency>
        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session</artifactId>
            <version>1.3.1.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-cas</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-taglibs</artifactId>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
    <repositories>
        <repository>
            <id>spring-milestones</id>
            <name>Spring Milestones</name>
            <url>https://repo.spring.io/milestone</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
</project>

接下来是Zuul的配置
application.properties

#默认情况下，敏感的头信息无法经过API网关进行传递,需要开启。解决使用zuul网关后spring session无效问题
zuul.routes.tim-service.sensitiveHeaders="*"
zuul.routes.main-service.path=/main-service/**
zuul.routes.main-service.url=http://localhost:8383 
zuul.routes.main-service.sensitiveHeaders="*"
devMode=false
spring.application.name=demo-zuul-server
#下面那个参数是去掉zuul-prefix参数产生的前缀的，跟path一毛钱关系都没有
zuul.strip-prefix=false
server.port=8085

#将 hystrix 的超时时间禁用掉
hystrix.command.default.execution.timeout.enabled=false
#session存储
spring.session.store-type=none
#日志配置文件路径
logging.config=ext/conf/logback.xml

#CAS服务地址
cas.server.host.url=http://10.0.4.53:8080/cas-server-webapp-3.5.0
#CAS服务登录地址
cas.server.host.login_url=${cas.server.host.url}/login
#应用访问地址
app.server.host.url=http://localhost:8085
#应用登录地址,这个URL不一定非要存在
app.login.url=/cas/login/zuul

接下来是启动配置bootstrap.yaml

eureka:
  client:
    service-url:
        defaultZone: http://localhost:8797/eureka
spring:
  cloud:
    config:
      uri: http://localhost:8888
      profile: dev
      name: hyConfig

接下来就是cas了
CasProperties.java

package com.zw.se2.hy.zuul.cas.config;

import lombok.Data;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

/**
 * Created by ZEW on 2018/6/7.
 */
@Data
@Component
public class CasProperties {
    @Value("${cas.server.host.url}")
    private String casServerUrl;

    @Value("${cas.server.host.login_url}")
    private String casServerLoginUrl;

    @Value("${app.server.host.url}")
    private String appServerUrl;

    @Value("${app.login.url}")
    private String appLoginUrl;

}

SecurityConfig.java，这个是配置的核心，其中最核心的就是配置拦截策略和处理过滤器。

package com.zw.se2.hy.zuul.cas.config;

import com.zw.se2.hy.zuul.cas.custom.CustomUserDetailsService;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;

/**
 * Created by ZEW on 2018/6/7.
 */
@Configuration
@EnableWebSecurity //启用web权限
@EnableGlobalMethodSecurity(prePostEnabled = true) //启用方法验证
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private CasProperties casProperties;

    /**定义认证用户信息获取来源，密码校验规则等*/
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
        auth.authenticationProvider(casAuthenticationProvider());
    }

    /**定义安全策略*/
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()//配置安全策略
                .antMatchers("/**/api/**").permitAll()
                .antMatchers("/**/**.html").permitAll()
                .anyRequest().authenticated();//定义/请求不需要验证

        http.exceptionHandling().authenticationEntryPoint(casAuthenticationEntryPoint())
                .and()
                .addFilter(casAuthenticationFilter())
                .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class);
//这个地方需要注意，这里禁用是为了照顾需要使用post请求且这个请求是外部系统提供的，没有办法，
//为了安全还是推荐不禁用转而使用csrf-token的模式
        http.csrf().disable(); 
    }

    /**认证的入口*/
    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl(casProperties.getCasServerLoginUrl());
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    /**指定service相关信息*/
    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        serviceProperties.setService(casProperties.getAppServerUrl() + casProperties.getAppLoginUrl());
        serviceProperties.setAuthenticateAllArtifacts(true);
        return serviceProperties;
    }

    /**CAS认证过滤器*/
    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        casAuthenticationFilter.setFilterProcessesUrl(casProperties.getAppLoginUrl());
        return casAuthenticationFilter;
    }

    /**cas 认证 Provider*/
    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
       //这里实现了一个自定义的认证服务，其实没有特殊需求可以采用默认的服务 casAuthenticationProvider.setAuthenticationUserDetailsService(customUserDetailsService());

        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
        casAuthenticationProvider.setKey("an_id_for_this_auth_provider_only");
        return casAuthenticationProvider;
    }

