通过以下设置,我收到以下Tomcat错误:
HTTP Status 401 - Authentication Failed: cmccormick
type Status report
message Authentication Failed: cmccormick
description This request requires HTTP authentication.
我还尝试用SSL保护应用(包括需要身份验证的URL),结果出现同样的错误(approach I used)。
applicationSecurityContext.xml文件(省略了XML声明和schema声明,因为SO无法正确显示它们):
<!-- HTTP security: requests that need authentication are handed to the CAS entry point;
     access rules are written as SpEL expressions. -->
<security:http entry-point-ref="casEntryPoint"
               use-expressions="true"
               auto-config="false">
  <!-- Requests without credentials run as "guest" holding the ANONYMOUS authority. -->
  <security:anonymous username="guest" granted-authority="ANONYMOUS"/>
  <!-- Rules are evaluated in order and the first match wins, so the narrower
       /app/resources/** rule has to stay ahead of /app/**. -->
  <security:intercept-url pattern="/app/resources/**" access="hasAnyRole('ANONYMOUS', 'cm_user')"/>
  <!-- Everything else under /app/ requires the cm_user authority on the authenticated user. -->
  <security:intercept-url pattern="/app/**" access="hasRole('cm_user')"/>
  <!-- Installs the casFilter bean at the CAS position of the filter chain. -->
  <security:custom-filter position="CAS_FILTER" ref="casFilter"/>
  <!-- At most five concurrent sessions per user; a further login is refused
       instead of expiring an older session. -->
  <security:session-management>
    <security:concurrency-control max-sessions="5" error-if-maximum-exceeded="true"/>
  </security:session-management>
  <!-- <security:logout logout-url="/j_spring_security_logout" logout-success-url="/home" /> -->
</security:http>
<!-- String bean exposing the value of the winauthDomain placeholder.
     NOTE(review): this bean has been described as the base URL of the onboarder
     application, used for links in outgoing emails; that does not match the bean
     name, so confirm what the value is actually used for. -->
<bean id="winauthDomain" class="java.lang.String">
  <!-- Property obtained from deploytime.properties -->
  <constructor-arg value="${winauthDomain}"/>
</bean>
<!-- Authentication manager, published under the alias that casFilter references.
     Its only provider is casAuthenticationProvider. -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="casAuthenticationProvider"/>
</security:authentication-manager>
<!-- Describes this application to CAS. "service" is the callback URL to which CAS
     redirects the browser with the service ticket attached.
     NOTE(review): the callback uses plain http, so the ticket is visible on the
     wire. Outside a local development setup this should be the https URL of the
     application. -->
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
  <property name="service" value="http://localhost:18080/connmgr/app/j_spring_cas_security_check"/>
  <!-- false: an existing CAS single sign-on session is accepted and the user is
       not forced to present credentials again. -->
  <property name="sendRenew" value="false"/>
</bean>
<!-- CAS filter: receives the redirect coming back from the CAS server and passes
     the ticket to the authentication manager for validation. -->
<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <!-- Path the filter listens on. It presumably corresponds to the path of the
       serviceProperties callback URL below the /connmgr context; confirm. -->
  <property name="filterProcessesUrl" value="/app/j_spring_cas_security_check"/>
</bean>
<!-- Entry point used by security:http: sends unauthenticated users to the CAS
     login page, passing the service URL taken from serviceProperties. -->
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
  <property name="loginUrl" value="https://mcauth01.nexus.commercehub.com:5443/login"/>
  <property name="serviceProperties" ref="serviceProperties"/>
</bean>
<!-- Validates CAS service tickets and builds the authenticated user.
     The username returned by CAS is looked up through userDetailsService, and the
     authorities that service returns are what the access rules are checked against. -->
<bean id="casAuthenticationProvider"
      class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService"/>
  <property name="serviceProperties" ref="serviceProperties"/>
  <!-- Tickets are validated over https against the CAS server at this URL prefix. -->
  <property name="ticketValidator">
    <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
      <constructor-arg index="0" value="https://mcauth01.nexus.commercehub.com:5443"/>
    </bean>
  </property>
  <!-- Identifier that marks authentication tokens as created by this provider. -->
  <property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<!-- Project-specific service injected into userDetailsService. Its behaviour is
     not visible in this file; presumably it maps stored permissions to granted
     authorities. Confirm against the implementation. -->
<bean id="permissionConversionService" class="com.commercehub.connmgmt.misc.security.PermissionConversionServiceImpl"/>
<!-- Project-specific user lookup used by casAuthenticationProvider. It is wired
     with the user repository and the permission conversion service; the
     authorities it returns decide which hasRole(...) rules a CAS user passes. -->
<bean id="userDetailsService" class="com.commercehub.connmgmt.misc.security.CmUserDetailsService">
  <property name="userRepository" ref="userRepository"/>
  <property name="permissionConversionService" ref="permissionConversionService"/>
</bean>
<!-- Access decision manager used for method security: access is granted as soon
     as one voter votes to grant, and denied when every voter abstains. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter"/>
    </list>
  </property>
</bean>
<!-- Role voter with an empty prefix: role names such as cm_user are compared
     as written, without a ROLE_ prefix. -->
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
  <property name="rolePrefix" value=""/>
</bean>
<!--
  Logs security events published in the application context.
  NOTE(review): this class is in the access.event package and handles
  authorization (access decision) events. If the intent is to log authentication
  successes and failures from casAuthenticationProvider, the listener to register
  is org.springframework.security.authentication.event.LoggerListener; confirm.
-->
<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!-- Method security: JSR-250 annotations are honoured, Spring Security's own
     @Secured annotation is switched off for now, and decisions are delegated to
     the accessDecisionManager bean. -->
<security:global-method-security
    secured-annotations="disabled"
    jsr250-annotations="enabled"
    access-decision-manager-ref="accessDecisionManager"/>
答案 0 :(得分:0)
原来问题在于,沿用的旧配置为受保护的URL指定了角色(该URL现在也要求https)。由于身份验证是通过CAS完成的,这些角色并不可用。
不正确:
<!-- Requires the cm_user authority. A successful CAS login is not enough on its
     own: the authority must be among those returned by the configured user
     details service. -->
<security:intercept-url pattern="/app/**" access="hasRole('cm_user')"/>
正确:
<!-- Admits every user that CAS authenticates and forces the https channel.
     NOTE(review): this removes the cm_user restriction. If /app/** must stay
     limited to that role, keep hasRole('cm_user') and have the user details
     service return the authority for CAS users instead. -->
<security:intercept-url pattern="/app/**" access="isAuthenticated()" requires-channel="https"/>