CAS 4 with Spring Security 4 (java config) - 在票证授予 SSO 后卡在重定向循环中
CAS 4 with Spring Security 4 (java config) - stuck in a redirect loop after ticket granted SSO
我已经在这个问题上停留了大约几天了。我在 Tomcat 8 上有一个 CAS 4 应用程序和一个 Spring-enabled (MVC and Security) 网络应用程序 运行。我正在尝试针对 CAS 服务器进行身份验证。所有设置都工作得很好,但是一旦我似乎通过了身份验证(给出了票证)并尝试重定向我得到 This webpage has a redirect loop,ERR_TOO_MANY_REDIRECTS。我正在使用来自 CAS 4 的默认内存中身份验证(用户:casuser,密码:Mellon)
我试过了:
1) 为 casAuthenticationFilter 上下文路径 (/test/j_spring_cas_security_check) 使用了不同的前缀,并在 serviceProperties (serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/test/j_spring_cas_security_check");)
中使用了一个匹配的前缀
- 从自定义
SavedRequestAwareAuthenticationSuccessHandler 重定向到我的 contextRoot 并覆盖
onAuthenticationSuccess(HttpServletRequest 请求,
HttpServletResponse响应,Authentication认证)
- 转到
Spring MVC 3.2.8 和 Spring Security 3.2.8(有人遇到类似问题并转到 Spring 的旧版本)
这是设置(没有web.xml,全部使用Java Config完成):
SecurityConfig.java
@Configuration
@EnableWebSecurity
public class PhoenixSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check");
serviceProperties.setSendRenew(false);
return serviceProperties;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("phoenixWeb_CAS_ID");
return casAuthenticationProvider;
}
@Bean
public AuthenticationUserDetailsService authenticationUserDetailsService() {
return new TestCasAuthenticationUserDetailsService();
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator("https://OFB25572D8.OKFB.COM:8443/cas");
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setAuthenticationSuccessHandler(customSuccessHandler());
casAuthenticationFilter.setFilterProcessesUrl("/j_spring_cas_security_check");
return casAuthenticationFilter;
}
@Bean
public SavedRequestAwareAuthenticationSuccessHandler customSuccessHandler() {
return new CustomRequestHandler();
}
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl("https://OFB25572D8.OKFB.COM:8443/cas/login");
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(casAuthenticationFilter());
http
.exceptionHandling()
.authenticationEntryPoint(casAuthenticationEntryPoint());
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
//.anyRequest().permitAll()
//.and().csrf().csrfTokenRepository(csrfTokenRepository()).and();
//.and().csrf().disable()
//.formLogin()
//.loginPage("/login")
//.permitAll();
//Below is forcing over HTTPS
//.and().requiresChannel().anyRequest().requiresSecure();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.authenticationProvider(casAuthenticationProvider());
}
}
TestCasAuthenticationUserDetailsService.java
public class TestCasAuthenticationUserDetailsService implements AuthenticationUserDetailsService {
@Override
public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new User("casuser", "Mellon", authorities);
