我使用 mod_auth_cas 将SSO用于 Alfresco社区5.2 到 Keycloak 4.0 ,并使用keycloak-cas-protocol插件。
Alfresco坐在第一个Apache反向代理后面,而Keycloak在另一台机器上运行另一个。 SSL证书由前端Apache服务器处理。
我的问题是以下:当我登录时,我被重定向到Alfresco网址的方式太多CAS门票:
http://alfresco-server-url/alfresco?ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..2fzwwcMChdFFNk49ucH56A.aHDDlnXrignL4oCAXzrSmIinjqVqaisUQtaioLTzRlLoHjPGD8k-PRrUA0U5S09Wh0Z8MV2JkK2_2CUh5efDFnVdrLqvCtFUOakAtTH9b8MK_7NLU6H_K6tM0cItB7tGAooUZmoKhHAc5DlzIx7n7QrbThk5nrwt5BBl4luIK0k9zeLUOjn5Cp6_nRyCK6uJZZu2-l0qbeMSPjTOktbGZUb2S0F4l1Af5be6sYwQO95XTLEyny8mPKhexEnFR6vx.9BDatlhtuxg17oqopjwpdw&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..SCWcwVtbK9xcZKCYm12Tpw.9h03gCwnzeC6xBNwvDojAJs1b6zIIn4AxA02jrx_CZ5m8r2enNjIiS70wJWvSx_a1bq_EekSTCAFU01b93UopZNuEPDExZ1A9S1hur6t-IWTYfDS1WfKKh9CyKRSvUTqPkug-lf3UoPR4KTXgjhrXIC_nTxX_TJX6lIXsTEKTDPA0GZXRkHAB9PGTy98X1orm10qN_q8zMefo7aCqVIcx3WRrqs4XvwBVqY3oGv8oNN4dE1jONTUonGZSWtwfHlk.s_1V8uVC7XArWHVc6ICYRA&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..T56R8c7F8tQoSnZ2uAkckw.GB7WHWpTURuSxsMITJblSNTuYf4Rd3TiDult_HBWXm7AEOIiiHC0n2Af9SvrjOjdEGxPhkfMimQzOZgigbYG2SoQ2I0xuBRVSv0to8ib-gATbBSWoKayAqaT5CdXQuAxii1bqQ1ysdOK00jQKweaQoa-NAbDr6lTtZf9hwS5bj0x05yiczD2Pzf-w57oqPOdmmr_YrbHNy8qiMXNMp8HqmFAF0Brtpu-m_PW5skSHTpWGHXr_vPKLHsFcSHeKwTz.NkCBgoCEtf4_7xevG2_04w&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..h7WkA0L-0cir8OxkNjXbRA.xnYyOrOAD8_fVXwrQ-kydcbTrVlEVLvACdmNAi-DVKbBF53HllKmFE2HBe3PSjaYcmI85y1xzVuZEd6JgzzfdCKPHkGY4AUAFICcxyFjruxvBULo-tp2BCSunGKp-0vwJ4Ty8fYRkj2l5AphnSaBdn_A6_lM4pW1Ietm6PxJkvUvvFE1J00LSB0mU35ys--V_ri7T-NOvRyc5hBTWdU_qun8464vTdEaDXpKADLEr4gn5VnKEOGp5M9KOkfOgVB8.jzb3spHhYsO8unDITNjHyw&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..HblYkRPxMSEe2_11COlOYQ.V6BNdvgAqrJfh2OW2Mm5ZnnZpvu6qjdoPofumFbMo0-prIc9x92qgPIkFQPn2JCKIA8esDS-R7X4DNNq59-KBS6pnQfBgdZDD1KviF07G4xtDjCrc0PCrpnxM6Z_OovmtuRsMeXpAlBb-eQ5FuF1-LKtZAy2h_mIACsJD0GZEaD2PNKi-xRrzi0MU1NEE9y8T73ZxBzxt30LFU9NpmPHAfmXXuhRMk97326L34ae-7Uh-TMgcEeUTukFTvn0rDi1.5ACqkhDwdBwIGcaFrYb1IA&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..1m-5uj9sJcsU4Jzu1DmDfg.H8fgd0W_xOo4IB0AKsm27NEnNM9YP8XdZURip3aW0yqgprsrfOBSlNL0jssP_YjwuNT_-IR8O5TB4iw8_tP_kf32D6vA8YavIOEPKFks3a2s8pIqk0zfp1SXn-c2g228cBctDYVh7gHANR2UgQt_WZt2A6fg2OJveD2Lan11udD1bFojIP6ADWVbkwohhwHyAIPiuXUTELCvytT3y_q_QhPqT7JEBQrRCHawRMLAnhZjXBBTJxrJEXOTE2Qiad5C.sO7povpRpOU-G3rRsN7zcg&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..93a2rMaFy9lGj_0HN2349Q.KIkpwoYROOKglvJ5EjMkQtY2D7jacyNJ8f6viNWSj3SFOjZIXGGYwXqnOL3Wrk7M6DQAB3bGw2X4OJQ3UJY7SANYO-cUBvjgMueZ7TxtMZTE87Xl0Vo1KkFVFdP1hTwIQ1fQhRLQKOSzvOun_FXHRnWG-7rHMPBR9LX6qk1L1E5Y8Zo7edTrUEqOLIKmp719q3MUaUs5mGQimjv_MwOHbVb5c5KCnndn9jbG9CNexVxpkFt9CRpO_c4MC3WP-LlY._DCqAqUVZYJgcddeJkdVxw&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..s41OanknH97t3zX-jUOU-A.0mhgL6z_WRdSyy5nZt8JJ-JASNl93xgAB6IBEsbFs_elu84DGASNfBtYmhIktk9PTlSYQzPTD_FEveME_ThDEEGXS3ojTQ4vRDJuR5crV41kXmrcm9kjDxtlUz_nlT0HOtuSmyQdUwHyVoNcEITkvr63-jbvBD3Z5yEWD8uZGkKLHvnOwZ6tc4tJcqsb52W5AMU3Lh6sqAidwOVtObjQvSXw9Otzk0mkKpCdIksBeeHaP9sIAalVwK6vHHHN-ean.n-VJaIwSJZxvviopuJdpYQ&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..PPIdjwnNIqHFm0B-eimXEA.iiDs_2mHMt9yGzSjyNWMeg2tkNRKatK8Xd5vOmBg0zgfVhAxqPDii1J3SauIK9ujEJ_7oFLqnDiPWJjp-EFJVRq59Ihf6g3un5n1yNGaNUolXhVxqZ1kwZrLer0kulX1GxKWKi_YWiCJH6Zupc322GgmE8ZFAX_rB__vH8PbdtWvoTPcYE3GrmgVASPxzC0EDj1sf552F6BSk5XrmWDH6ipGaY_rTEWJ6NdPYrb0k1vAkuonhAc2zdfloaXEe3c3.6zYuKHuXrm-zlxMV3UW-RA&ticket=ST-eyJhbAbdOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..nGaDNtyvKsn8C0ziVB-2_Q.L9DuWHfKGNumX8cd-H0UphZfjgnhBxd8clZopkWLMQOWr6VFKjPi2IM9H9Gb9hXji31txiLJoRnCc6DG75oE6-hwvWjiF4hy2tHRbm0zmnia4l0ILS2hW_Te1Wdi9Dc2XilGBrI2mjQky1YFODC0o2B5MBjKbRuCM83hliRBxFE1PgujQpl3AGvF3H4iCDKC6aYDqvFVeyJr_Bv8tVAj2gRko0z8jH4-7mjRIoEmZOt4iqWPlrdS023ZQJxyFX7h.wErxn32g48QZOn4rLWMHYg
看起来像 mod_auth_cas 一直将我重定向到Keycloak,将票证标记堆叠在一起;这导致Alfresco返回401 Unauthorized错误。
删除所有票证,但URL中的一个票证正常工作,并使用经过身份验证的用户重定向到Alfresco资源管理器。
我不确定这是否相关,但是一旦服务器启动,我也会在日志中收到以下错误:
WARN [org.alfresco.wcm.client.util.impl.GuestSessionFactoryImpl]
WQS unable to connect to repository: Unauthorized
由以下原因引起:
127.0.0.1 - - [18/May/2018:17:24:38 +0200] "GET /alfresco/service/api/login?u=admin&pw=admin HTTP/1.1" 403 425
127.0.0.1 - - [18/May/2018:17:24:38 +0200] "GET /alfresco/cmisatom HTTP/1.1" 401 5
以下是相关的配置片段:
alfresco-global.properties:
authentication.chain=external1:external
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=X-Alfresco-Remote-User
### Initial admin password ###
alfresco_user_store.adminusername=admin
#alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634
share-config-custom.xml:
<config evaluator="string-compare" condition="Remote">
<remote>
<ssl-config>
<keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
<keystore-type>pkcs12</keystore-type>
<keystore-password>alfresco-system</keystore-password>
<truststore-path>alfresco/web-extension/ssl-truststore</truststore-path>
<truststore-type>JCEKS</truststore-type>
<truststore-password>password</truststore-password>
<verify-hostname>false</verify-hostname>
</ssl-config>
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>
<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>X-Alfresco-Remote-User</userHeader>
</connector>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<basic-auth>false</basic-auth>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
<endpoint>
<id>alfresco-feed</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Feed</name>
<description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<basic-auth>false</basic-auth>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
<endpoint>
<id>alfresco-api</id>
<parent-id>alfresco</parent-id>
<name>Alfresco Public API - user access</name>
<description>Access to Alfresco Repository Public API that require user authentication.
