Question

我们正在尝试将现有的Web应用程序从Spring 2.x升级到Spring 3，并相信我们已经处于最后一个问题，然后才能再次运行。我们使用CAS，并且可以访问JASIG CAS登录，但是当我们登录时它会出现404错误。我们的服务器管理员从CAS服务器拉出Catalina日志并且它表明登录成功并且它正在返回到申请。但是在tomcat服务器的调试输出中，它表示匿名用户拒绝访问，我不是。

Web.xml代码段

<context-param>
    <param-name>log4jConfigLocation</param-name> 
    <param-value>/WEB-INF/classes/log4j.properties</param-value> 
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping>

的applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <import resource="classpath:edu/umt/brp/spring/run-env.xml"/>


<!-- NEW SECURITY (Begin) -->
<security:http access-denied-page="/myAccessDeniedPage" entry-point-ref="casProcessingFilterEntryPoint">
    <security:port-mappings>
    <!--<security:port-mapping http="8080" https="8081"/> -->
    <security:port-mapping http="8080" https="443"/> 
    </security:port-mappings>


    <security:intercept-url pattern="/infoGriz.html*" access="ROLE_EMPLOYEE" />
    <security:intercept-url pattern="/**/frameset**" access="ROLE_EMPLOYEE" />
<!--        <security:logout logout-url="/logout" logout-success-url="https://logintest.umt.edu/cas/logout" invalidate-session="true"/> -->
    <!--  next line may fix problem --> 
    <security:logout logout-url="/logout" logout-success-url="${casLogoutUrl}" invalidate-session="true"/>
</security:http>     
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>

<security:ldap-server id="ldapServer" url="${ldapUrl}"/>

<bean id="userService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <constructor-arg>
        <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <constructor-arg index="0" value="cn=users,dc=umt,dc=edu"/>
            <constructor-arg index="1" value="(uid={0})"/>
            <constructor-arg index="2" ref="ldapServer" />
        </bean>     
    </constructor-arg>
    <constructor-arg>
        <bean class="edu.umt.brp.security.AuthoritiesPopulator">
            <constructor-arg ref="ldapServer" />
            <constructor-arg value="cn=groups,dc=umt,dc=edu" />
            <property name="groupSearchFilter" value="(uniqueMember={0})"/>
            <property name="searchSubtree" value="true"/>

            <property name="grouperServiceUrl" value="${grouperServiceUrl}"/>
            <property name="grouperUser" value="${grouperUser}"/>
            <property name="grouperPass" value="${grouperPass}"/>

        </bean>
    </constructor-arg>
    <property name="userDetailsMapper">
        <bean class="org.springframework.security.ldap.userdetails.PersonContextMapper"/>
    </property>
</bean>

<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <property name="service" value="${applicationHost}/infoGriz/j_spring_cas_security_check"/> 
    <property name="sendRenew" value="false"/>
</bean> 

<bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <property name="defaultFailureUrl" value="http://www.google.com"/>
        </bean>
    </property>
</bean>

<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="${casLoginUrl}"/>
    <property name="serviceProperties" ref="serviceProperties"/>
</bean>

<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" >
    <property name="userDetailsService" ref="userService"/>
    <property name="serviceProperties" ref="serviceProperties" />

    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="${casValidateUrl}" />
        </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<!-- NEW SECURITY (End) -->

我们有另一个已经在Spring 3上的Web应用程序，以及我们用作模型的spring security 3.0.2，但两者之间似乎没有任何不同。如果有任何其他文件有帮助，请告诉我。

谢谢，

伊恩

Answer 1

基于Spring Security 3 reference，您还需要将 CAS身份验证过滤器添加到安全配置中：

<security:http ... >
    <security:custom-filter position="CAS_FILTER" ref="casProcessingFilter" />
</security:http>

我的问题是/infoGriz.html*和/infoGriz/j_spring_cas_security_check之间的关系是什么？如果您希望intercept-url标记捕获第二个标记，则不会！[/ p>

Answer 2

如果您使用的是Spring Security 4，请将其添加到xml

<csrf disabled="true"/>

j_spring_security_check 404

2 个答案: