个人中心
gpt4 book ai didi

java - 具有 Spring Security 4(java 配置)的 CAS 4 - 在票证授予 SSO 后卡在重定向循环中

转载 作者:塔克拉玛干 更新时间:2023-11-02 08:40:16 24 4
gpt4 key购买 nike

我已经在这个问题上停留了大约几天了。我有一个 CAS 4 应用程序和一个在 Tomcat 8 上运行的 Spring-enabled(MVC 和安全性) web 应用程序。我正在尝试针对 CAS 服务器进行身份验证。所有设置都运行良好,但一旦我似乎通过了身份验证(获得票证)并尝试重定向,我得到了This webpage has a redirect loop,ERR_TOO_MANY_REDIRECTS。我正在使用来自 CAS 4 的默认内存中身份验证(用户:casuser,密码:Mellon)

我试过:

1) 为 casAuthenticationFilter 上下文路径 (/test/j_spring_cas_security_check) 使用了不同的前缀,并在 serviceProperties (serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/test/j_spring_cas_security_check");)

  1. 从自定义 SavedRequestAwareAuthenticationSuccessHandler 重定向到我的 contextRoot 并覆盖

onAuthenticationSuccess(HttpServletRequest 请求, HttpServletResponse响应,Authentication认证)

  1. 转到 Spring MVC 3.2.8Spring Security 3.2.8(有人遇到类似问题并转到旧版本的 Spring)

这里是设置(没有 web.xml,全部使用 Java Config 完成):

SecurityConfig.java

@Configuration
@EnableWebSecurity

public class PhoenixSecurityConfig extends WebSecurityConfigurerAdapter {

     @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check");
        serviceProperties.setSendRenew(false);
        return serviceProperties;
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
        casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
        casAuthenticationProvider.setServiceProperties(serviceProperties());
        casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
        casAuthenticationProvider.setKey("phoenixWeb_CAS_ID");
        return casAuthenticationProvider;
    }

    @Bean
    public AuthenticationUserDetailsService authenticationUserDetailsService() {
        return new TestCasAuthenticationUserDetailsService();
    }

    @Bean
    public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
        return new Cas20ServiceTicketValidator("https://OFB25572D8.OKFB.COM:8443/cas");
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
        CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
        casAuthenticationFilter.setAuthenticationManager(authenticationManager());
        casAuthenticationFilter.setAuthenticationSuccessHandler(customSuccessHandler());
        casAuthenticationFilter.setFilterProcessesUrl("/j_spring_cas_security_check");
        return casAuthenticationFilter;
    }

    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler customSuccessHandler() {
        return new CustomRequestHandler();
    }

    @Bean
    public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
        CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
        casAuthenticationEntryPoint.setLoginUrl("https://OFB25572D8.OKFB.COM:8443/cas/login");
        casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
        return casAuthenticationEntryPoint;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

         http
             .addFilter(casAuthenticationFilter());
         http
             .exceptionHandling()
                 .authenticationEntryPoint(casAuthenticationEntryPoint());

        http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
            //.anyRequest().permitAll()
            //.and().csrf().csrfTokenRepository(csrfTokenRepository()).and();
            //.and().csrf().disable()
        //.formLogin()
        //.loginPage("/login")
        //.permitAll();
        //Below is forcing over HTTPS
        //.and().requiresChannel().anyRequest().requiresSecure();

    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .authenticationProvider(casAuthenticationProvider());
    }

}

TestCasAuthenticationUserDetailsS​​ervice.java

public class TestCasAuthenticationUserDetailsService implements AuthenticationUserDetailsService {
    @Override
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        return new User("casuser", "Mellon", authorities);
    }
}

pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>4.2.2.RELEASE</version>
    </dependency> 
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-orm</artifactId>
        <version>4.2.2.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.data</groupId>
        <artifactId>spring-data-jpa</artifactId>
        <version>1.9.1.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>4.0.3.RELEASE</version>
    </dependency>
    <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-config</artifactId>
         <version>4.0.3.RELEASE</version>
    </dependency>
    <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-ldap</artifactId>
         <version>4.0.3.RELEASE</version>
    </dependency>        
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-cas-client</artifactId>
        <version>3.0.8.RELEASE</version>
    </dependency>   
  </dependencies>

对 Web 应用程序的初始请求

Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:20:14 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

一旦我按下提交

Request URL:https://ofb25572d8.okfb.com:8443/cas/login;jsessionid=988CBFBD15B4FE7562C8A5D4A3ADBE70?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Request Method:POST
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:0
Date:Wed, 30 Dec 2015 19:22:53 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:CASPRIVACY=""; Path=/cas/; Secure; HttpOnly
Set-Cookie:TGC=eyJhbGciOiJIUzUxMiJ9.ZXlKaGJHY2lPaUprYVhJaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJbjAuLndXYV9rNTVNRWVMWHNXdjlCWW1qVGcuVjFGM1VqWF93THVQWFBpbnBUaW9lRWRyS2p0QnNRODJwNG5INnRCZTlUYVJORk00QUprbVlRYlI0c2l3SFpJeHVCc0R6ZkZVdnlSaVhNekpkSURBaXQtazhpNkl2NEhUUjlyVzY1T1E1YmZ6VUEwX3JKOWdvLXNaNE5hTm9WTTNtSGVDalBsdGtFaVVUNXAxWGhYWVh5U25rZlQwaGxXLTJXVEZLZ0U3LXZQLVd2SVNCLTFtaHRjLWl6U2VfUWhrVS00RnZ1QWdOM2lZN2JvTGJ4c3VLMEE5RFBWM2xxZ2xncWtCQld2eW1PMkxKcm5fSGZ6aXdDeDdmS2N2Sjk1UlA1clIxaWs2Sk5VSTk2dEktUEtiS2cuSzl4YjM2aVY0Q0RfRDQtVWhDSzgzUQ.1KHCed4LP-E1VHN8nxTIoligha0yGYP-aAfbuIVkVPbbb2o5PiLdFrS3gbmuGLEApEXJpPcCExOcjYaLRNw8tg; Path=/cas/; Secure; HttpOnly
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:2894
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=988CBFBD15B4FE7562C8A5D4A3ADBE70
Host:ofb25572d8.okfb.com:8443
Origin:https://ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
service:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check
Form Data
view source
view URL encoded
username:casuser
password:Mellon
lt:LT-1-3c6Q2CbmBx2YdWkQDM9fxHkWnc7AQJ-cas01.example.org
execution:a1757b02-69fc-46c7-a997-1b747ea87038_AAAAIgAAABAyzkQ98n/PaEXy025/kUJZAAAABmFlczEyOFsDrH9p+tpmDRMzL8sfKARNMiwmDEizgxEjXOHgNN0GhRtK8d600V6tEbNFQfoUKKibDDrjJ2YYfimZvArm0AARwzGgiFLV2MIuzs5poUXNXf1Gam6chUrgexNZRu+MKgnh3jTUjzEMGd8BQT/2wYUgbsYktbppTEYfsR1FjIC2rbL4euzaM452Wvdbbb7kyw4hHNWnF6/Gvtf6iQxg14vW7FtDGv5J96E1Cv/FrXpqHffMujN6ZlZs1rz5jonhehVJoWSjIJYQgeq6p9meBdNuzeoLZCyr71vxIT/CBElmIxDr4HDd+u7g3VPDJdZ0FfI+p6LOFH3l97HGwT8AjAKtAlZ+DfPXHXIDbDWeHgw31ke6VHsnjuTR6TG+gc2TkF82WOiZ5PpTS7J/N565hkrgEh7Mx5mH2WSrDUk+5V95ZY78ctZBHyiblT0xVWjZp/eEaDGy6+14IRFRXshkx/x0LkvrLbYsb1J+4tkUo1j959JEjHbLqDsUZUczYSkFXYJVcZGEiVOlgp66i0QpGR7O4ubRtFrA/ZKSAwDsTMaR4uKcORADCPSOOG3R8fUuQAF0UQZtsrsu/C8FBXD16wE81Jy/EDvUwiFpihkmkEoajvDDsYuVguapeWVIloHrAGp8RjzWPcG7mK7bO++/oet5TWm6yG3hvSPVTpR93ETpdfTYlcZneKaM7HRyGx1WbZntK5mgsBzJtqvgJy9mYANRggPpWVFOThMS6BP1Q14HpWA5XUDu4hay8Pulps4K7cRnk1SRjzCFNqYXA/ZI9hVf8+QrShl2T6xS7kdTfI283THixux2WSfyWkoYmN9xhweSw5YOL7zWBxvvcEEP8hOqPLfr1/pxQMFhiAu8xrg1Gbf6BYIX9f/Olp8Zp6MJtzM99TNLcp0Wvoa8Oj4WHB38cuGPppYNA5V7iDycIaEMCzYb+aOQZd455YuLQxpePVD48CTENEocBJGsKQ+dO2zVayRkwtLlB5PgXaJEkqwlFbNxPaImYahv9p/HteNNMS4jc1JsimhOaICOk/u1XG9jRLCRXKeYazKpRfPT8z9KEvVDmncOqSwK8uJqZMLZIaFLPGJzhehp081CToVb50WxJiO1ySYU8e441LrIHGjS4NNoeoIf1MThmXpXGqqeTEaZMP/+XQUF2VhWsZM5k6iYj0227MxYJlObnBCXgYjsv9v4VTa6kCVutUWMYIwdENID6S1fXF8Dqn4RSg3l2TRhGQZMzrylJdLA8K873i1wU7o2neEmL4PPBvHuxCBaIhF2lldcq1MXg+fH4mtRrULk+aTjc9zvWjXZvTqO1nVsWZyxuSG72QCfS5MEDUWqVA3BRkW1RLcQPQs7WxvkUi9MTJN99Gt/X30Kw4ifZk2RpZD8x8DI1HC+stBdY9mgl+8SYtoB6Cxuj/XVPMcZM+iw4sQTlDTqNw0p0Muwmj6sGduh4bjuZX2r+E/L8d3tARy0QtdHht/07Y24QA8If6C9rL7SlSkhhOQQynpI9BOFN/jOf9ya66HPTEVtyutiT+r+5SuawyhwUCvgnRkVxNsFIHIcuvUj10X9VAR0/5rHlTX0pXnMz8zO75nCCVb3yoaOfVKPiAar8bLY20PSwUm4hapMWHrnIwINR64jntyA0byq7zGPH2OiGrv1c/5ky5mhzEG5A9yrWId89kgNd8BjNpL9DJN0+0mCVECULYnSwk5nfJVsuUMFDClEmJ1L06uahTvxS1X0GdWjna36gqiW4uMIpW8czH4IAATqob/iF0f30U8+0I/aNUPGuUimMoeS+fCQM2enu0V8tCwU4oPemCYCrVQGi2ReCMglbQGDnp2IJPhgYN2E6OGndJOSNpc1w9KQF3t5bwnsrScnVj2gf3/GVEUwxRqhH2GA49LiqNLycwoJGZHMz6tK0DZL8FQu7I0S74SLsuFfmbeQwLVj3KMgMOWpLctPCIrn2CVfYvzd1uFZXTfK7s3+uR8Kfh+wSqAoF9c3du3Qb3saFg8AxRQ6A21BzgUgcU8nS5nhoGaGLdunpITtiRBK3DTuEWOnXnuQXU02CW4PbPLNDsiHydvJFmP6nn9Uhi4y1G7XPUrv/s3IkZxW4NsvtTNXC3gqvyWke0zQLNKszYcsIV5v+8POOZLXQpQRA79LN1toLjLvH8snhrgAMYND8NnAFLbgCJMzLvvPLnmWW6oMsIu3IH6irU8Qjk3FkwUOnUoQ1ybqTAdNsmG3RJ7dxM1sDBCRRY67dpbl4/fETYFQGgrYw8YOTeH3KF00w00q8ytyyXGGUOyrxiT1hDqPo+0Ya01q/BkEnhjwIgDSjTI3eoiNy/JS2Y8Yg94OpeTfaTOyRk8MNb6UYg+mx8QOrm8+A2/W5WwC6A050CWcXBOG/GCC94TqL+cQ1iJw8MMLl4ZXYRrY51voeXcWJipoVF3YH/cs+WvL3YfJAQzPgj8HhMiUtM9aMauQFg1Z6wNPndPx6M8p/d8YJqt2v8IamNDWNx/Qx7tAHie3dxids5E8GqmeVqFJ9mitMT2vIT6kmEiw
_eventId:submit
submit:LOGIN

