提示
如果统一认证需要额外JAR包,可以将jar文件放到 ${安装目录}/tomcat8/lib 目录下
一、自定义管理后台SSO脚本
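// Admin-console SSO entry script (Nashorn). The host supplies the globals
// `request`, `response`, `result` and `logger`; this script only decides which
// plugin page to hand the browser to and does no authentication itself.
var version = java.lang.System.getProperty("java.version");
if (version.startsWith("1.8.0")) {
  load("nashorn:mozilla_compat.js");
}

// BI server address
var macoHost = "http://bi.xxx.com";

// Returns true only for redirect targets on the BI server itself: a path
// relative to this host ("/...", but not the scheme-relative "//host" or the
// "/\host" form some browsers accept) or an absolute URL starting with
// macoHost + "/". The value comes straight from the request, so forwarding
// anything else would make this page an open redirect.
function isSafeRedirect(url) {
  if (url == null) {
    return false;
  }
  var s = String(url);
  if (s.length === 0) {
    return false;
  }
  if (s.charAt(0) === "/") {
    return s.indexOf("//") !== 0 && s.indexOf("/\\") !== 0;
  }
  return s.indexOf(macoHost + "/") === 0;
}

// BI page to land on once the whole login sequence is done (optional).
// Unaccepted or absent values become "" so the plugin page never receives the
// literal text "null" as a target.
var redirectUrl = request.getParameter("redirectUrl");
var encodedRedirect = "";
if (isSafeRedirect(redirectUrl)) {
  encodedRedirect = java.net.URLEncoder.encode(redirectUrl, "utf-8");
} else if (redirectUrl != null && String(redirectUrl).length > 0) {
  logger.warn("Ignoring redirectUrl outside " + macoHost + ": " + redirectUrl);
}

// Plugin page that starts the unified-authentication round trip.
var urlStr = macoHost + "/plugin/sso/auth.do?userRedirectUrl=" + encodedRedirect;

// The User-Agent can select a different auth endpoint per client; the "xapp"
// mobile app goes through its own one.
var userAgent = request.getHeader("User-Agent");
logger.debug("User Agent: " + userAgent);
if (userAgent != null && userAgent.indexOf("xapp") > -1) {
  urlStr = macoHost + "/plugin/sso/appmobile/auth.do?app=xapp&redirectUrl=" + encodedRedirect;
}
logger.debug("url str: " + urlStr);

result.setSuccess(true);
response.sendRedirect(urlStr);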
二、插件页面: /plugin/sso/auth
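// Plugin page /plugin/sso/auth (Nashorn): OAuth2 authorization-code round trip
// against the unified-authentication platform, followed by a local BI login.
// Host-provided globals: request, response, result, logger, beanService.
//
// Flow:
//   1. no `code` parameter  -> remember userRedirectUrl and a fresh `state` in
//      the session, send the browser to the platform's authorize page;
//   2. `code` present       -> check `state`, exchange the code for an
//      access_token, fetch the user profile, look the user up locally, log
//      them in and redirect to the remembered page.
// Credentials, tokens and the raw platform responses are deliberately never
// written to the log; only status codes and presence flags are.
var version = java.lang.System.getProperty("java.version");
if (version.startsWith("1.8.0")) {
  load("nashorn:mozilla_compat.js");
}
importPackage(java.lang);
importPackage(java.util);
importPackage(org.apache.commons.lang3.time);
importPackage(org.apache.commons.lang3);
importPackage(com.alibaba.fastjson);
importPackage(org.apache.commons.codec.binary);
importPackage(org.apache.http.impl.client);
importPackage(org.apache.http.client.methods);
importPackage(org.apache.http);
importPackage(com.weibaobiao.command);

// BI server address
var macoHost = "http://bi.xxx.com";
// Unified-authentication platform address
var baseUrl = "https://idms.app.com/ms_oauth";
// Platform client credentials (placeholders); the secret must never be logged.
var client_id = "xxx";
var client_secret = "yyy";

// Where the platform sends the browser back after login: this page.
var callbackUrl = macoHost + "/plugin/sso/auth.do";
callbackUrl = java.net.URLEncoder.encode(callbackUrl, "utf-8");

// Returns true only for redirect targets on the BI server itself: a path
// relative to this host ("/...", but not "//host" or "/\host") or an absolute
// URL starting with macoHost + "/". Both redirectUrl and userRedirectUrl are
// caller-supplied, so anything else would make this page an open redirect.
function isSafeRedirect(url) {
  if (url == null) {
    return false;
  }
  var s = String(url);
  if (s.length === 0) {
    return false;
  }
  if (s.charAt(0) === "/") {
    return s.indexOf("//") !== 0 && s.indexOf("/\\") !== 0;
  }
  return s.indexOf(macoHost + "/") === 0;
}

// Page to land on once this script is done: the admin workbench by default,
// or a report page when viewreport=1 carries an acceptable redirectUrl.
var redirectUrl = macoHost + "/workbench/home.do";
var viewreport = request.getParameter("viewreport");
logger.warn("viewreport: " + viewreport);
if (viewreport != null && viewreport === "1") {
  var theUrl = request.getParameter("redirectUrl");
  logger.warn("theUrl: " + theUrl);
  if (isSafeRedirect(theUrl)) {
    // Explicit charset: the one-argument encode() uses the platform default.
    redirectUrl = java.net.URLEncoder.encode(theUrl, "utf-8");
  }
}

// After login the platform returns here with `code`, or with `error_message`.
var code = request.getParameter("code");
logger.warn("oauth code present: " + (code != null && code !== ""));
var error_message = request.getParameter("error_message");
var session = request.getSession();

// Looks the user up by platform uid (exact, then lower-cased) and logs them
// into the BI server, or shows the "user does not exist" page.
function loginLocalUser(uid) {
  var userDao = beanService.getBean("userDaoImpl");
  var loginUser = null;
  if (uid != null && uid !== "") {
    loginUser = userDao.findByUsername(uid);
    // Local accounts may be stored lower-cased; retry once that way.
    if (loginUser == null) {
      uid = uid.toLowerCase();
      loginUser = userDao.findByUsername(uid);
    }
  }
  if (loginUser == null) {
    logger.warn("SSO user not found locally");
    var sb = new StringBuilder();
    sb.append("<p>------------------------------------------------------------------------------------------------------------------------------------------------------<p/>");
    sb.append("<p>用户不存在<p/>");
    sb.append("<p>------------------------------------------------------------------------------------------------------------------------------------------------------<p/>");
    response.setContentType("text/html;charset=utf-8");
    session.setAttribute("pageTitle", "DaaS Workbench sccess denied.");
    session.setAttribute("message", sb.toString());
    response.sendRedirect("/view/message.do");
    return;
  }
  var userService = beanService.getBean("userServiceImpl");
  var uc = new UserCommand();
  uc.setUsername(uid);
  // NOTE(review): the stored credential is handed back to userLogin; whether
  // userLogin expects a hash or plaintext here is decided elsewhere — confirm,
  // and prefer a dedicated SSO login entry point if the service offers one.
  uc.setPassword(loginUser.getPassword());
  userService.userLogin(request, uc, false);
  logger.warn("Redirect to: " + redirectUrl);
  response.sendRedirect(redirectUrl);
}

// Exchanges the authorization code for an access_token (HTTP Basic client
// auth). Returns null on any non-200 answer. Client and response are closed.
function fetchAccessToken(authCode) {
  var authStr = client_id + ":" + client_secret;
  authStr = "" + new java.lang.String(org.apache.commons.codec.binary.Base64.encodeBase64(authStr.getBytes("utf-8")), "utf-8");
  // The code is a query parameter and must be encoded like the others.
  var tokenUrl = baseUrl + "/oauth2/tokens?grant_type=authorization_code&redirect_uri=" + callbackUrl
      + "&code=" + java.net.URLEncoder.encode(authCode, "utf-8");
  logger.warn("Auth code url: " + baseUrl + "/oauth2/tokens");
  var token = null;
  var status = -1;
  var httpclient = org.apache.http.impl.client.HttpClients.createDefault();
  try {
    var post = new HttpPost(tokenUrl);
    post.addHeader("Authorization", "Basic " + authStr);
    var resp = httpclient.execute(post);
    try {
      status = resp.getStatusLine().getStatusCode();
      logger.warn("token status: " + status);
      if (status === 200) {
        var content = org.apache.http.util.EntityUtils.toString(resp.getEntity());
        // Fully qualified: the bare name JSON resolves to the JS built-in.
        token = com.alibaba.fastjson.JSON.parseObject(content).getString("access_token");
        logger.warn("access_token obtained: " + (token != null));
      }
    } finally {
      resp.close();
    }
  } finally {
    httpclient.close();
  }
  result.setData("[" + status + "] " + authCode);
  return token;
}

// Fetches the platform user profile and returns its "uid", or null.
function fetchUid(token) {
  var profileUrl = baseUrl + "/resources/userprofile";
  logger.warn("User profile url: " + profileUrl);
  var uid = null;
  var httpclient = org.apache.http.impl.client.HttpClients.createDefault();
  try {
    var get = new HttpGet(profileUrl);
    // NOTE(review): the platform is sent the bare token (no "Bearer " prefix)
    // — confirm against its documentation.
    get.addHeader("Authorization", token);
    var resp = httpclient.execute(get);
    try {
      var status = resp.getStatusLine().getStatusCode();
      logger.warn("profile status: " + status);
      if (status === 200) {
        var content = org.apache.http.util.EntityUtils.toString(resp.getEntity());
        uid = com.alibaba.fastjson.JSON.parseObject(content).getString("uid");
      }
    } finally {
      resp.close();
    }
  } finally {
    httpclient.close();
  }
  return uid;
}

if (error_message != null && error_message !== "") {
  // NOTE(review): error_message is request-supplied; how result data is
  // rendered is outside this script — confirm it is escaped before display.
  result.setSuccess(false);
  result.setData(error_message);
} else if (code == null || code === "") {
  // No code yet: remember where to go afterwards and start the login.
  var userRedirectUrl = request.getParameter("userRedirectUrl");
  logger.warn("userRedirectUrl: " + userRedirectUrl);
  if (isSafeRedirect(userRedirectUrl)) {
    session.setAttribute("userRedirectUrl", userRedirectUrl);
  }
  // Per-login state value; OAuth2 servers echo it back unchanged, and the
  // callback refuses to finish a login whose state does not match.
  var state = java.util.UUID.randomUUID().toString();
  session.setAttribute("oauthState", state);
  // Platform login page; adjust the parameters to the platform's documentation.
  var goUrl = baseUrl + "/oauth2/authorize?client_id=" + client_id
      + "&response_type=code&redirect_uri=" + callbackUrl
      + "&scope=xxx" + "&state=" + state
      + "&redirectUrl=" + redirectUrl;
  logger.warn("OAuth2 url: " + goUrl);
  result.setSuccess(true);
  response.sendRedirect(goUrl);
} else {
  // Callback with a code: the user authenticated at the platform.
  var expectedState = session.getAttribute("oauthState");
  session.removeAttribute("oauthState");
  var returnedState = request.getParameter("state");
  var savedRedirect = session.getAttribute("userRedirectUrl");
  session.removeAttribute("userRedirectUrl");
  if (expectedState == null || returnedState == null
      || String(expectedState) !== String(returnedState)) {
    logger.error("OAuth2 state mismatch, login aborted");
    result.setSuccess(false);
    result.setData("invalid state");
  } else {
    if (isSafeRedirect(savedRedirect)) {
      redirectUrl = String(savedRedirect);
    }
    logger.warn("redirectUrl: " + redirectUrl);
    try {
      var access_token = fetchAccessToken(code);
      if (access_token != null) {
        loginLocalUser(fetchUid(access_token));
      }
      result.setSuccess(true);
    } catch (e) {
      logger.error("SSO login failed: " + e.toString());
      result.setSuccess(false);
      result.setData("sso error");
    }
  }
}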