Single sign-on TicketValidationException
I created the server and the client. When the client is not configured with the virtual directory "/EIP", it works normally; if the virtual directory is configured, the following problem appears:
Server error message
ERROR org.jasig.cas.CentralAuthenticationServiceImpl -ServiceTicket ST-11-SLvleOutvxi7VEy53Q07-cas01.example.org with service http://localhost:9999/eip/eip/ does not match supplied service http://localhost:9999/eip/eip/eip/
Client error message
2014-01-25 15:52:56,799 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - org.jasig.cas.client.validation.TicketValidationException: XXX'ST-2-KORiek3rHflhLctqzGT5-cas01.example.org'XXXXXXXX at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86) at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217) at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:662)
The server I am using is cas-server-3.5.2; below is my configuration of the file deployerConfigContext.xml:
> xmlns="http://www.springframework.org/schema/beans" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xmlns:p="http://www.springframework.org/schema/p" > xmlns:tx="http://www.springframework.org/schema/tx" > xmlns:sec="http://www.springframework.org/schema/security" > xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd > http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd > http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> > CentralAuthenticationService service bean | declared in > applicationContext.xml picks up this AuthenticationManager by > reference to its id, | "authenticationManager". Most deployers > will be able to use the default AuthenticationManager | > implementation and so do not need to change the class of this bean. > We include the whole | AuthenticationManager here in the > userConfigContext.xml so that you can see the things you will | need > to change in context. +--> class="org.jasig.cas.authentication.AuthenticationManagerImpl"> > This switch effectively will turn on clearpass. > > > > > --> > AuthenticationManagerImpl considers them in order, finding a > CredentialToPrincipalResolver which | supports the presented > credentials. | | AuthenticationManagerImpl uses these resolvers > for two purposes. First, it uses them to identify the Principal | > attempting to authenticate to CAS /login . In the default > configuration, it is the DefaultCredentialsToPrincipalResolver | > that fills this role. If you are using some other kind of credentials > than UsernamePasswordCredentials, you will need to replace | > DefaultCredentialsToPrincipalResolver with a > CredentialsToPrincipalResolver that supports the credentials you are > | using. 
| | Second, AuthenticationManagerImpl uses these > resolvers to identify a service requesting a proxy granting ticket. > | In the default configuration, it is the > HttpBasedServiceCredentialsToPrincipalResolver that serves this > purpose. | You will need to change this list if you are > identifying services by something more or other than their callback > URL. +--> > > | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login > | by default and produces SimplePrincipal instances conveying the username from the credentials. > | > | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also > | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that > supports the > | Credentials you are using. > +--> > > > > > | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of > | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a > | SimpleService identified by that callback URL. > | > | If you are representing services by something more or other than an HTTPS URL whereat they are able to > | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). > +--> > class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" > /> > > some Credentials might authenticate, | AuthenticationHandlers > actually authenticate credentials. Here we declare the > AuthenticationHandlers that | authenticate the Principals that the > CredentialsToPrincipalResolvers identified. CAS will try these > handlers in turn | until it finds one that both supports the > Credentials presented and succeeds in authenticating. 
+--> > > | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating > | a server side SSL certificate. > +--> > p:httpClient-ref="httpClient"/> > | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS > | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates > UsernamePasswordCredentials > | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your > | local authentication strategy. You might accomplish this by coding a new such handler and declaring > | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. > +--> > > > value="select password from a_user where lower(userName) = lower(?)" /> > > > class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" > /> > --> > > > Management application. Simple deployments can use the in-memory > version. More robust deployments will want to use another option, > such as the Jdbc version. The name of this should remain > "userDetailsService" in order for Spring Security to find it. --> > --> > > > > A real implementation may go against a database or LDAP server. The > id should remain "attributeRepository" though. --> id="attributeRepository" > class="org.jasig.services.persondir.support.StubPersonAttributeDao"> > > > > --> class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao" > id="attributeRepository"> > > > > > > > > > > > > > replace this with the JPA-backed ServiceRegistry DAO The name of this > bean should remain "serviceRegistryDao". 
--> id="serviceRegistryDao" > class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"> > > > > > > > > > > > > id > username > idcard > phone > > > > Use the following definition instead of the above to further restrict access > to services within your domain (including subdomains). > Note that example.com must be replaced with the domain you wish to permit. > --> > > > > > > > > --> > > > > > class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" > /> > > > > p:freeMemoryWarnThreshold="10" /> > NOTE > The following ticket registries support SessionMonitor: > * DefaultTicketRegistry > * JpaTicketRegistry > Remove this monitor if you use an unsupported registry. > --> > p:ticketRegistry-ref="ticketRegistry" > p:serviceTicketCountWarnThreshold="5000" > p:sessionCountWarnThreshold="100000" /> > > > > > oracle.jdbc.driver.OracleDriver > > > jdbc:oracle:thin:@10.124.32.56:1521:orcl --> > jdbc:oracle:thin:@192.168.0.13:1522:SERVER10 > jdbc:oracle:thin:@127.0.0.1:1522:work--> > > > gzedieip > > > gzkit > > >
Does anyone know the reason? Thanks.
The problem was finally solved in the client configuration: whether or not the application has a virtual directory, the virtual directory does not need to be added to the client configuration.
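The server log above is the CAS ticket-to-service binding check doing its job: a service ticket is granted for one service URL and is only valid, once, for exactly that URL, which is what stops a ticket issued for one application from being replayed to validate a session for another. The mismatch in the question appears when the client builds its `service` value from a serverName that already carries the virtual directory, so the context path is repeated. The following is an added example, not CAS server or client code; `TicketRegistry`, `client_service_url` and `demo` are invented names, the exact-string comparison is a simplification of CAS's URL matching, and the URLs are constructed from the ones in the question.

```python
# Added example: a minimal model of the CAS service-ticket binding check that
# produces the "does not match supplied service" error in the question.
# Illustrative code only, not CAS code; names are invented for the example.
import secrets
from dataclasses import dataclass


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str        # the service URL the ticket was granted for
    consumed: bool = False


class TicketRegistry:
    """Issues one-time service tickets bound to a service URL and validates them."""

    def __init__(self) -> None:
        self._tickets: dict[str, ServiceTicket] = {}
        self._seq = 0

    def grant(self, service: str) -> ServiceTicket:
        self._seq += 1
        # Same shape as the ids in the question's log, with a random suffix
        ticket_id = f"ST-{self._seq}-{secrets.token_urlsafe(15)}-cas01.example.org"
        st = ServiceTicket(ticket_id, service)
        self._tickets[ticket_id] = st
        return st

    def validate(self, ticket_id: str, supplied_service: str) -> tuple[bool, str]:
        """Return (ok, reason). A ticket validates only once and only for the exact
        service URL it was granted for (simplification: CAS strips jsessionid and
        fragments before comparing, but otherwise the URLs must agree)."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return False, "INVALID_TICKET: ticket not recognized"
        if st.consumed:
            return False, "INVALID_TICKET: ticket already consumed"
        if st.service != supplied_service:
            return False, (f"INVALID_SERVICE: {ticket_id} with service {st.service} "
                           f"does not match supplied service {supplied_service}")
        st.consumed = True
        return True, "OK"


def client_service_url(server_name: str, request_uri: str) -> str:
    """Build the `service` value the way a servlet CAS client does: serverName plus
    the request URI. The request URI already contains the webapp context path,
    so a serverName that also carries the context path duplicates it."""
    return server_name.rstrip("/") + "/" + request_uri.lstrip("/")


def demo() -> list[str]:
    """Walk through a correct and a misconfigured client and return the outcomes."""
    registry = TicketRegistry()
    request_uri = "/eip/"       # context path /eip, request for its root
    results = []

    # Correctly configured client: serverName carries no context path
    good = client_service_url("http://localhost:9999", request_uri)
    st = registry.grant(good)
    _, reason = registry.validate(st.ticket_id, good)
    results.append(f"{good}: {reason}")

    # A second validation of the same ticket is refused (one-time use)
    _, reason_replay = registry.validate(st.ticket_id, good)
    results.append(f"{good} (replay): {reason_replay}")

    # Misconfigured client: serverName repeats the virtual directory, so the
    # service URL sent at validation differs from the one the ticket was granted for
    bad = client_service_url("http://localhost:9999/eip", request_uri)
    st2 = registry.grant(good)
    _, reason_bad = registry.validate(st2.ticket_id, bad)
    results.append(f"{bad}: {reason_bad}")
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the block prints one OK line, one refused replay, and an INVALID_SERVICE line of the same shape as the server log in the question; the fix in the accepted answer corresponds to the first case, where the client's serverName is the scheme, host and port only.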