使用Grails Spring Security CAS插件重定向循环

时间:2014-01-04 00:29:47

标签: grails redirect spring-security single-sign-on cas

我正在使用涉及CAS服务器的项目与使用单点登录(SSO)的其他基于Spring的项目一起工作,但我收到一个涉及Grails spring-security-cas插件的重定向循环(版本:“:spring -security-CAS:2.0-RC1" )。我看过plugin's documentation。我知道CAS重定向问题看起来很常见,但我还没有找到与此类情况相关的帖子。我是Grails和CAS世界的新手,所以我们提前感谢您向正确的方向发展。

访问grails应用程序上的安全页面最初使用适当的服务参数正确地重定向到CAS服务器登录页面:https:// example.com:8443/cas/login?service = http:// example.com :8080 / grailsapp / j_spring_cas_security_check

问题在用户成功登录并且CAS重定向回服务后发生。 grails应用程序中的j_spring_cas_security_check将重定向回https://example.com:8443/cas登录页面,该页面会看到TGC并重定向回服务j_spring_cas_security_check页面,该页面无限制地重定向[直到浏览器发出重定向循环错误]。看起来每次迭代都会创建新的服务票据。

我的Config.groovy有:

grails.plugin.springsecurity.cas.loginUri = /login
grails.plugin.springsecurity.cas.serviceUrl = http://example.com:8080/grailsapp/j_spring_cas_security_check
grails.plugin.springsecurity.cas.serverUrlPrefix = https://example.com:8443/cas
# we aren't using cas with proxy
# logout details not shown here

根据其他问题/答案尝试了不成功的尝试:

  • 我不认为问题出在cas服务器上:当我直接转到另一个已经使用CAS的项目时,他们会检测到故障单cookie并登录就好了,而无需用户再次进行身份验证。
  • SSL证书是自签名的,已添加到Java的cacert商店。不会发生SSLHandshake或与证书相关的异常等。
  • 这不是一个糟糕的凭据或代理情况,如question 19710841,但我已经尝试将/ j_spring_cas_security_check添加到Annotation staticRules,但仍然获得相同的循环。

cas服务器的日志包括:

=============================================================
WHO: [username: sampleuser]
WHAT: supplied credentials: [username: sampleuser]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Jan 03 23:52:41 GMT 2014
CLIENT IP ADDRESS: XXX.XXX.XXX.XXX
SERVER IP ADDRESS: example.com
=============================================================
=============================================================
WHO: [username: sampleuser]
WHAT: TGT-24-Rttmt5i5raWcV1Z5wZavVopigQc4xeIckEUfMKdG3EwEzI3LUI-cas.service
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 03 23:52:41 GMT 2014
CLIENT IP ADDRESS: XXX.XXX.XXX.XXX
SERVER IP ADDRESS: example.com
=============================================================

INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-77-cneJOIwmnoOdKqkscaiy-cas.service] for service [http://example.com:8080/grailsapp/j_spring_cas_security_check] for user [sampleuser]>

####### FIRST ITERATION OF LOOP BELOW #############

=============================================================
WHO: sampleuser
WHAT: ST-77-cneJOIwmnoOdKqkscaiy-cas.service for http://example.com:8080/grailsapp/j_spring_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jan 03 23:52:41 GMT 2014
CLIENT IP ADDRESS: XXX.XXX.XXX.XXX
SERVER IP ADDRESS: example.com
=============================================================
=============================================================
WHO: audit:unknown
WHAT: ST-77-cneJOIwmnoOdKqkscaiy-cas.service
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri Jan 03 23:52:41 GMT 2014
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: example.com
=============================================================

DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Placing service in FlowScope: http://example.com:8080/grailsapp/j_spring_cas_security_check>
INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-78-6qsbaVNNOess4VhGOQE4-cas.service] for service [http://example.com:8080/grailsapp/j_spring_cas_security_check] for user [sampleuser]>

####### SERVICE_TICKET_CREATED and SERVICE_TICKET_VALIDATED LOOP CONTINUES A FEW MORE TIMES BEFORE BROWSER GIVES UP #############

2 个答案:

答案 0 :(得分:2)

问题是在Grails客户端我没有创建userDetailsS​​ervice。我在Grails的services文件夹中实现了一个自定义类(参见http://grails-plugins.github.io/grails-spring-security-core/guide/userDetailsService.html):

public class MyUserDetailsService implements UserDetailsService {
    // Required methods here
}

然后在resources.groovy中引用它:

beans = {
    userDetailsService(MyUserDetailsService)
}

答案 1 :(得分:2)

除了覆盖UserDetailsService我必须在filterProcessesUrl

中配置Config.groovy
grails.plugin.springsecurity.cas.filterProcessesUrl = "/user/login" // same as uri part of serviceUrl
grails.plugin.springsecurity.cas.serviceUrl = "http://yoursite.com/user/login"

CasAuthenticationFilter在CAS上进行身份验证后启动。以下是源代码参考链接:

您还可以查看CasAuthenticationFilter.java 的来源,查看serviceTicketRequestsuper.requiresAuthentication方法。