}
}
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-jpa</artifactId>
<version>1.9.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas-client</artifactId>
<version>3.0.8.RELEASE</version>
</dependency>
</dependencies>
对 Web 应用程序的初始请求
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:20:14 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
一旦我按下提交
Request URL:https://ofb25572d8.okfb.com:8443/cas/login;jsessionid=988CBFBD15B4FE7562C8A5D4A3ADBE70?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Request Method:POST
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:0
Date:Wed, 30 Dec 2015 19:22:53 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:CASPRIVACY=""; Path=/cas/; Secure; HttpOnly
Set-Cookie:TGC=eyJhbGciOiJIUzUxMiJ9.ZXlKaGJHY2lPaUprYVhJaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJbjAuLndXYV9rNTVNRWVMWHNXdjlCWW1qVGcuVjFGM1VqWF93THVQWFBpbnBUaW9lRWRyS2p0QnNRODJwNG5INnRCZTlUYVJORk00QUprbVlRYlI0c2l3SFpJeHVCc0R6ZkZVdnlSaVhNekpkSURBaXQtazhpNkl2NEhUUjlyVzY1T1E1YmZ6VUEwX3JKOWdvLXNaNE5hTm9WTTNtSGVDalBsdGtFaVVUNXAxWGhYWVh5U25rZlQwaGxXLTJXVEZLZ0U3LXZQLVd2SVNCLTFtaHRjLWl6U2VfUWhrVS00RnZ1QWdOM2lZN2JvTGJ4c3VLMEE5RFBWM2xxZ2xncWtCQld2eW1PMkxKcm5fSGZ6aXdDeDdmS2N2Sjk1UlA1clIxaWs2Sk5VSTk2dEktUEtiS2cuSzl4YjM2aVY0Q0RfRDQtVWhDSzgzUQ.1KHCed4LP-E1VHN8nxTIoligha0yGYP-aAfbuIVkVPbbb2o5PiLdFrS3gbmuGLEApEXJpPcCExOcjYaLRNw8tg; Path=/cas/; Secure; HttpOnly
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:2894
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=988CBFBD15B4FE7562C8A5D4A3ADBE70
Host:ofb25572d8.okfb.com:8443
Origin:https://ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
service:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check
Form Data
view source
view URL encoded
username:casuser
password:Mellon
lt:LT-1-3c6Q2CbmBx2YdWkQDM9fxHkWnc7AQJ-cas01.example.org
execution:a1757b02-69fc-46c7-a997-1b747ea87038_AAAAIgAAABAyzkQ98n/PaEXy025/kUJZAAAABmFlczEyOFsDrH9p+tpmDRMzL8sfKARNMiwmDEizgxEjXOHgNN0GhRtK8d600V6tEbNFQfoUKKibDDrjJ2YYfimZvArm0AARwzGgiFLV2MIuzs5poUXNXf1Gam6chUrgexNZRu+MKgnh3jTUjzEMGd8BQT/2wYUgbsYktbppTEYfsR1FjIC2rbL4euzaM452Wvdbbb7kyw4hHNWnF6/Gvtf6iQxg14vW7FtDGv5J96E1Cv/FrXpqHffMujN6ZlZs1rz5jonhehVJoWSjIJYQgeq6p9meBdNuzeoLZCyr71vxIT/CBElmIxDr4HDd+u7g3VPDJdZ0FfI+p6LOFH3l97HGwT8AjAKtAlZ+DfPXHXIDbDWeHgw31ke6VHsnjuTR6TG+gc2TkF82WOiZ5PpTS7J/N565hkrgEh7Mx5mH2WSrDUk+5V95ZY78ctZBHyiblT0xVWjZp/eEaDGy6+14IRFRXshkx/x0LkvrLbYsb1J+4tkUo1j959JEjHbLqDsUZUczYSkFXYJVcZGEiVOlgp66i0QpGR7O4ubRtFrA/ZKSAwDsTMaR4uKcORADCPSOOG3R8fUuQAF0UQZtsrsu/C8FBXD16wE81Jy/EDvUwiFpihkmkEoajvDDsYuVguapeWVIloHrAGp8RjzWPcG7mK7bO++/oet5TWm6yG3hvSPVTpR93ETpdfTYlcZneKaM7HRyGx1WbZntK5mgsBzJtqvgJy9mYANRggPpWVFOThMS6BP1Q14HpWA5XUDu4hay8Pulps4K7cRnk1SRjzCFNqYXA/ZI9hVf8+QrShl2T6xS7kdTfI283THixux2WSfyWkoYmN9xhweSw5YOL7zWBxvvcEEP8hOqPLfr1/pxQMFhiAu8xrg1Gbf6BYIX9f/Olp8Zp6MJtzM99TNLcp0Wvoa8Oj4WHB38cuGPppYNA5V7iDycIaEMCzYb+aOQZd455YuLQxpePVD48CTENEocBJGsKQ+dO2zVayRkwtLlB5PgXaJEkqwlFbNxPaImYahv9p/HteNNMS4jc1JsimhOaICOk/u1XG9jRLCRXKeYazKpRfPT8z9KEvVDmncOqSwK8uJqZMLZIaFLPGJzhehp081CToVb50WxJiO1ySYU8e441LrIHGjS4NNoeoIf1MThmXpXGqqeTEaZMP/+XQUF2VhWsZM5k6iYj0227MxYJlObnBCXgYjsv9v4VTa6kCVutUWMYIwdENID6S1fXF8Dqn4RSg3l2TRhGQZMzrylJdLA8K873i1wU7o2neEmL4PPBvHuxCBaIhF2lldcq1MXg+fH4mtRrULk+aTjc9zvWjXZvTqO1nVsWZyxuSG72QCfS5MEDUWqVA3BRkW1RLcQPQs7WxvkUi9MTJN99Gt/X30Kw4ifZk2RpZD8x8DI1HC+stBdY9mgl+8SYtoB6Cxuj/XVPMcZM+iw4sQTlDTqNw0p0Muwmj6sGduh4bjuZX2r+E/L8d3tARy0QtdHht/07Y24QA8If6C9rL7SlSkhhOQQynpI9BOFN/jOf9ya66HPTEVtyutiT+r+5SuawyhwUCvgnRkVxNsFIHIcuvUj10X9VAR0/5rHlTX0pXnMz8zO75nCCVb3yoaOfVKPiAar8bLY20PSwUm4hapMWHrnIwINR64jntyA0byq7zGPH2OiGrv1c/5ky5mhzEG5A9yrWId89kgNd8BjNpL9DJN0+0mCVECULYnSwk5nfJVsuUMFDClEmJ1L06uahTvxS1X0GdWjna36gqiW4uMIpW8czH4IAATqob/iF0f30U8+0I/aNUPGuUimMoeS+fCQM2enu0V8tCwU4oPemCYCrVQGi2ReCMglbQGDnp2IJPhgYN2E6OGndJOSNpc1w9KQF3t5bwnsrScnVj2gf3/GVEUwxRqhH2GA49LiqNLycwoJGZHMz6tK0DZL8FQu7I0S74SLsuFfmbeQwLVj3KMgMOWpLctPCIrn2CVfYvzd1uFZXTfK7s3+uR8Kfh+wSqAoF9c3du3Qb3saFg8AxRQ6A21BzgUgcU8nS5nhoGaGLdunpITtiRBK3DTuEWOnXnuQXU02CW4PbPLNDsiHydvJFmP6nn9Uhi4y1G7XPUrv/s3IkZxW4NsvtTNXC3gqvyWke0zQLNKszYcsIV5v+8POOZLXQpQRA79LN1toLjLvH8snhrgAMYND8NnAFLbgCJMzLvvPLnmWW6oMsIu3IH6irU8Qjk3FkwUOnUoQ1ybqTAdNsmG3RJ7dxM1sDBCRRY67dpbl4/fETYFQGgrYw8YOTeH3KF00w00q8ytyyXGGUOyrxiT1hDqPo+0Ya01q/BkEnhjwIgDSjTI3eoiNy/JS2Y8Yg94OpeTfaTOyRk8MNb6UYg+mx8QOrm8+A2/W5WwC6A050CWcXBOG/GCC94TqL+cQ1iJw8MMLl4ZXYRrY51voeXcWJipoVF3YH/cs+WvL3YfJAQzPgj8HhMiUtM9aMauQFg1Z6wNPndPx6M8p/d8YJqt2v8IamNDWNx/Qx7tAHie3dxids5E8GqmeVqFJ9mitMT2vIT6kmEiw
_eventId:submit
submit:LOGIN
获得票证后
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://ofb25572d8.okfb.com:8443/phoenixWeb
Pragma:no-cache
Server:Apache-Coyote/1.1
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
ticket:ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
当我应该通过身份验证并显示主页时
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=9A60C50821E55B52CAA138B9233B305F; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
我终于找到了 Redirect Loop 错误的原因。问题是,当我发出初始请求时,Spring 在 SAVED_REQUEST 会话属性中的 servletPath 有一个空字符串。
最初的URL是:
https://server:8443/contextPath
我的 Spring 控制器有一个 class-level,根映射到 "/"。我的应用程序安全设置是:
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
因此,考虑到这一点,当我发出初始请求时,servletPath 是一个空字符串 ""(我扩展了 SavedRequestAwareAuthenticationSuccessHandler 以在成功登录后观察重定向) 并且由于没有映射到 casFilter 试图一遍又一遍地 re-authenticate 请求。
如果我在 URL 的末尾使用斜杠,一切都会完美无缺:
https://server:8443/contextPath/ //NOTE the slash in the end
因此,对于那些有类似问题的人来说,所有配置和设置看起来和行为都正确,但仍然会出现重定向循环,请检查您的 RequestMappings 和您尝试验证的 URL!
我已经在这个问题上停留了大约几天了。我在 Tomcat 8 上有一个 CAS 4 应用程序和一个 Spring-enabled (MVC and Security) 网络应用程序 运行。我正在尝试针对 CAS 服务器进行身份验证。所有设置都工作得很好,但是一旦我似乎通过了身份验证(给出了票证)并尝试重定向我得到 This webpage has a redirect loop,ERR_TOO_MANY_REDIRECTS。我正在使用来自 CAS 4 的默认内存中身份验证(用户:casuser,密码:Mellon)
我试过了:
1) 为 casAuthenticationFilter 上下文路径 (/test/j_spring_cas_security_check) 使用了不同的前缀,并在 serviceProperties (serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/test/j_spring_cas_security_check");)
- 从自定义
SavedRequestAwareAuthenticationSuccessHandler重定向到我的 contextRoot 并覆盖
onAuthenticationSuccess(HttpServletRequest 请求, HttpServletResponse响应,Authentication认证)
- 转到
Spring MVC 3.2.8和Spring Security 3.2.8(有人遇到类似问题并转到 Spring 的旧版本)
这是设置(没有web.xml,全部使用Java Config完成):
SecurityConfig.java
@Configuration
@EnableWebSecurity
public class PhoenixSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public ServiceProperties serviceProperties() {
ServiceProperties serviceProperties = new ServiceProperties();
serviceProperties.setService("https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check");
serviceProperties.setSendRenew(false);
return serviceProperties;
}
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
CasAuthenticationProvider casAuthenticationProvider = new CasAuthenticationProvider();
casAuthenticationProvider.setAuthenticationUserDetailsService(authenticationUserDetailsService());
casAuthenticationProvider.setServiceProperties(serviceProperties());
casAuthenticationProvider.setTicketValidator(cas20ServiceTicketValidator());
casAuthenticationProvider.setKey("phoenixWeb_CAS_ID");
return casAuthenticationProvider;
}
@Bean
public AuthenticationUserDetailsService authenticationUserDetailsService() {
return new TestCasAuthenticationUserDetailsService();
}
@Bean
public Cas20ServiceTicketValidator cas20ServiceTicketValidator() {
return new Cas20ServiceTicketValidator("https://OFB25572D8.OKFB.COM:8443/cas");
}
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
casAuthenticationFilter.setAuthenticationManager(authenticationManager());
casAuthenticationFilter.setAuthenticationSuccessHandler(customSuccessHandler());
casAuthenticationFilter.setFilterProcessesUrl("/j_spring_cas_security_check");
return casAuthenticationFilter;
}
@Bean
public SavedRequestAwareAuthenticationSuccessHandler customSuccessHandler() {
return new CustomRequestHandler();
}
@Bean
public CasAuthenticationEntryPoint casAuthenticationEntryPoint() {
CasAuthenticationEntryPoint casAuthenticationEntryPoint = new CasAuthenticationEntryPoint();
