CAS要求对每个应用程序进行身份验证

时间:2017-06-17 06:43:44

标签: java spring single-sign-on cas

我在我的项目中使用CAS 4。我有两个申请。我成功登录到我的应用程序1,如果我从应用程序1重定向到应用程序2,则无论先前的会话是否存在,CAS都会被强制再次提供凭据。我没有注销或关闭浏览器,但它要求对每个应用程序进行身份验证。

我在CAS服务器4.0和客户端3.4.1版本以及我的每个应用程序的 web.xml 中配置了CAS客户端。

的web.xml 

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:8080/cas</param-value> 
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
</listener>

<filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>http://localhost:8080/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
    <init-param>
        <param-name>gateway</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>http://localhost:8080/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>http://localhost:8080</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/login.do</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/proxyCallback</url-pattern>
</filter-mapping>
<context-param>
    <param-name>renew</param-name>
    <param-value>false</param-value>
</context-param>

继续我的讨论,我调试CAS Server,其显示如下

  

[org.jasig.cas.CentralAuthenticationServiceImpl] - [org.jasig.cas.ticket.registry.DefaultTicketRegistry] -      [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - [org.jasig.cas.CentralAuthenticationServiceImpl] -

     

[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @ NOT_USED @samlp:SessionIndexST-2-jp9ydEyiFuT9hlKw2SaK-org.in]&gt;   [org.jasig.cas.logout.LogoutManagerImpl] - http://abc.in:8888/app1/login.do]>   [org.jasig.cas.util.SimpleHttpClient] - http://abc.in:8888/app1/login.do>

     

[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @ NOT_USED @samlp:SessionIndexST-1-DLttZgFyzfWmdpXVmB4a-org.in]&gt;   [org.jasig.cas.logout.LogoutManagerImpl] - http://abc.in:8888/app3/login.do]>   [org.jasig.cas.util.SimpleHttpClient] - http://abc.in:8888/app3/login.do>

     

[org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - @ NOT_USED @samlp:SessionIndexST-3-1tiTu9pcVaNs55O7FX4m-org.in]&gt;   [org.jasig.cas.logout.LogoutManagerImpl] - http://abc.in:8888/app2/login.do]&gt;

     

[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - [org.jasig.cas.ticket.registry.DefaultTicketRegistry] -   

     

[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -         

世卫组织:审计:未知什么:   TGT-1-BEacZ4CpvMRxgSY5lEb5xvnGQ9fLgPjKJcjXj3BMKHjbQXCGJM-org.in   行动:TICKET_GRANTING_TICKET_DESTROYED应用程序:CAS时间:星期二   Jun 20 16:29:46 IST 2017客户端IP地址:10.191.53.54服务器IP   地址:10.191.53.54

     

[org.jasig.cas.util.SimpleHttpClient] - http://abc.in:8888/app2/login.do>

     

[org.jasig.cas.web.support.CookieRetrievingCookieGenerator] -   [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] -

     

[org.jasig.cas.util.SimpleHttpClient] - http://abc.in:8888/app1/login.do>   [org.jasig.cas.util.SimpleHttpClient] - http://abc.in:8888/app2/login.do>   [org.jasig.cas.util.SimpleHttpClient] - http://abc.in:8888/app3/login.do>

这里的问题是,如果我退出app1,它会从app1和app3注销,但我无法从app2注销。还是会议还活着。我在所有三个应用程序中使用相同的CAS客户端配置。这里我在单独的选项卡中打开了所有三个应用程序究竟是什么问题。

我认为appl2存在问题,我的web.xml配置如上,并且所有应用程序都验证了服务票证。如何在客户端(app2)中跟踪确切问题。

1 个答案:

答案 0 :(得分:0)

请检查ServiceProperties中的sendRenew参数。

https://docs.spring.io/spring-security/site/docs/current/reference/html/cas.html#cas-st

  

服务必须等于将由其监控的URL   CasAuthenticationFilter。 sendRenew 默认为false,但应该是   如果您的应用程序特别敏感,则设置为true。什么   这个参数的作用是告诉CAS登录服务一个单一的标志   登录是不可接受的。相反,用户需要重新输入   他们的用户名和密码是为了获得对服务的访问权。

相关问题
最新问题