获得票据后

Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://ofb25572d8.okfb.com:8443/phoenixWeb
Pragma:no-cache
Server:Apache-Coyote/1.1
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
ticket:ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org

当我应该通过身份验证并显示主页时

Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=9A60C50821E55B52CAA138B9233B305F; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

最佳答案

我终于找到了为什么会出现 Redirect Loop 错误。问题是,当我发出初始请求时,Spring 在 SAVED_REQUEST session 属性中为 servletPath 提供了一个空字符串。

最初的网址是:

https://server:8443/contextPath

我的 Spring Controller 有一个类级别的根映射到 "/"。我的应用程序安全设置是:

http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");

因此,考虑到这一点,当我发出初始请求时,servletPath 是一个空字符串 ""(我扩展了 SavedRequestAwareAuthenticationSuccessHandler在成功登录后观察重定向)并且由于没有任何内容映射到 casFilter 试图一遍又一遍地重新验证请求。

如果我在 URL 的末尾使用斜线,一切都会完美无缺:

https://server:8443/contextPath/      //NOTE the slash in the end

因此,对于那些有类似问题的人,所有配置和设置看起来和行为都正确,但仍然会出现重定向循环,请检查您的 RequestMappingsURL正在尝试验证!

关于java - 具有 Spring Security 4(java 配置)的 CAS 4 - 在票证授予 SSO 后卡在重定向循环中,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34536063/

24 4 0
文章推荐: ios - 为什么我的应用程序因内存压力而终止后不再收到信标通知?
文章推荐: java - whatsapp 和即时消息应用程序如何在没有奥利奥持久通知的情况下在后台工作?
文章推荐: ios - 您可以动态分配 CFBundleDocumentTypes(使用私有(private) API 吗?)
文章推荐: java - 使用 Netty 进行管道流式传输
塔克拉玛干
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com