Spring Boot 3.x + Spring Security 6 实战：手把手教你配置CAS客户端实现单点登录（附完整代码）

Spring Boot 3.x与Spring Security 6深度整合现代CAS单点登录实战指南当企业应用系统数量快速增长时传统分散登录方式带来的体验割裂和运维负担日益凸显。最近在技术社区看到不少开发者讨论Spring Security 6的配置变化特别是CAS集成这块遇到不少坑。作为经历过多个企业级SSO项目的老兵今天想分享一套经过生产验证的Spring Boot 3.x Spring Security 6的CAS客户端配置方案。1. 环境准备与依赖配置在开始之前确保你的开发环境满足以下条件JDK 17或更高版本Spring Boot 3.1.5Spring Security 6.1.5Maven 3.8或Gradle 8.0新建项目时建议使用Spring Initializr生成基础骨架特别注意要勾选Spring WebSpring Security然后手动添加CAS客户端依赖。对于Maven项目在pom.xml中添加dependency groupIdorg.springframework.security/groupId artifactIdspring-security-cas/artifactId version6.1.5/version /dependency这里有个关键点Spring Security 6开始许多配置方式发生了本质变化。比如传统的WebSecurityConfigurerAdapter已被移除取而代之的是基于组件的配置风格。这种变化虽然初期需要适应但长期来看使配置更加灵活和模块化。2. 核心配置解析2.1 应用属性配置在application.yml中配置CAS服务端和客户端的基本信息cas: server: base-url: https://sso.example.com/cas login-url: ${cas.server.base-url}/login logout-url: ${cas.server.base-url}/logout validation-url: ${cas.server.base-url}/p3/serviceValidate client: base-url: http://app1.example.com login-path: /login/cas logout-path: /logout/cas home-path: /特别注意Spring Security 6对URL匹配规则做了更严格的校验。如果遇到IllegalArgumentException: Unable to parse configuration attributes错误通常是因为URL格式不符合新规范。2.2 安全配置类实现创建安全配置类时不再继承WebSecurityConfigurerAdapter而是直接定义SecurityFilterChainBeanConfiguration EnableWebSecurity public class SecurityConfig { Autowired private CasAuthenticationProvider casAuthenticationProvider; Autowired private CasAuthenticationEntryPoint authenticationEntryPoint; Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(auth - auth .requestMatchers(/public/**).permitAll() .anyRequest().authenticated() ) .exceptionHandling(ex - ex .authenticationEntryPoint(authenticationEntryPoint) ) .addFilterBefore(casAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class) .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class); return http.build(); } }这种配置方式更加函数式每个配置项都是独立的lambda表达式提高了代码的可读性和可维护性。3. CAS核心组件实现3.1 认证提供者配置CAS认证提供者是整个流程的核心负责验证CAS服务端返回的ticketBean public CasAuthenticationProvider casAuthenticationProvider( ServiceProperties serviceProperties, TicketValidator ticketValidator, UserDetailsService userDetailsService) { CasAuthenticationProvider provider new CasAuthenticationProvider(); provider.setServiceProperties(serviceProperties); provider.setTicketValidator(ticketValidator); provider.setUserDetailsService(userDetailsService); provider.setAuthenticationUserDetailsService( new CasAuthenticationUserDetailsService() { Override public UserDetails loadUserDetails(Authentication authentication) { return userDetailsService.loadUserByUsername(authentication.getName()); } }); return provider; }性能优化提示在生产环境中建议实现自定义的UserDetailsService结合缓存机制减少对用户存储系统的频繁查询。3.2 Ticket验证器Spring Security 6对ticket验证过程做了优化支持更灵活的验证策略Bean public TicketValidator ticketValidator() { Cas30ProxyTicketValidator validator new Cas30ProxyTicketValidator(casServerBaseUrl); validator.setEncoding(UTF-8); validator.setProxyCallbackUrl(casClientBaseUrl /login/cas); validator.setProxyGrantingTicketStorage(new ProxyGrantingTicketStorageImpl()); return validator; }4. 高级配置与疑难解答4.1 单点注销实现Spring Security 6改进了单点注销的处理机制需要特别注意以下几点Bean public SingleSignOutFilter singleSignOutFilter() { SingleSignOutFilter filter new SingleSignOutFilter(); filter.setCasServerUrlPrefix(casServerBaseUrl); filter.setIgnoreInitConfiguration(true); return filter; } Bean public LogoutFilter logoutFilter() { LogoutFilter filter new LogoutFilter( casServerLogoutUrl, new SecurityContextLogoutHandler() ); filter.setFilterProcessesUrl(/logout/cas); return filter; }常见问题如果遇到注销后会话未清除的情况检查是否配置了正确的SecurityContextLogoutHandler并确保客户端和服务端的注销URL配置一致。4.2 跨域与CSRF配置在前后端分离架构中需要额外处理跨域和CSRF问题Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration new CorsConfiguration(); configuration.setAllowedOrigins(Arrays.asList(https://frontend.example.com)); configuration.setAllowedMethods(Arrays.asList(GET, POST)); configuration.setAllowCredentials(true); UrlBasedCorsConfigurationSource source new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration(/**, configuration); return source; } Bean public CsrfTokenRepository csrfTokenRepository() { CookieCsrfTokenRepository repository CookieCsrfTokenRepository.withHttpOnlyFalse(); repository.setCookiePath(/); return repository; }5. 生产环境最佳实践在实际项目部署时我们总结了几条重要经验HTTPS强制配置所有CAS相关端点必须启用HTTPS在配置中明确指定https://协议头会话超时策略客户端会话超时应略长于CAS服务端会话超时监控端点保护对Spring Boot Actuator端点实施IP白名单限制日志审计实现自定义的AuthenticationSuccessHandler记录登录事件一个典型的审计日志处理器实现Component public class CasAuditSuccessHandler implements AuthenticationSuccessHandler { private static final Logger logger LoggerFactory.getLogger(CasAuditSuccessHandler.class); Override public void onAuthenticationSuccess( HttpServletRequest request, HttpServletResponse response, Authentication authentication) { String username authentication.getName(); String clientIp request.getRemoteAddr(); String sessionId request.getSession().getId(); logger.info(CAS login success - user: {}, IP: {}, session: {}, username, clientIp, sessionId); // 重定向到原始请求URL或首页 String targetUrl determineTargetUrl(request, response); response.sendRedirect(targetUrl); } }在项目上线前务必进行全面的安全测试包括重放攻击测试Ticket时效性验证注销会话传播测试并发登录场景验证这套配置方案已经在金融和电商领域的多个项目中得到验证能够稳定支持日均百万级的认证请求。特别是在Spring Security 6的新特性加持下系统的安全性和可扩展性都有了显著提升。