我有一个问题,我不知道如何解决。 我在tomcat 8端口8443上配置了CAS v4.2。 我有弹簧安全配置,它正确地重定向到cas,当我在cas中进行身份验证时,在日志中很明显身份验证和故障单生成是正确的。 我已经配置,以便票证的持续时间为2周,如文档中所示。我已经在web.xml中将cas会话从5增加到15,因为它们表示可能出现的错误,但所有这些都导致了相同的错误。 在对自己进行身份验证后,我没有将自己重定向到客户端应用程序的主页,但它显示一条消息"身份验证失败:用户的凭据已过期"
根据版本4.2,我不知道在cas.properties属性中配置我可能做错了什么或可能缺少什么。 如果你能告诉我这个问题可能会继续下去,我将不胜感激。 提前谢谢。
JDK8。 春天4.2.6。 CAS v4.2。 Tomcat8。
弹簧security.xml文件
<security:http entry-point-ref="casEntryPoint" auto-config="true" use-expressions="true">
<security:csrf disabled="false"/>
<security:custom-filter position="FIRST" ref="ajaxSessionFilter"/>
<!-- ACCESO SIN RESTRICCIONES -->
<security:intercept-url pattern="/static/**" access="permitAll"/>
<security:intercept-url pattern="/WEB-INF/views/**" access="permitAll"/>
<security:custom-filter ref="casAuthenticationFilter" after="CAS_FILTER"/>
<security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>
<bean id="casServiceProperties" class="org.springframework.security.cas.ServiceProperties"
p:service="http://localhost:8080/aap/j_spring_cas_security_check"
p:sendRenew="false" p:authenticateAllArtifacts="true" />
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
p:serviceProperties-ref="casServiceProperties" p:loginUrl="https://cas:8443/cas/login" />
<bean id="ajaxSessionFilter" class="com.xxxx.auth.web.filters.ajax.SessionFilter">
<property name="homePage" value="https://cas:8443/cas/login"/>
</bean>
<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="serviceProperties" ref="casServiceProperties"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/casfailed"/>
</bean>
</property>
<!-- -->
<property name="authenticationSuccessHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
</property>
<property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
</bean>
<bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<!-- This filter redirects to the CAS Server to signal Single Logout should be performed -->
<bean id="requestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter"
p:filterProcessesUrl="/j_spring_cas_security_logout">
<constructor-arg value="https://cas:8443/cas/logout" />
<constructor-arg >
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</constructor-arg>
</bean>
<!-- This filter handles a Single Logout Request from the CAS Server -->
<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider"/>
</security:authentication-manager>
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="authenticationUserDetailsService">
<bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<constructor-arg ref="userDetailService" />
</bean>
</property>
<property name="serviceProperties" ref="casServiceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="https://cas:8443/cas" />
<property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
</bean>
</property>
<property name="key" value="CAS"/>
</bean>
<bean id="userDetailService" class="com.xxx.services.security.userdetails.PSOUserDetailsService"/>
cas.properties
# Decides whether SSO cookie should be created only under secure connections.
tgc.secure=true
# The expiration value of the SSO cookie
tgc.maxAge=1209600
# The name of the SSO cookie
tgc.name=TGC
# The path to which the SSO cookie will be scoped
tgc.path=/cas
# The expiration value of the SSO cookie for long-term authentications
tgc.remember.me.maxAge=1209600
# Decides whether SSO Warning cookie should be created only under secure connections.
warn.cookie.secure=true
# The expiration value of the SSO Warning cookie
warn.cookie.maxAge=1209600
# The name of the SSO Warning cookie
warn.cookie.name=CASPRIVACY
# The path to which the SSO Warning cookie will be scoped
warn.cookie.path=/cas
##
# Single Sign-On Session TGT Timeouts
#
# Inactivity Timeout Policy
tgt.timeout.maxTimeToLiveInSeconds=1209600
# Default Expiration Policy
tgt.maxTimeToLiveInSeconds=28800
tgt.timeToKillInSeconds=7200
##
# Service Ticket Timeout
#
st.timeToKillInSeconds=28800
st.numberOfUses=1
tgc.remember.me.maxAge=1209600
曲奇
"CASPRIVACY="";
Expires=Thu, 01-Jan-1970 00:00:10 GMT;
Path=/cas;
SecureTGC=eyJhbGciOiJIUzUxMiJ9.WlhsS2FHSkhZMmxQYVVwcllWaEphVXhEU214aWJVMXBUMmxLUWsxVVNUUlJNRXBFVEZWb1ZFMXFWVEpKYmpBdUxqRnNSVEl5T1U5SFdsQTRVWFpUTFc5VWIzRmpNRUV1T0Vac2J6QnRaMjl5ZVRWRk9XRnFNR3AwVFZKcFNIQklTVGt5YjJGelNWZE9XR0pEU2swM2VrMUJRekJYVUVjd1UwSnRaRGRaTTFwVlJHNVROekpNTjA5aWNsZGtjMEo2TkVGVVZYQkJWMGxPVEhKQkxWSmxVWEozZUdWRlpFaGxOV2xEYkhZdFgxUnRWbXBYY0hJeFZEWlpXQzFRVG1kcFdtNUJRa2RuTW5CdlRHOUxaRzB3VFMxQk56ZFNWelZ4YVdORVQxQXRVekEzTVVVNGNFSmxWVFJ2UkZwZmVFTTNWRzVFVlRWRmMyeFJRVXR3Y2tOMFlXMVhTVVJGT0ZoQ00xQlNaV0pMVTJGcVJrMVdPV1ZEVmxkU1ozaEtkeTVQYTJwSFEzTmhWRmxRVkdwSE0xZG5UVnBVZUVKQg.H2P1nCulIj3BtS-wOJr3PtOVGi1hT6y0PDP0MVSQerwv3khVB-lFQe2BdKNElUYzJhURtW-zwyZK3PuBh6p_eQ;
Expires=Wed, 18-Jan-2017 15:00:18 GMT;
Path=/cas;
Secure"
答案 0 :(得分:0)
我回应自己,万一有人恰好相同。 问题在于PSOUserDetails,它没有覆盖任何凭证未过期的方法。
由于