casAuthenticationEntryPoint.setLoginUrl("https://OFB25572D8.OKFB.COM:8443/cas/login");
casAuthenticationEntryPoint.setServiceProperties(serviceProperties());
return casAuthenticationEntryPoint;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(casAuthenticationFilter());
http
.exceptionHandling()
.authenticationEntryPoint(casAuthenticationEntryPoint());
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
//.anyRequest().permitAll()
//.and().csrf().csrfTokenRepository(csrfTokenRepository()).and();
//.and().csrf().disable()
//.formLogin()
//.loginPage("/login")
//.permitAll();
//Below is forcing over HTTPS
//.and().requiresChannel().anyRequest().requiresSecure();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.authenticationProvider(casAuthenticationProvider());
}
}
TestCasAuthenticationUserDetailsService.java
public class TestCasAuthenticationUserDetailsService implements AuthenticationUserDetailsService {
@Override
public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
return new User("casuser", "Mellon", authorities);
}
}
pom.xml
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>4.2.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-jpa</artifactId>
<version>1.9.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>4.0.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas-client</artifactId>
<version>3.0.8.RELEASE</version>
</dependency>
</dependencies>
对 Web 应用程序的初始请求
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:20:14 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
一旦我按下提交
Request URL:https://ofb25572d8.okfb.com:8443/cas/login;jsessionid=988CBFBD15B4FE7562C8A5D4A3ADBE70?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Request Method:POST
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache
Cache-Control:no-store
Content-Length:0
Date:Wed, 30 Dec 2015 19:22:53 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Location:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:CASPRIVACY=""; Path=/cas/; Secure; HttpOnly
Set-Cookie:TGC=eyJhbGciOiJIUzUxMiJ9.ZXlKaGJHY2lPaUprYVhJaUxDSmxibU1pT2lKQk1USTRRMEpETFVoVE1qVTJJbjAuLndXYV9rNTVNRWVMWHNXdjlCWW1qVGcuVjFGM1VqWF93THVQWFBpbnBUaW9lRWRyS2p0QnNRODJwNG5INnRCZTlUYVJORk00QUprbVlRYlI0c2l3SFpJeHVCc0R6ZkZVdnlSaVhNekpkSURBaXQtazhpNkl2NEhUUjlyVzY1T1E1YmZ6VUEwX3JKOWdvLXNaNE5hTm9WTTNtSGVDalBsdGtFaVVUNXAxWGhYWVh5U25rZlQwaGxXLTJXVEZLZ0U3LXZQLVd2SVNCLTFtaHRjLWl6U2VfUWhrVS00RnZ1QWdOM2lZN2JvTGJ4c3VLMEE5RFBWM2xxZ2xncWtCQld2eW1PMkxKcm5fSGZ6aXdDeDdmS2N2Sjk1UlA1clIxaWs2Sk5VSTk2dEktUEtiS2cuSzl4YjM2aVY0Q0RfRDQtVWhDSzgzUQ.1KHCed4LP-E1VHN8nxTIoligha0yGYP-aAfbuIVkVPbbb2o5PiLdFrS3gbmuGLEApEXJpPcCExOcjYaLRNw8tg; Path=/cas/; Secure; HttpOnly