    /*@Bean
    public UserDetailsService customUserDetailsService(){
        return new CustomUserDetailsService();
    }*/

    /**用户自定义的AuthenticationUserDetailsService*/
    @Bean
    public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> customUserDetailsService(){
        return new CustomUserDetailsService();
    }

    @Bean
    public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
        return new Cas20ServiceTicketValidator(casProperties.getCasServerUrl());
    }



}

由于涉及业务，自定义的认证服务这里就不贴了，有兴趣的可以参考
参考链接
但是请注意这篇文档在loadUserDetails函数中要对userInfo的权限相关信息赋值，否则就不能通过验证。
代码如下:

UserInfo userInfo = new UserInfo();
       userInfo.setUsername(token.getName());
       userInfo.setName(token.getName());
       Set<AuthorityInfo> authorities = new HashSet<>();
       AuthorityInfo authorityInfo = new AuthorityInfo("CAS");
       authorities.add(authorityInfo);
       userInfo.setAuthorities(authorities);
       userInfo.setAccountNonLocked(true);
       userInfo.setAccountNonExpired(true);
       userInfo.setCredentialsNonExpired(true);

集成完CAS，该处理Zuul本身的过滤器
经过试验CAS的过滤器优先级要高于Zuul的Pre过滤器，这样倒也方便了，只需要处理登录等日志即可。
也就是增加一个post过滤器。
如下所示 LoginResponseFilter.java.

package com.zw.se2.hy.zuul.filter.post;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import com.zw.se2.hy.zuul.UserLoginInfoCache;
import com.zw.se2.hy.zuul.filter.ConstantPath;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.util.StreamUtils;
import org.springframework.web.client.RestTemplate;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;

import static org.springframework.util.ReflectionUtils.rethrowRuntimeException;

@Component
public class LoginResponseFilter extends ZuulFilter {
      private static Logger log = LoggerFactory.getLogger("monitor");


    @Override
    public boolean shouldFilter() {
        RequestContext context = RequestContext.getCurrentContext();
        String url = context.getRequest().getRequestURL().toString();
        //只处理登录请求
        return StringUtils.endsWith(url, ConstantPath.LOGIN_PATH);

    }

    @Override
    public Object run() {
        try {
            RequestContext context = RequestContext.getCurrentContext();
            InputStream stream = context.getResponseDataStream();
            String body = StreamUtils.copyToString(stream, Charset.forName("UTF-8"));
            String url = context.getRequest().getRequestURL().toString();

                if (StringUtils.isNotBlank(body)) {
                    //验证响应结果是否为登录成功
                    JSONObject bodyJson = JSONObject.fromObject(body);
                    if (bodyJson.has(ConstantPath.LOGIN_RESPONSE_STATUS)) {
                        String status = bodyJson.getString(ConstantPath.LOGIN_RESPONSE_STATUS);
                        if (StringUtils.equals(status, "200")) {
                            if (bodyJson.has(ConstantPath.LOGIN_RESPONSE_RESULT)) {
                                JSONArray resultArray = bodyJson.getJSONArray(ConstantPath.LOGIN_RESPONSE_RESULT);
                                if (resultArray != null && resultArray.size() > 0) {
                                    JSONObject userObject = resultArray.getJSONObject(0);
                                    processLogin(context, userObject);
                                }
                            }
                        }


                }
            }

            context.setResponseBody(body);
        } catch (IOException e) {
            rethrowRuntimeException(e);
        }
        return null;
    } 

    private void processLogin(RequestContext context, JSONObject userObject) {
        if (userObject.has(ConstantPath.LOGIN_USERNAME)) {
            String userName = userObject.getString(ConstantPath.LOGIN_USERNAME);
            //将用户名存储在session中，判断用户是否登录
            HttpServletRequest request = context.getRequest();
            HttpSession session = request.getSession();
            session.setAttribute("userName", userName);
            session.setMaxInactiveInterval(1800);           
            log.info(">>>用户>>>" + userName + "执行了>>>登录>>>操作);
        }
    }

    @Override
    public String filterType() {
        return "post";
    }

    @Override
    public int filterOrder() {
        return 1;
    }

}

总结

可以看到只要理清思路Zuul和Cas的结合还是挺简单的，关键就是理清思路。