提示
如果统一认证需要额外的 JAR 包,可以将 jar 文件放到 ${安装目录}/tomcat8/lib 目录下(放入后需要重启 Tomcat 才会生效)。该目录下的类对整个 Tomcat 实例可见,请只放置来源可信、已核对版本与校验和的 JAR。
一、自定义管理后台SSO脚本
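// Admin-console SSO entry script: pick the plugin endpoint that performs the
// unified-auth handshake and redirect the browser there.
//
// Host-provided globals (not defined in this script): request, response,
// logger, result.
var version = java.lang.System.getProperty("java.version");
if (version.startsWith("1.8.0")) {
    // Nashorn on JDK 8 needs the compatibility script (importPackage etc.)
    load("nashorn:mozilla_compat.js");
}
// BI server address (public origin, no trailing slash)
var macoHost = "http://bi.xxx.com";

// Returns true only for targets we are willing to send the browser to after
// login: a path on this site ("/...", but not the protocol-relative "//..."
// or "/\..." forms) or an absolute URL under macoHost. Anything else is
// treated as an open-redirect attempt and dropped.
function isSafeRedirectTarget(target) {
    if (target == null) {
        return false;
    }
    var s = "" + target; // Java String -> JS string
    if (s.length === 0) {
        return false;
    }
    // no whitespace / control characters in something that ends up in a Location header
    if (/[\s\x00-\x1f]/.test(s)) {
        return false;
    }
    if (s.charAt(0) === "/") {
        var second = s.charAt(1);
        return second !== "/" && second !== "\\";
    }
    return s === macoHost || s.indexOf(macoHost + "/") === 0;
}

// Optional BI page to land on once the whole login flow has finished.
// The raw value comes from the query string, so it is validated before it is
// forwarded; an unsafe or missing value is forwarded as empty (the auth page
// then falls back to its default destination).
var redirectUrl = request.getParameter("redirectUrl");
var encodedRedirect = "";
if (isSafeRedirectTarget(redirectUrl)) {
    encodedRedirect = java.net.URLEncoder.encode("" + redirectUrl, "utf-8");
} else if (redirectUrl != null && ("" + redirectUrl).length > 0) {
    logger.warn("Ignoring unsafe redirectUrl parameter");
}

// default: the plugin page that prepares the unified-auth redirect
var urlStr = macoHost + "/plugin/sso/auth.do?userRedirectUrl=" + encodedRedirect;
// Native app clients announce themselves in the User-Agent and use the mobile
// endpoint. The header is client-controlled, so it only selects a flow here —
// it must never be used to grant anything.
var userAgent = request.getHeader("User-Agent");
logger.debug("User Agent: " + userAgent);
if (userAgent != null && userAgent.indexOf("xapp") > -1) {
    urlStr = macoHost + "/plugin/sso/appmobile/auth.do?app=xapp&redirectUrl=" + encodedRedirect;
}
logger.debug("url str: " + urlStr);
result.setSuccess(true);
// hand the browser over to the auth page
response.sendRedirect(urlStr);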
二、插件页面: /plugin/sso/auth
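// Plugin page /plugin/sso/auth: OAuth 2.0 authorization-code handshake with
// the unified-auth platform, followed by a local BI login for the mapped user.
//
// Flow:
//   (1) no "code" parameter  -> remember where the user wanted to go, mint a
//       "state" nonce and redirect to the IdP authorize endpoint;
//   (2) "code" present       -> verify "state", exchange the code for an
//       access token, fetch the user profile, look the uid up locally and
//       log the user in.
//
// Host-provided globals (not defined here): request, response, logger,
// result, beanService.
var version = java.lang.System.getProperty("java.version");
if (version.startsWith("1.8.0")) {
    load("nashorn:mozilla_compat.js");
}
importPackage(java.lang);
importPackage(java.util);
importPackage(org.apache.commons.lang3.time);
importPackage(org.apache.commons.lang3);
importPackage(com.alibaba.fastjson);
importPackage(org.apache.commons.codec.binary);
importPackage(org.apache.http.impl.client);
importPackage(org.apache.http.client.methods);
importPackage(org.apache.http);
importPackage(com.weibaobiao.command);
// BI server address (public origin, no trailing slash). The callback URL is
// built from it, so it should be the origin registered with the IdP —
// preferably https, since the authorization code travels back over it.
var macoHost = "http://bi.xxx.com";
// unified-auth platform base URL
var baseUrl = "https://idms.app.com/ms_oauth";
// client credentials issued by the unified-auth platform. Restrict read access
// to this file to the service account and never write client_secret (or the
// Basic header derived from it) to a log.
var client_id = "xxx";
var client_secret = "yyy";
// where the IdP sends the browser back after login (must match the registered redirect_uri)
var callbackUrl = macoHost + "/plugin/sso/auth.do";
var encodedCallbackUrl = java.net.URLEncoder.encode(callbackUrl, "utf-8");
// session attribute names used across the IdP round-trip
var SESSION_REDIRECT = "userRedirectUrl";
var SESSION_STATE = "oauthState";
// upper bound for each call to the IdP so a slow IdP cannot pin request threads
var HTTP_TIMEOUT_MS = 10000;

// Returns true only for targets we are willing to send the browser to after
// login: a path on this site ("/...", but not the protocol-relative "//..."
// or "/\..." forms) or an absolute URL under macoHost. Anything else is
// treated as an open-redirect attempt and dropped.
function isSafeRedirectTarget(target) {
    if (target == null) {
        return false;
    }
    var s = "" + target; // Java String -> JS string
    if (s.length === 0) {
        return false;
    }
    // no whitespace / control characters in something that ends up in a Location header
    if (/[\s\x00-\x1f]/.test(s)) {
        return false;
    }
    if (s.charAt(0) === "/") {
        var second = s.charAt(1);
        return second !== "/" && second !== "\\";
    }
    return s === macoHost || s.indexOf(macoHost + "/") === 0;
}

// null-safe Java/JS value -> JS string (null stays null)
function asString(v) {
    return v == null ? null : "" + v;
}

// Executes one HTTP request against the IdP and returns {status, body}.
// body is the UTF-8 response text on HTTP 200 and null otherwise. Client and
// response are always closed so connections are not leaked.
function executeRequest(req) {
    var cfg = org.apache.http.client.config.RequestConfig.custom()
        .setConnectTimeout(HTTP_TIMEOUT_MS)
        .setConnectionRequestTimeout(HTTP_TIMEOUT_MS)
        .setSocketTimeout(HTTP_TIMEOUT_MS)
        .build();
    var httpclient = org.apache.http.impl.client.HttpClients.custom()
        .setDefaultRequestConfig(cfg)
        .build();
    try {
        var resp = httpclient.execute(req);
        try {
            var status = resp.getStatusLine().getStatusCode();
            var body = null;
            if (status === 200) {
                body = "" + org.apache.http.util.EntityUtils.toString(resp.getEntity(), "utf-8");
            } else {
                org.apache.http.util.EntityUtils.consume(resp.getEntity());
            }
            return { status: status, body: body };
        } finally {
            resp.close();
        }
    } finally {
        httpclient.close();
    }
}

// Exchanges an authorization code for an access token (HTTP Basic client
// authentication). Returns {status, token}; token is null on any failure.
function exchangeCode(authCode) {
    var authStr = client_id + ":" + client_secret;
    authStr = "" + new java.lang.String(
        org.apache.commons.codec.binary.Base64.encodeBase64(authStr.getBytes("utf-8")), "utf-8");
    // the code is attacker-influenced query data: encode it, never splice it raw
    var tokenUrl = baseUrl + "/oauth2/tokens?grant_type=authorization_code&redirect_uri=" + encodedCallbackUrl
        + "&code=" + java.net.URLEncoder.encode(authCode, "utf-8");
    var post = new HttpPost(tokenUrl);
    post.addHeader("Authorization", "Basic " + authStr); // contains the client secret — do not log
    var resp = executeRequest(post);
    logger.debug("token endpoint status: " + resp.status);
    var token = null;
    if (resp.body != null) {
        // alternative without fastjson: StringUtils.substringBetween(resp.body, "\"access_token\":\"", "\"")
        token = asString(com.alibaba.fastjson.JSON.parseObject(resp.body).getString("access_token"));
        if (token === "") {
            token = null;
        }
    }
    return { status: resp.status, token: token };
}

// Fetches the user profile for an access token and returns its "uid", or
// null when the call fails or the profile carries no uid.
function fetchUid(accessToken) {
    var get = new HttpGet(baseUrl + "/resources/userprofile");
    // NOTE(review): the raw token is sent without a "Bearer " prefix, as in the
    // original integration — confirm this is what the IdP expects.
    get.addHeader("Authorization", accessToken);
    var resp = executeRequest(get);
    logger.debug("user profile status: " + resp.status);
    if (resp.body == null) {
        return null;
    }
    var uid = asString(com.alibaba.fastjson.JSON.parseObject(resp.body).getString("uid"));
    return uid === "" ? null : uid;
}

// Looks the IdP uid up locally (exact, then lower-cased) and either logs the
// user into BI and redirects to target, or shows a "user not found" page.
function loginLocalUser(uid, target) {
    var userDao = beanService.getBean("userDaoImpl");
    var loginUser = userDao.findByUsername(uid);
    if (loginUser == null) {
        // local accounts may be stored lower-cased; retry once that way
        uid = uid.toLowerCase();
        loginUser = userDao.findByUsername(uid);
    }
    logger.debug("uid: " + uid + ", local user found: " + (loginUser != null));
    if (loginUser == null) {
        var sb = new StringBuilder();
        sb.append("<p>------------------------------------------------------------------------------------------------------------------------------------------------------<p/>");
        sb.append("<p>用户不存在<p/>");
        sb.append("<p>------------------------------------------------------------------------------------------------------------------------------------------------------<p/>");
        response.setContentType("text/html;charset=utf-8");
        request.getSession().setAttribute("pageTitle", "DaaS Workbench access denied.");
        request.getSession().setAttribute("message", sb.toString());
        result.setSuccess(true);
        response.sendRedirect("/view/message.do");
        return;
    }
    // Product login API: the stored credential is replayed into the login
    // command; the IdP assertion above is what actually authorised this.
    var userService = beanService.getBean("userServiceImpl");
    var uc = new UserCommand();
    uc.setUsername(uid);
    uc.setPassword(loginUser.getPassword());
    userService.userLogin(request, uc, false);
    result.setSuccess(true);
    logger.debug("Redirect to: " + target);
    response.sendRedirect(target);
}

// Page to land on when this script finishes. Default is the workbench; it may
// be replaced by a validated "redirectUrl" parameter (viewreport=1) or by the
// target remembered in the session before the IdP round-trip. It is kept raw
// here and URL-encoded only where it is embedded in a query string.
var redirectUrl = macoHost + "/workbench/home.do";
var viewreport = asString(request.getParameter("viewreport"));
if (viewreport === "1") {
    var theUrl = request.getParameter("redirectUrl");
    if (isSafeRedirectTarget(theUrl)) {
        redirectUrl = "" + theUrl;
    } else if (theUrl != null) {
        logger.warn("Ignoring unsafe redirectUrl parameter");
    }
}

var session = request.getSession();
// authorization code echoed back by the IdP after a successful login
var code = asString(request.getParameter("code"));
// error reported by the IdP (never logged verbatim — it is attacker-influenced)
var error_message = asString(request.getParameter("error_message"));

if (error_message != null && error_message !== "") {
    result.setSuccess(false);
    result.setData(error_message);
} else if (code == null || code === "") {
    // Step 1: no code yet — remember the destination, mint a state nonce and
    // send the browser to the IdP login page.
    var userRedirectUrl = request.getParameter("userRedirectUrl");
    if (isSafeRedirectTarget(userRedirectUrl)) {
        session.setAttribute(SESSION_REDIRECT, "" + userRedirectUrl);
    } else if (userRedirectUrl != null && ("" + userRedirectUrl).length > 0) {
        logger.warn("Ignoring unsafe userRedirectUrl parameter");
    }
    // "state" is a per-flow random nonce bound to this session. The IdP echoes
    // it back and the callback refuses anything that does not match, which
    // blocks login CSRF / code injection (RFC 6749 §10.12).
    var state = "" + java.util.UUID.randomUUID().toString();
    session.setAttribute(SESSION_STATE, state);
    // adjust scope and extra parameters to the IdP's documentation
    var goUrl = baseUrl + "/oauth2/authorize?client_id=" + java.net.URLEncoder.encode(client_id, "utf-8")
        + "&response_type=code&redirect_uri=" + encodedCallbackUrl
        + "&scope=xxx"
        + "&state=" + state
        + "&redirectUrl=" + java.net.URLEncoder.encode(redirectUrl, "utf-8");
    logger.debug("OAuth2 authorize url: " + goUrl);
    result.setSuccess(true);
    response.sendRedirect(goUrl);
} else {
    // Step 2: the IdP sent the browser back with a code.
    var expectedState = asString(session.getAttribute(SESSION_STATE));
    session.removeAttribute(SESSION_STATE); // single use
    var gotState = asString(request.getParameter("state"));
    var savedRedirect = asString(session.getAttribute(SESSION_REDIRECT));
    session.removeAttribute(SESSION_REDIRECT);
    if (isSafeRedirectTarget(savedRedirect)) {
        redirectUrl = savedRedirect;
    }
    logger.debug("redirectUrl: " + redirectUrl);
    if (expectedState == null || gotState == null
        || !java.security.MessageDigest.isEqual(expectedState.getBytes("utf-8"), gotState.getBytes("utf-8"))) {
        // no flow started in this session, or the callback was not for it
        logger.warn("SSO callback rejected: missing or mismatched state");
        result.setSuccess(false);
        result.setData("invalid state");
    } else {
        try {
            var exchange = exchangeCode(code);
            // status only: the code and token must not be surfaced or logged
            result.setData("[" + exchange.status + "]");
            if (exchange.token == null) {
                logger.error("SSO token exchange failed, status " + exchange.status);
                result.setSuccess(false);
            } else {
                var uid = fetchUid(exchange.token);
                if (uid == null) {
                    logger.error("SSO user profile request failed or returned no uid");
                    result.setSuccess(false);
                    result.setData("user profile unavailable");
                } else {
                    loginLocalUser(uid, redirectUrl);
                }
            }
        } catch (e) {
            // a failed handshake must not fall through to a successful result
            logger.error("SSO login failed: " + e.toString());
            result.setSuccess(false);
            result.setData("SSO login failed");
        }
    }
}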