CAS server cross-subdomain ST ticket
I have my own Jasig CAS server:
https://cas.example.com
In addition, I have two subdomains (applications) connected to this CAS server, for example:
https://ui.example.com
https://api.example.com
I can successfully create an ST ticket for https://ui.example.com with the following request:
https://cas.example.com/login?service=https://ui.example.com
Response:
https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/
But I cannot use this ticket for https://api.example.com:
https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com
The following error appears:
access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account
This is my service configuration:
{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^(http?|https?)://.*example.com/.*",
  "name" : "example.com dev",
  "theme" : "example",
  "id" : 20000002,
  "description" : "example.com dev environment",
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^(http?|https?)://.*example.com/.*"
  },
  "evaluationOrder" : 2,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}
Is it possible to issue one ST ticket that is accepted by both of these subdomains, https://ui.example.com and https://api.example.com?
Not possible with Jasig CAS.
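The error message in the question shows the CAS property at work: the regex in "serviceId" only decides which URLs may request a ticket, while each service ticket (ST) is bound to the exact service URL it was issued for, is accepted only by that service, and is consumed on first use. The following is an added example that simulates that check in Python; it is not code from the question or from Jasig CAS. The in-memory ticket registry, the ticket string format, and the simplified exact-match comparison of service URLs are constructed assumptions, as is the demo() walk-through, which also shows the supported pattern: the second application obtains its own ST instead of reusing the first one.

```python
"""Simulation of CAS service-ticket binding (constructed example, not CAS code)."""
import re
import secrets
from typing import Dict

# Registration regex from the question: it decides which service URLs may
# *request* tickets. It does not make a ticket transferable between them.
SERVICE_ID_REGEX = re.compile(r"^(http?|https?)://.*example.com/.*")

# Constructed in-memory ticket registry: ticket id -> service URL it was issued for.
_ticket_registry: Dict[str, str] = {}


def is_registered(service: str) -> bool:
    """Equivalent of the RegexRegisteredService serviceId check."""
    return SERVICE_ID_REGEX.match(service) is not None


def issue_service_ticket(service: str) -> str:
    """Models /login?service=...: mint a one-time ST bound to exactly that service."""
    if not is_registered(service):
        raise PermissionError(f"service {service!r} is not registered")
    # Constructed ticket format (assumption), unpredictable like a real ST id.
    ticket = "ST-" + secrets.token_urlsafe(16) + "-cas.example.com"
    _ticket_registry[ticket] = service
    return ticket


def validate_service_ticket(ticket: str, service: str) -> dict:
    """Models /serviceValidate?ticket=...&service=...

    The ST is consumed on the first validation attempt and is accepted only for
    the service it was issued to (simplified here to an exact string match).
    """
    issued_for = _ticket_registry.pop(ticket, None)
    if issued_for is None:
        return {"ok": False, "error": "INVALID_TICKET",
                "message": f"Ticket {ticket!r} not recognized"}
    if issued_for != service:
        return {"ok": False, "error": "INVALID_SERVICE",
                "message": (f"Ticket {ticket!r} does not match supplied service. "
                            f"The original service was {issued_for!r} "
                            f"and the supplied service was {service!r}")}
    return {"ok": True, "service": service}


def demo() -> dict:
    """Walk through the scenario from the question (constructed service URLs)."""
    ui = "https://ui.example.com/"
    api = "https://api.example.com/api/v1.0/account"
    assert is_registered(ui) and is_registered(api)  # both match the regex

    # A ticket minted for the UI and presented to the API is rejected...
    st_ui = issue_service_ticket(ui)
    cross = validate_service_ticket(st_ui, api)
    # ...and it has been consumed, so it cannot be retried against the UI either.
    replay = validate_service_ticket(st_ui, ui)

    # The supported pattern: the API obtains its own ST from /login (silently,
    # because the browser still holds the CAS SSO session cookie).
    st_api = issue_service_ticket(api)
    own = validate_service_ticket(st_api, api)

    return {"cross": cross["error"], "replay": replay["error"], "own": own["ok"]}


if __name__ == "__main__":
    print(demo())
```

The cross-service attempt fails with the same wording as the BadCredentialsException in the question, and the ticket is gone afterwards; that binding plus single use is what keeps a captured ST from being replayed against another application behind the same CAS server.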