具有Spring Security 4的CAS 4(java配置)-在票证被授予SSO后卡在重定向循环中
作者:互联网
我已经在这个问题上停留了大约两天了.我有一个CAS 4应用程序和一个在Tomcat 8上运行的支持Spring的(MVC和安全性)Web应用程序.我正在尝试针对CAS服务器进行身份验证.所有设置工作都很好,但是一旦我似乎已通过身份验证(凭票证)并尝试重定向,我就会得到此网页具有重定向循环,ERR_TOO_MANY_REDIRECTS.我正在使用来自CAS 4的默认内存中身份验证(用户:casuser,密码:Mellon)
我努力了:
1)为casAuthenticationFilter上下文路径(/ test / j_spring_cas_security_check)使用不同的前缀,并在serviceProperties中使用匹配的前缀(serviceProperties.setService(“ https://OFB25572D8.OKFB.COM:8443/phoenixWeb/test/j_spring_cas_security_check”); )
>从自定义SavedRequestAwareAuthenticationSuccessHandler重定向到我的contextRoot并覆盖
onAuthenticationSuccess(HttpServletRequest请求,
HttpServletResponse响应,身份验证)
>转到Spring MVC 3.2.8和Spring Security 3.2.8(有人遇到类似的问题,并转到较旧的Spring版本)
这是设置(没有web.xml,所有操作都使用Java Config完成):
SecurityConfig.java
@Configuration
@EnableWebSecurity
public class PhoenixSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check");
serviceProperties.setSendRenew(false);
return serviceProperties;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("phoenixWeb_CAS_ID");
return casAuthenticationProvider;
}
@Bean
public AuthenticationUserDetailsService authenticationUserDetailsService() {
return new TestCasAuthenticationUserDetailsService();
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator("https://OFB25572D8.OKFB.COM:8443/cas");
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setAuthenticationSuccessHandler(customSuccessHandler());
casAuthenticationFilter.setFilterProcessesUrl("/j_spring_cas_security_check");
return casAuthenticationFilter;
}
@Bean
public SavedRequestAwareAuthenticationSuccessHandler customSuccessHandler() {
return new CustomRequestHandler();
}
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl("https://OFB25572D8.OKFB.COM:8443/cas/login");
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(casAuthenticationFilter());
http
.exceptionHandling()
.authenticationEntryPoint(casAuthenticationEntryPoint());
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
//.anyRequest().permitAll()
//.and().csrf().csrfTokenRepository(csrfTokenRepository()).and();
//.and().csrf().disable()
//.formLogin()
//.loginPage("/login")
//.permitAll();
//Below is forcing over HTTPS
//.and().requiresChannel().anyRequest().requiresSecure();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.authenticationProvider(casAuthenticationProvider());
}
}
TestCasAuthenticationUserDetailsService.java
public class TestCasAuthenticationUserDetailsService implements AuthenticationUserDetailsService {
@Override
public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new User("casuser", "Mellon", authorities);
}
}
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-jpa</artifactId>
<version>1.9.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas-client</artifactId>
<version>3.0.8.RELEASE</version>
</dependency>
</dependencies>
对Web应用程序的初始请求
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:20:14 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
一旦我按提交
Request URL:https://ofb25572d8.okfb.com:8443/cas/login;jsessionid=988CBFBD15B4FE7562C8A5D4A3ADBE70?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Request Method:POST
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:0
Date:Wed, 30 Dec 2015 19:22:53 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:CASPRIVACY=""; Path=/cas/; Secure; HttpOnly
Set-Cookie:TGC=eyJhbGciOiJIUzUxMiJ9.ZXlKaGJHY2lPaUprYVhJaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJbjAuLndXYV9rNTVNRWVMWHNXdjlCWW1qVGcuVjFGM1VqWF93THVQWFBpbnBUaW9lRWRyS2p0QnNRODJwNG5INnRCZTlUYVJORk00QUprbVlRYlI0c2l3SFpJeHVCc0R6ZkZVdnlSaVhNekpkSURBaXQtazhpNkl2NEhUUjlyVzY1T1E1YmZ6VUEwX3JKOWdvLXNaNE5hTm9WTTNtSGVDalBsdGtFaVVUNXAxWGhYWVh5U25rZlQwaGxXLTJXVEZLZ0U3LXZQLVd2SVNCLTFtaHRjLWl6U2VfUWhrVS00RnZ1QWdOM2lZN2JvTGJ4c3VLMEE5RFBWM2xxZ2xncWtCQld2eW1PMkxKcm5fSGZ6aXdDeDdmS2N2Sjk1UlA1clIxaWs2Sk5VSTk2dEktUEtiS2cuSzl4YjM2aVY0Q0RfRDQtVWhDSzgzUQ.1KHCed4LP-E1VHN8nxTIoligha0yGYP-aAfbuIVkVPbbb2o5PiLdFrS3gbmuGLEApEXJpPcCExOcjYaLRNw8tg; Path=/cas/; Secure; HttpOnly
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:2894
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=988CBFBD15B4FE7562C8A5D4A3ADBE70
Host:ofb25572d8.okfb.com:8443
Origin:https://ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
service:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check
Form Data
view source
view URL encoded
username:casuser
password:Mellon
lt:LT-1-3c6Q2CbmBx2YdWkQDM9fxHkWnc7AQJ-cas01.example.org
execution:a1757b02-69fc-46c7-a997-1b747ea87038_AAAAIgAAABAyzkQ98n/PaEXy025/kUJZAAAABmFlczEyOFsDrH9p+tpmDRMzL8sfKARNMiwmDEizgxEjXOHgNN0GhRtK8d600V6tEbNFQfoUKKibDDrjJ2YYfimZvArm0AARwzGgiFLV2MIuzs5poUXNXf1Gam6chUrgexNZRu+MKgnh3jTUjzEMGd8BQT/2wYUgbsYktbppTEYfsR1FjIC2rbL4euzaM452Wvdbbb7kyw4hHNWnF6/Gvtf6iQxg14vW7FtDGv5J96E1Cv/FrXpqHffMujN6ZlZs1rz5jonhehVJoWSjIJYQgeq6p9meBdNuzeoLZCyr71vxIT/CBElmIxDr4HDd+u7g3VPDJdZ0FfI+p6LOFH3l97HGwT8AjAKtAlZ+DfPXHXIDbDWeHgw31ke6VHsnjuTR6TG+gc2TkF82WOiZ5PpTS7J/N565hkrgEh7Mx5mH2WSrDUk+5V95ZY78ctZBHyiblT0xVWjZp/eEaDGy6+14IRFRXshkx/x0LkvrLbYsb1J+4tkUo1j959JEjHbLqDsUZUczYSkFXYJVcZGEiVOlgp66i0QpGR7O4ubRtFrA/ZKSAwDsTMaR4uKcORADCPSOOG3R8fUuQAF0UQZtsrsu/C8FBXD16wE81Jy/EDvUwiFpihkmkEoajvDDsYuVguapeWVIloHrAGp8RjzWPcG7mK7bO++/oet5TWm6yG3hvSPVTpR93ETpdfTYlcZneKaM7HRyGx1WbZntK5mgsBzJtqvgJy9mYANRggPpWVFOThMS6BP1Q14HpWA5XUDu4hay8Pulps4K7cRnk1SRjzCFNqYXA/ZI9hVf8+QrShl2T6xS7kdTfI283THixux2WSfyWkoYmN9xhweSw5YOL7zWBxvvcEEP8hOqPLfr1/pxQMFhiAu8xrg1Gbf6BYIX9f/Olp8Zp6MJtzM99TNLcp0Wvoa8Oj4WHB38cuGPppYNA5V7iDycIaEMCzYb+aOQZd455YuLQxpePVD48CTENEocBJGsKQ+dO2zVayRkwtLlB5PgXaJEkqwlFbNxPaImYahv9p/HteNNMS4jc1JsimhOaICOk/u1XG9jRLCRXKeYazKpRfPT8z9KEvVDmncOqSwK8uJqZMLZIaFLPGJzhehp081CToVb50WxJiO1ySYU8e441LrIHGjS4NNoeoIf1MThmXpXGqqeTEaZMP/+XQUF2VhWsZM5k6iYj0227MxYJlObnBCXgYjsv9v4VTa6kCVutUWMYIwdENID6S1fXF8Dqn4RSg3l2TRhGQZMzrylJdLA8K873i1wU7o2neEmL4PPBvHuxCBaIhF2lldcq1MXg+fH4mtRrULk+aTjc9zvWjXZvTqO1nVsWZyxuSG72QCfS5MEDUWqVA3BRkW1RLcQPQs7WxvkUi9MTJN99Gt/X30Kw4ifZk2RpZD8x8DI1HC+stBdY9mgl+8SYtoB6Cxuj/XVPMcZM+iw4sQTlDTqNw0p0Muwmj6sGduh4bjuZX2r+E/L8d3tARy0QtdHht/07Y24QA8If6C9rL7SlSkhhOQQynpI9BOFN/jOf9ya66HPTEVtyutiT+r+5SuawyhwUCvgnRkVxNsFIHIcuvUj10X9VAR0/5rHlTX0pXnMz8zO75nCCVb3yoaOfVKPiAar8bLY20PSwUm4hapMWHrnIwINR64jntyA0byq7zGPH2OiGrv1c/5ky5mhzEG5A9yrWId89kgNd8BjNpL9DJN0+0mCVECULYnSwk5nfJVsuUMFDClEmJ1L06uahTvxS1X0GdWjna36gqiW4uMIpW8czH4IAATqob/iF0f30U8+0I/aNUPGuUimMoeS+fCQM2enu0V8tCwU4oPemCYCrVQGi2ReCMglbQGDnp2IJPhgYN2E6OGndJOSNpc1w9KQF3t5bwnsrScnVj2gf3/GVEUwxRqhH2GA49LiqNLycwoJGZHMz6tK0DZL8FQu7I0S74SLsuFfmbeQwLVj3KMgMOWpLctPCIrn2CVfYvzd1uFZXTfK7s3+uR8Kfh+wSqAoF9c3du3Qb3saFg8AxRQ6A21BzgUgcU8nS5nhoGaGLdunpITtiRBK3DTuEWOnXnuQXU02CW4PbPLNDsiHydvJFmP6nn9Uhi4y1G7XPUrv/s3IkZxW4NsvtTNXC3gqvyWke0zQLNKszYcsIV5v+8POOZLXQpQRA79LN1toLjLvH8snhrgAMYND8NnAFLbgCJMzLvvPLnmWW6oMsIu3IH6irU8Qjk3FkwUOnUoQ1ybqTAdNsmG3RJ7dxM1sDBCRRY67dpbl4/fETYFQGgrYw8YOTeH3KF00w00q8ytyyXGGUOyrxiT1hDqPo+0Ya01q/BkEnhjwIgDSjTI3eoiNy/JS2Y8Yg94OpeTfaTOyRk8MNb6UYg+mx8QOrm8+A2/W5WwC6A050CWcXBOG/GCC94TqL+cQ1iJw8MMLl4ZXYRrY51voeXcWJipoVF3YH/cs+WvL3YfJAQzPgj8HhMiUtM9aMauQFg1Z6wNPndPx6M8p/d8YJqt2v8IamNDWNx/Qx7tAHie3dxids5E8GqmeVqFJ9mitMT2vIT6kmEiw
_eventId:submit
submit:LOGIN
票证授予后
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://ofb25572d8.okfb.com:8443/phoenixWeb
Pragma:no-cache
Server:Apache-Coyote/1.1
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
ticket:ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
当我应该通过身份验证并显示主页时
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=9A60C50821E55B52CAA138B9233B305F; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
解决方法:
我终于能够找出为什么我遇到了重定向循环错误.问题是当我发出初始请求时,Spring在SAVED_REQUEST会话属性中为servletPath提供了一个空字符串.
初始网址为:
https://server:8443/contextPath
我的Spring控制器具有一个类级别的根映射到“ /”.我对该应用程序的安全设置是:
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
因此,考虑到这一点,当我发出初始请求时,servletPath是一个空字符串“”(我成功扩展了SavedRequestAwareAuthenticationSuccessHandler的名称,以在成功登录后观察重定向),并且由于没有映射到casFilter试图重新进行身份验证一遍又一遍的请求.
如果我在网址末尾使用斜杠,则一切正常:
https://server:8443/contextPath/ //NOTE the slash in the end
因此,对于那些存在类似问题的用户,所有配置和设置的外观和行为均正确,但仍获得重定向循环,请检查您的RequestMappings和您要进行身份验证的URL!
标签:spring-security,single-sign-on,cas,spring,java 来源: https://codeday.me/bug/20191119/2034573.html