CAS ticket validation always fails

Time: 2015-12-18 12:53:20

Tags: spring-security single-sign-on cas

I successfully installed CAS 4.1 and configured it to use Active Directory as the backend for authentication. The problem now is that every time I try to validate a ticket, the CAS server complains that the ticket has expired. The steps I take to obtain and validate a ticket are as follows:

  1. Call https://sso.domain.net/cas/login?service=https://myservice.domain.net
  2. I get a ticket ST-2-NLOngMHayTl3uCLKn91T-sso.domain.net
  3. Call the validation service https://sso.domain.net/serviceValidate?ticket=ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net&service=https://myservice.domain.net
  4. I receive the following response:

    <cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
      <script/>
      <cas:authenticationFailure code="INVALID_TICKET"> 
       Ticket 'ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net' not recognized
      </cas:authenticationFailure>
    </cas:serviceResponse>
    

The ticket-granting log shows

    2015-12-18 15:28:53,505 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted ticket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] for service [https://e.domain.net/] for user [castest]>
    2015-12-18 15:28:53,506 INFO  [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]:    =============================================================
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHO: castest
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHAT: ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net for https://e.domain.net/
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: ACTION: SERVICE_TICKET_CREATED
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: APPLICATION: CAS
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHEN: Fri Dec 18 15:28:53 AST 2015
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: CLIENT IP ADDRESS: 10.100.25.89
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: SERVER IP ADDRESS: 10.10.12.120
    Dec 18 15:28:53 mk-jas-cas-01 server[24501]: =============================================================
    

The validation log shows

    2015-12-18 15:29:05,633 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] has expired.>
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: 2015-12-18 15:29:05,635 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: =============================================================
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHO: audit:unknown
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHAT: ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: ACTION: SERVICE_TICKET_VALIDATE_FAILED
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: APPLICATION: CAS
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHEN: Fri Dec 18 15:29:05 AST 2015
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: CLIENT IP ADDRESS: 10.100.25.89
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]: SERVER IP ADDRESS: 10.10.12.120
    Dec 18 15:29:05 mk-jas-cas-01 server[24501]:=============================================================
    

I used the same ticketExpirationPolicy.xml from this StackOverflow entry and got the same result. I also tried changing it to never expire and still got the same result. My current ticketExpirationPolicy.xml file:

    <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c" xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">
    
    <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
        <!-- This argument is the number of times that a ticket can be used before its considered expired. -->
        <constructor-arg
            index="0"
            value="1" />
        <!-- This argument is the time a ticket can exist before its considered expired.  -->
        <constructor-arg
            index="1"
            value="10000" />
    </bean>
    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.NeverExpiresExpirationPolicy" />
    </beans>
    

A side question: where and how do I define a service so that it acts as a proxy?!

1 Answer:

Answer 0: (score: 0)

Well, I fixed it by increasing the second constructor argument from 10000 to 100000

    <!-- This argument is the time a ticket can exist before its considered expired.  -->
    <constructor-arg
        index="1"
        value="100000" />
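The rejection in the question and the fix in the answer both come down to the second constructor argument, the service ticket timeout in milliseconds. The following Python model of that policy is added here as an illustration (it is not CAS's own code) and is replayed over the two log timestamps from the question; the policy semantics as modelled, expired once the use count reaches numberOfUses or the ticket is older than timeToKill milliseconds, are an assumption close to what CAS's MultiTimeUseOrTimeoutExpirationPolicy does.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Timestamp layout of the CAS log prefix seen on this page ("2015-12-18 15:28:53,505").
CAS_LOG_TS = "%Y-%m-%d %H:%M:%S,%f"
EPOCH = datetime(2015, 1, 1)  # arbitrary fixed origin; only differences matter


def log_ts_to_ms(ts: str) -> int:
    """Convert a CAS log timestamp to integer milliseconds since the fixed origin."""
    return (datetime.strptime(ts, CAS_LOG_TS) - EPOCH) // timedelta(milliseconds=1)


@dataclass
class ServiceTicket:
    ticket_id: str
    last_time_used_ms: int  # equals the issue time until the ticket is first used
    count_of_uses: int = 0


@dataclass
class MultiTimeUseOrTimeoutExpirationPolicy:
    """Model (assumption) of the bean in ticketExpirationPolicy.xml: constructor
    index 0 is number_of_uses, index 1 is time_to_kill_ms."""
    number_of_uses: int
    time_to_kill_ms: int

    def is_expired(self, t: ServiceTicket, now_ms: int) -> bool:
        return (t.count_of_uses >= self.number_of_uses
                or now_ms - t.last_time_used_ms >= self.time_to_kill_ms)


def validate(policy: MultiTimeUseOrTimeoutExpirationPolicy,
             ticket: ServiceTicket, now_ms: int) -> bool:
    """Emulate /serviceValidate: reject an expired ticket, otherwise consume one use."""
    if policy.is_expired(ticket, now_ms):
        return False
    ticket.count_of_uses += 1
    ticket.last_time_used_ms = now_ms
    return True


def replay_from_logs(granted_ts: str, validated_ts: str, time_to_kill_ms: int):
    """Replay the grant/validate pair from the log excerpts under a given timeout.
    Returns (age_ms, first_validate_ok, immediate_replay_ok)."""
    policy = MultiTimeUseOrTimeoutExpirationPolicy(1, time_to_kill_ms)
    issued, checked = log_ts_to_ms(granted_ts), log_ts_to_ms(validated_ts)
    st = ServiceTicket("ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net", issued)
    first = validate(policy, st, checked)
    replay = validate(policy, st, checked + 1)  # same ticket presented a second time
    return checked - issued, first, replay


if __name__ == "__main__":
    for ttl in (10000, 100000):  # the question's value and the answer's value
        print(ttl, replay_from_logs("2015-12-18 15:28:53,505", "2015-12-18 15:29:05,633", ttl))
```

The grant and validate entries in the logs are 12,128 ms apart, which exceeds the 10,000 ms timeout, so the ticket is rejected before the use-count check is ever reached; with the answer's 100,000 ms the first validation succeeds, and the single-use rule still rejects a second presentation of the same ticket.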