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:2894
Content-Type:application/x-www-form-urlencoded
Cookie:JSESSIONID=988CBFBD15B4FE7562C8A5D4A3ADBE70
Host:ofb25572d8.okfb.com:8443
Origin:https://ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
service:https://OFB25572D8.OKFB.COM:8443/phoenixWeb/j_spring_cas_security_check
Form Data
view source
view URL encoded
username:casuser
password:Mellon
lt:LT-1-3c6Q2CbmBx2YdWkQDM9fxHkWnc7AQJ-cas01.example.org
execution:a1757b02-69fc-46c7-a997-1b747ea87038_AAAAIgAAABAyzkQ98n/PaEXy025/kUJZAAAABmFlczEyOFsDrH9p+tpmDRMzL8sfKARNMiwmDEizgxEjXOHgNN0GhRtK8d600V6tEbNFQfoUKKibDDrjJ2YYfimZvArm0AARwzGgiFLV2MIuzs5poUXNXf1Gam6chUrgexNZRu+MKgnh3jTUjzEMGd8BQT/2wYUgbsYktbppTEYfsR1FjIC2rbL4euzaM452Wvdbbb7kyw4hHNWnF6/Gvtf6iQxg14vW7FtDGv5J96E1Cv/FrXpqHffMujN6ZlZs1rz5jonhehVJoWSjIJYQgeq6p9meBdNuzeoLZCyr71vxIT/CBElmIxDr4HDd+u7g3VPDJdZ0FfI+p6LOFH3l97HGwT8AjAKtAlZ+DfPXHXIDbDWeHgw31ke6VHsnjuTR6TG+gc2TkF82WOiZ5PpTS7J/N565hkrgEh7Mx5mH2WSrDUk+5V95ZY78ctZBHyiblT0xVWjZp/eEaDGy6+14IRFRXshkx/x0LkvrLbYsb1J+4tkUo1j959JEjHbLqDsUZUczYSkFXYJVcZGEiVOlgp66i0QpGR7O4ubRtFrA/ZKSAwDsTMaR4uKcORADCPSOOG3R8fUuQAF0UQZtsrsu/C8FBXD16wE81Jy/EDvUwiFpihkmkEoajvDDsYuVguapeWVIloHrAGp8RjzWPcG7mK7bO++/oet5TWm6yG3hvSPVTpR93ETpdfTYlcZneKaM7HRyGx1WbZntK5mgsBzJtqvgJy9mYANRggPpWVFOThMS6BP1Q14HpWA5XUDu4hay8Pulps4K7cRnk1SRjzCFNqYXA/ZI9hVf8+QrShl2T6xS7kdTfI283THixux2WSfyWkoYmN9xhweSw5YOL7zWBxvvcEEP8hOqPLfr1/pxQMFhiAu8xrg1Gbf6BYIX9f/Olp8Zp6MJtzM99TNLcp0Wvoa8Oj4WHB38cuGPppYNA5V7iDycIaEMCzYb+aOQZd455YuLQxpePVD48CTENEocBJGsKQ+dO2zVayRkwtLlB5PgXaJEkqwlFbNxPaImYahv9p/HteNNMS4jc1JsimhOaICOk/u1XG9jRLCRXKeYazKpRfPT8z9KEvVDmncOqSwK8uJqZMLZIaFLPGJzhehp081CToVb50WxJiO1ySYU8e441LrIHGjS4NNoeoIf1MThmXpXGqqeTEaZMP/+XQUF2VhWsZM5k6iYj0227MxYJlObnBCXgYjsv9v4VTa6kCVutUWMYIwdENID6S1fXF8Dqn4RSg3l2TRhGQZMzrylJdLA8K873i1wU7o2neEmL4PPBvHuxCBaIhF2lldcq1MXg+fH4mtRrULk+aTjc9zvWjXZvTqO1nVsWZyxuSG72QCfS5MEDUWqVA3BRkW1RLcQPQs7WxvkUi9MTJN99Gt/X30Kw4ifZk2RpZD8x8DI1HC+stBdY9mgl+8SYtoB6Cxuj/XVPMcZM+iw4sQTlDTqNw0p0Muwmj6sGduh4bjuZX2r+E/L8d3tARy0QtdHht/07Y24QA8If6C9rL7SlSkhhOQQynpI9BOFN/jOf9ya66HPTEVtyutiT+r+5SuawyhwUCvgnRkVxNsFIHIcuvUj10X9VAR0/5rHlTX0pXnMz8zO75nCCVb3yoaOfVKPiAar8bLY20PSwUm4hapMWHrnIwINR64jntyA0byq7zGPH2OiGrv1c/5ky5mhzEG5A9yrWId89kgNd8BjNpL9DJN0+0mCVECULYnSwk5nfJVsuUMFDClEmJ1L06uahTvxS1X0GdWjna36gqiW4uMIpW8czH4IAATqob/iF0f30U8+0I/aNUPGuUimMoeS+fCQM2enu0V8tCwU4oPemCYCrVQGi2ReCMglbQGDnp2IJPhgYN2E6OGndJOSNpc1w9KQF3t5bwnsrScnVj2gf3/GVEUwxRqhH2GA49LiqNLycwoJGZHMz6tK0DZL8FQu7I0S74SLsuFfmbeQwLVj3KMgMOWpLctPCIrn2CVfYvzd1uFZXTfK7s3+uR8Kfh+wSqAoF9c3du3Qb3saFg8AxRQ6A21BzgUgcU8nS5nhoGaGLdunpITtiRBK3DTuEWOnXnuQXU02CW4PbPLNDsiHydvJFmP6nn9Uhi4y1G7XPUrv/s3IkZxW4NsvtTNXC3gqvyWke0zQLNKszYcsIV5v+8POOZLXQpQRA79LN1toLjLvH8snhrgAMYND8NnAFLbgCJMzLvvPLnmWW6oMsIu3IH6irU8Qjk3FkwUOnUoQ1ybqTAdNsmG3RJ7dxM1sDBCRRY67dpbl4/fETYFQGgrYw8YOTeH3KF00w00q8ytyyXGGUOyrxiT1hDqPo+0Ya01q/BkEnhjwIgDSjTI3eoiNy/JS2Y8Yg94OpeTfaTOyRk8MNb6UYg+mx8QOrm8+A2/W5WwC6A050CWcXBOG/GCC94TqL+cQ1iJw8MMLl4ZXYRrY51voeXcWJipoVF3YH/cs+WvL3YfJAQzPgj8HhMiUtM9aMauQFg1Z6wNPndPx6M8p/d8YJqt2v8IamNDWNx/Qx7tAHie3dxids5E8GqmeVqFJ9mitMT2vIT6kmEiw
_eventId:submit
submit:LOGIN
获得票证后
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb/j_spring_cas_security_check?ticket=ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://ofb25572d8.okfb.com:8443/phoenixWeb
Pragma:no-cache
Server:Apache-Coyote/1.1
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:JSESSIONID=3BEED4D08DA6EF00EDBCB87B7930D521
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Query String Parameters
view source
view URL encoded
ticket:ST-1-LhfIkMXSX2iTmpRAKaXc-cas01.example.org
当我应该通过身份验证并显示主页时
Request URL:https://ofb25572d8.okfb.com:8443/phoenixWeb
Request Method:GET
Status Code:302 Found
Remote Address:10.1.24.71:8443
**Response Headers**
view source
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Wed, 30 Dec 2015 19:24:29 GMT
Expires:0
Location:https://OFB25572D8.OKFB.COM:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Pragma:no-cache
Server:Apache-Coyote/1.1
Set-Cookie:JSESSIONID=9A60C50821E55B52CAA138B9233B305F; Path=/phoenixWeb/; Secure; HttpOnly
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
**Request Headers**
view source
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Host:ofb25572d8.okfb.com:8443
Referer:https://ofb25572d8.okfb.com:8443/cas/login?service=https%3A%2F%2FOFB25572D8.OKFB.COM%3A8443%2FphoenixWeb%2Fj_spring_cas_security_check
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
我终于找到了 Redirect Loop 错误的原因。问题是,当我发出初始请求时,Spring 在 SAVED_REQUEST 会话属性中的 servletPath 有一个空字符串。
最初的URL是:
https://server:8443/contextPath
我的 Spring 控制器有一个 class-level,根映射到 "/"。我的应用程序安全设置是:
http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_USER')");
因此,考虑到这一点,当我发出初始请求时,servletPath 是一个空字符串 ""(我扩展了 SavedRequestAwareAuthenticationSuccessHandler 以在成功登录后观察重定向) 并且由于没有映射到 casFilter 试图一遍又一遍地 re-authenticate 请求。
如果我在 URL 的末尾使用斜杠,一切都会完美无缺:
https://server:8443/contextPath/ //NOTE the slash in the end
因此,对于那些有类似问题的人来说,所有配置和设置看起来和行为都正确,但仍然会出现重定向循环,请检查您的 RequestMappings 和您尝试验证的 URL!