This makes use of the authentication that is provided by parent 'alfresco' endpoint.</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/api</endpoint-url>
<basic-auth>false</basic-auth>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
</remote>
Apache配置:
ProxyPass /alfresco http://127.0.0.1:8080/alfresco
ProxyPassReverse /alfresco http://127.0.0.1:8080/alfresco
ProxyPassReverseCookiePath /alfresco /alfresco
ProxyPass /share http://127.0.0.1:8080/share
ProxyPassReverse /share http://127.0.0.1:8080/share
ProxyPassReverseCookiePath /share /share
ServerName my-apache-server-url
RequestHeader set Host "my-apache-server-url"
RequestHeader set X-Real-IP "my-apache-server-url"
RequestHeader set X-Forwarded-Server "my-apache-server-url"
RequestHeader set X-Forwarded-Host "my-apache-server-url"
RequestHeader set X-Forwarded-For "127.0.0.1:8080, my-apache-server-url"
mod_auth_cas config:
CASCookiePath /var/cache/httpd/mod_auth_cas/
CASLoginURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/login
CASValidateURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/serviceValidate
CASProxyValidateURL https://my-keycloak-server-url/keycloak/realms/my-client-id/protocol/cas/proxyValidate
CASDebug On
<Location /share>
Authtype CAS
AuthName "CAS"
require valid-user
CASAuthNHeader X-Alfresco-Remote-User
CASScope /share
</Location>
<Location /alfresco>
Authtype CAS
AuthName "CAS"
require valid-user
CASAuthNHeader X-Alfresco-Remote-User
CASScope /alfresco
</Location>
以下是 HTTPD调试日志:
[Tue May 22 18:12:37.738754 2018] [:debug] [pid 63283] mod_auth_cas.c(2058): [client XXX.XX.XXX.XXX:XXXXX] Entering cas_authenticate()
[Tue May 22 18:12:37.738817 2018] [:debug] [pid 63283] mod_auth_cas.c(580): [client XXX.XX.XXX.XXX:XXXXX] CAS Service 'http%3a%2f%2fXXX.XX.XXX.XX%2fshare%3fticket%3dST-eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..RR2EyToZ7ciuGy3XPKUVcg.oZBjcuS7OrZxk_OqU-cQDdXSzkzCq5bsKmlX3Ixt9XLAvjyPV2zoeoBjxol3zmL0hF1COsWt9QzkaF0_rWABvWPUEC9hT3QqtwMrmZMtivcdo9EDkV_3J8xSCtAjP45wPEDc0cYM50L7X6dcF76PCsgxIjEt5KUQVzDoNHwzocvdjk4_KpZEplx1l2WVJdD3UzsSoYN1YbXnPQU4kyGL33d8F1eW0VOfshrV9fz9WaKGzFG3K1ADdvADGfjSGoT3.zv7i2QPMu3AiwfXZOj3Dvw'
[Tue May 22 18:12:37.738846 2018] [:debug] [pid 63283] mod_auth_cas.c(528): [client XXX.XX.XXX.XXX:XXXXX] entering getCASLoginURL()
[Tue May 22 18:12:37.738859 2018] [:debug] [pid 63283] mod_auth_cas.c(505): [client XXX.XX.XXX.XXX:XXXXX] entering getCASGateway()
[Tue May 22 18:12:37.738865 2018] [:debug] [pid 63283] mod_auth_cas.c(595): [client XXX.XX.XXX.XXX:XXXXX] entering redirectRequest()
为什么mod_auth_cas会在Keycloak返回票证时重定向到SSO服务器?
答案 0 :(得分:0)
我在一段时间后发现了这个问题。
mod_auth_cas seems to use以上 5.2.2 的CAS版本可防止门票下划线。
这是一个问题,因为Keycloak CAS add-on 会生成带下划线的票证。
我通过修改mod_auth_cas.c中的validCASTicketFormat函数并重新编译Apache模块解决了这个问题,从而允许令牌包含下划线。
在最新的mod_auth_cas版本中,只允许使用点,短划线和字母数字字符。