Question

我有自己的Jasig CAS服务器：

https://cas.example.com

此外，我有两个连接到此CAS服务器的子域（应用程序），例如：

https://ui.example.com
https://api.example.com

我可以通过以下请求成功为https://ui.example.com创建ST票证：

https://cas.example.com/login?service=https://ui.example.com

响应：

https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/

但我无法将此票证用于https://api.example.com

https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com

出现以下错误：

access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n            Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account

这是我的服务配置：

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^(http?|https?)://.*example.com/.*",
  "name" : "example.com dev
  "theme" : example
  "id" : 20000002,
  "description" : "example.com dev environment",
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^(http?|https?)://.*example.com/.*"
  },
  "evaluationOrder" : 2,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

是否可以签发一个将被这两个子域https://ui.example.com和https://api.example.com接受的ST票证？

Answer 1

使用Jasig CAS是不可能的

CAS服务器跨子域ST票证

1 个答案: