
CAS Rest Protocol Does not work without Generic Service Definition

I want to use the REST protocol in my services. For this, I enabled the REST protocol and am trying to get a TGT. Also, all examples were based on generic service registration, which I don't want in the prod environment.

Here is the generic service registry example that should not be used in a prod environment. I did not use this in my environment:

{
  /*
    Generic service definition that applies to https/imaps urls
    that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001
}

Instead, I have the following one:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  // this service will match all the requests contains test in the request url
  "serviceId": "^https?:\\/\\/.*test($|\\/).*$",
  "name": "Test",
  "id": 1,
  "description": "Test service",
  "evaluationOrder": 2,
  "requiredHandlers": [
    "java.util.HashSet",
    [
      "TestHandler"
    ]
  ],
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "properties": {
    "@class": "java.util.HashMap",
    "jwtAsServiceTicket": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "true"
        ]
      ]
    }
  }
}

I cannot request a ticket-granting ticket as explained here:

POST /cas/v1/tickets HTTP/1.0
'Content-type': 'Application/x-www-form-urlencoded'
username=battags&password=password&additionalParam1=paramvalue

I got the following exception:

Unauthorized Service Access. Service [] is not found in service registry

When I debug the code, I can see that the TGT is created and my registered service works fine. An exception is thrown because of the registered service check against the CAS server in JWTBuilder:

    val registeredService = payload.getRegisteredService() == null
        ? locateRegisteredService(serviceAudience)
        : payload.getRegisteredService();
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);

Here CAS tries to check if service access is allowed. payload.getRegisteredService returns null and locateRegisteredService is called with serviceAudience, then ensureServiceAccessIsAllowed throws the exception.

The problem is: serviceAudience is always filled with the CAS server prefix, which means there must be a service definition that matches the CAS server prefix. All examples work when I enable the generic service definition, but when I remove it, the TGT is not returned because of the above check.

Any idea or solution? I don't want to allow everyone to be able to create a TGT. I could also add a service definition that only matches the CAS prefix, but first it is better to understand if I am missing something or if this is a bug.

My CAS version: 6.1.0

My configuration:

server.port=8095
server.servlet.context-path=/bouncer
cas.authn.policy.any.tryAll=false
cas.authn.policy.any.enabled=true
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:/services

My build:

<build>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-war-plugin</artifactId>
            <version>${maven-war-plugin.version}</version>
            <configuration>
                <warName>${project.artifactId}</warName>
                <failOnMissingWebXml>false</failOnMissingWebXml>
                <recompressZippedFiles>false</recompressZippedFiles>
                <archive>
                    <compress>false</compress>
                    <manifestFile>${manifestFileToUse}</manifestFile>
                </archive>
                <overlays>
                    <overlay>
                        <groupId>org.apereo.cas</groupId>
                        <artifactId>cas-server-webapp${app.server}</artifactId>
                        <excludes>
                            <exclude>WEB-INF/lib/log4j-api-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-jcl-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-jul-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-slf4j18-impl-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-web-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/slf4j-api-1.8.0-beta4.jar</exclude>
                        </excludes>
                    </overlay>
                </overlays>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-compiler-plugin</artifactId>
            <version>${maven-compiler-plugin.version}</version>
        </plugin>
    </plugins>
    <finalName>${project.artifactId}.jar</finalName>
</build>

<dependencies>
            <!--START: Extend CAS as WebApp-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-webapp${app.server}</artifactId>
                <version>${cas.version}</version>
                <type>war</type>
                <scope>runtime</scope>
            </dependency>
            <!--END-->

            <!--START: Logback Gelf(Graylog Extended Log Format) integration-->
            <dependency>
                <groupId>de.siegmar</groupId>
                <artifactId>logback-gelf</artifactId>
                <version>${logback-gelf.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-classic</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-core</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Java 11 integration problems, use older logback and slf4j until it is supported-->
            <dependency>
                <groupId>ch.qos.logback</groupId>
                <artifactId>logback-classic</artifactId>
                <version>${logback-classic.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <dependency>
                <groupId>org.slf4j</groupId>
                <artifactId>slf4j-api</artifactId>
                <version>${slf4j-api.version}</version>
            </dependency>
            <!--END-->

            <!-- TODO: Problem The following two deps are needed for sending traces to zipkin -->
            <!-- Problem: https://github.com/spring-cloud/spring-cloud-sleuth/issues/1193 -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-sleuth</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <!--this one is needed, because else an exception will be thrown caused
               by: java.lang.NoClassDefFoundError: com/netflix/servo/monitor/Monitors-->
            <dependency>
                <groupId>com.netflix.servo</groupId>
                <artifactId>servo-core</artifactId>
                <version>${servo-core.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <!-- START: Support JWT/CAS Protocol: https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-token-tickets</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!-- START: REST Endpoints enabled for cli authentications -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-rest-tokens</artifactId>
                <version>${cas.version}</version>

                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!-- START: JSON Service Registry Enabled -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-json-service-registry</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>javax.el</groupId>
                        <artifactId>el-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: OIDC Protocol enabled-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-oidc</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Enable consul client -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-consul-client</artifactId>
                <version>${cas-server-support-consul-client.version}</version>

                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Enable Custom Authentication for CAS: https://apereo.github.io/cas/6.0.x/installation/Configuring-Custom-Authentication.html-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-core-authentication-api</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-core-api-configuration-model</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-core-web-api</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Enable Logback Support: https://apereo.github.io/cas/6.0.x/logging/Logging-Logback.html#logback-logging-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-logback</artifactId>
                <version>${cas.version}</version>

                <exclusions>
                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-classic</artifactId>
                    </exclusion>

                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-core</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                    <!-- The NotNull annotation from this package conflicts with Hibernate for the ConsulProperties class -->
                    <exclusion>
                        <groupId>edu.washington.cs.types.checker</groupId>
                        <artifactId>checker-framework</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

</dependencies>


You're not missing anything. This sounds like a bug to me. As a workaround, I would add the service definition that matches the CAS prefix for now.

It sounds like this problem likely only manifests itself because you're using this:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-token-tickets</artifactId>
    <version>${cas.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>

If you have no need for this, then you can remove it to also remove the problem. Otherwise, for now, your workaround of adding a service definition that only matches the CAS prefix should do.

PS: You can try to switch to 6.1.2, but I don't think that would make a difference in this case; it's a good idea to switch anyway.
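The check the question quotes from JWTBuilder and the workaround the answer recommends can be modelled side by side. The following is an added example, not code from the question, the answer or the CAS project: it reimplements in Python the registry lookup the thread describes (first service definition, by evaluationOrder, whose serviceId regex matches the JWT audience, which is the CAS server prefix) and runs it against three registries: the question's Test service alone, the Test service plus the generic `^(https|imaps)://.*` definition, and the Test service plus a definition matching only the CAS server prefix. The CAS server prefix `https://sso.example.org:8095/bouncer` is constructed (the question gives port 8095 and context path /bouncer but no host), the sample URLs are constructed, and the matching and ordering are a simplification of what CAS actually does.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed CAS server prefix: the question states server.port=8095 and
# server.servlet.context-path=/bouncer but not the host name.
CAS_SERVER_PREFIX = "https://sso.example.org:8095/bouncer"


@dataclass(frozen=True)
class Service:
    """Minimal model of a RegexRegisteredService JSON definition."""
    name: str
    service_id: str          # the regex from the "serviceId" field
    evaluation_order: int = 0

    def matches(self, url: str) -> bool:
        # All patterns on the page are anchored, so search() and Java's
        # matches() agree here; CAS's full matching logic is not reproduced.
        return re.search(self.service_id, url) is not None


# The two definitions quoted in the question, with JSON string escaping
# already removed ("\\/" in the file is "\/" in the pattern).
GENERIC_SERVICE = Service("HTTPS and IMAPS", r"^(https|imaps)://.*", 0)
TEST_SERVICE = Service("Test", r"^https?:\/\/.*test($|\/).*$", 2)

# The narrow workaround from the thread: a definition matching exactly the
# CAS server prefix and nothing else (pattern constructed from the placeholder).
CAS_PREFIX_SERVICE = Service(
    "CAS server itself", "^" + re.escape(CAS_SERVER_PREFIX) + "$", 1)

# Constructed URLs used to compare how much each registry admits.
SAMPLE_URLS = [
    CAS_SERVER_PREFIX,
    "https://app.example.org/test/login",
    "https://unregistered.example.net/callback",
]


class UnauthorizedServiceAccess(Exception):
    pass


def locate_registered_service(registry: Iterable[Service], url: str) -> Optional[Service]:
    """First matching definition, lowest evaluationOrder first (CAS ordering)."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if svc.matches(url):
            return svc
    return None


def ensure_service_access_is_allowed(registry: Iterable[Service], url: str) -> str:
    """Model of the JWTBuilder check: the token audience must resolve to a
    registered service, otherwise access is refused."""
    svc = locate_registered_service(registry, url)
    if svc is None:
        raise UnauthorizedServiceAccess(
            f"Unauthorized Service Access. Service [{url}] is not found in service registry")
    return svc.name


def tgt_request_outcome(registry: Iterable[Service], audience: str = CAS_SERVER_PREFIX) -> str:
    """Name of the service that admitted the TGT request, or the error text.
    The audience defaults to the CAS server prefix, as the question observed."""
    try:
        return ensure_service_access_is_allowed(registry, audience)
    except UnauthorizedServiceAccess as exc:
        return str(exc)


def services_admitting(registry: Iterable[Service], urls: List[str]) -> Dict[str, bool]:
    """Which URLs a registry admits: shows how much wider the generic
    definition is than the CAS-prefix-only one."""
    return {u: locate_registered_service(registry, u) is not None for u in urls}


if __name__ == "__main__":
    for label, registry in [
        ("Test service only", [TEST_SERVICE]),
        ("Test + generic", [TEST_SERVICE, GENERIC_SERVICE]),
        ("Test + CAS prefix", [TEST_SERVICE, CAS_PREFIX_SERVICE]),
    ]:
        print(f"{label}: {tgt_request_outcome(registry)}")
        print(f"  admits: {services_admitting(registry, SAMPLE_URLS)}")
```

With only the Test service registered the lookup fails exactly as the question reports; both the generic definition and the CAS-prefix definition make the TGT request succeed, but the generic one also admits every other https URL, while the narrow one admits only the CAS server itself.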
