CAS和Spring - 经过身份验证但未授权导致重定向循环

时间:2015-03-17 17:51:14

标签: spring-security cas redirect-loop

我使用CAS来确定针对我无法添加的LDAP的身份验证。因此,我使用MySQL来存储每个用户的角色。

我遇到的问题是,当一个人在LDAP中,但在MySQL中没有相应的角色时,我会得到一个重定向循环。应用程序尝试将用户发送回CAS登录,该登录(由于用户已经过身份验证并已获得票证)尝试将他/她发送回页面等等。

我的applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">


        <sec:http entry-point-ref="casEntryPoint">
                <sec:intercept-url pattern="/**" access="ROLE_ODINUSERS,ROLE_ODINSUPERS,ROLE_ODINADMINS" />
                <sec:logout logout-success-url="/cas-logout.jsp" />
                <sec:custom-filter ref="casFilter" after="CAS_FILTER" />
        </sec:http>

        <sec:authentication-manager alias="authenticationManager">
                <sec:authentication-provider ref="casAuthenticationProvider" />
        </sec:authentication-manager>

        <bean id="casFilter"
                class="org.springframework.security.cas.web.CasAuthenticationFilter">
                <property name="authenticationManager" ref="authenticationManager" />
                <property name="authenticationFailureHandler">
                        <bean
                                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                                <property name="defaultFailureUrl" value="/cas-failed.jsp" />
                        </bean>
                </property>
                <property name="authenticationSuccessHandler">
                        <bean
                                class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
                                <property name="defaultTargetUrl" value="/" />
                        </bean>
                </property>
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
                <property name="proxyReceptorUrl" value="/secure/receptor" />
        </bean>

        <bean id="casEntryPoint"
                class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
                <property name="loginUrl" value="https://localhost:8443/cas/login" />
                <property name="serviceProperties" ref="serviceProperties" />
        </bean>

        <bean id="casAuthenticationProvider"
                class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
                <property name="userDetailsService" ref="userService" />
                <property name="serviceProperties" ref="serviceProperties" />
                <property name="ticketValidator">
                        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                                <constructor-arg index="0"
                                        value="https://localhost:8443/cas" />
                                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
                                <property name="proxyCallbackUrl"
                                        value="https://localhost:8443/cas/secure/receptor" />
                        </bean>
                </property>
                <property name="key" value="an_id_for_this_auth_provider_only" />
        </bean>

        <bean id="proxyGrantingTicketStorage"
                class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

        <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
                <property name="service" value="https://localhost:8443/CASTest/j_spring_cas_security_check" />
                <property name="sendRenew" value="false" />
        </bean>

    <sec:jdbc-user-service id="userService" data-source-ref="dataSource" 
        authorities-by-username-query="select username, role FROM user_authorization WHERE username = ?"
        users-by-username-query="SELECT username, password, enabled FROM user_authentication WHERE username = ?" />

      <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
            <property name="driverClassName">
                <value>com.mysql.jdbc.Driver</value>
            </property>
            <property name="url">
                <value>jdbc:mysql://localhost:3306/user_mgt</value>
            </property>
            <property name="username"><value>root</value></property>
            <property name="password"><value>test</value></property>
        </bean>

        <bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>

</beans>

这个重定向循环有优雅的方法吗?也许是一种定义页面以便在用户未经授权的情况下发送给用户的方式,而不是默认将用户发送回登录页面?

1 个答案:

答案 0 :(得分:0)

你可以使用

 <sec:http entry-point-ref="casEntryPoint">
            <sec:intercept-url pattern="/**" access="ROLE_ODINUSERS,ROLE_ODINSUPERS,ROLE_ODINADMINS" />
            <sec:logout logout-success-url="/cas-logout.jsp" />
            <sec:custom-filter ref="casFilter" after="CAS_FILTER" />
            <sec:form-login login-page="/login" authentication-failure-url="/login?error"
        username-parameter="j_username" password-parameter="j_password"
        default-target-url="/somepageaction" />
    </sec:http>
相关问题
最新问题