Question

我有一个Maven多模块应用程序，其中主模块依赖于其他模块。该主模块由Spring Security CAS保护，子模块需要基本身份验证。这是子模块安全配置的示例：

<security:http name="boobkingapiHttp" create-session="stateless" pattern="/hub/book/**" 
    authentication-manager-ref="apiAuthenticationManager">
    <security:intercept-url pattern="/hub/book" access="ROLE_ORDER_MANAGER" />
     <security:http-basic />
</security:http>

以及主模块的安全性配置：

<security:http entry-point-ref="casEntryPoint" pattern="/**" realm="ecab" use-expressions="false">
    <security:intercept-url pattern="/flow/googlestatistics/**" access="ROLE_ADMIN" />
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" />
    <security:custom-filter position="CAS_FILTER" ref="casFilter" />
    <security:logout logout-success-url="/logout.xhtml"/>
    <security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
    <security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>

<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <beans:property name="loginUrl" value="http://localhost:8082/sso/login" />
    <beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>

<beans:bean id="casAuthenticationProvider" 
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="authenticationUserDetailsService">
        <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:constructor-arg ref="hwsAuthenticationUserDetailsService" />
        </beans:bean>
    </beans:property>
    <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator">
        <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <beans:constructor-arg index="0" value="http://localhost:8082/sso" />
        </beans:bean>
    </beans:property>
    <beans:property name="key" value="an_id_for_this_auth_provider_only" />
</beans:bean>

<beans:bean id="serviceProperties" 
  class="org.springframework.security.cas.ServiceProperties">
    <beans:property name="service" value="http://localhost:8080/cas-client/login/cas" />
    <beans:property name="sendRenew" value="false" />
</beans:bean>

问题是，当CAS服务器授予票证并重定向到服务URL：http://localhost:8080/cas-client/login/cas?ticket=ST-19-1clKw2tZ5MVp0OznfAun时，casAuthenticationProvider没有被调用。调用的一个是子模块的authenticationProvider，结果是401 Unauthorized错误。为什么不调用CAS SecurityFilterChain？我认为这是由Spring Security CAS处理的，但事实并非如此。我使用Spring Security 5.1.2.RELEASE 非常感谢您的帮助。

Answer 1

我找到了未调用CasAuthenticationProvider的原因。正因为如此：

<security:authentication-manager alias="authenticationManager">
   <security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>

我将alias更改为id。

授予票证后未调用Spring Security CAS和HttpBasic，CasAuthentcationProvider

1 个答案: