Spring 安全 CAS 和 HttpBasic,授予票证后未调用 CasAuthentcationProvider
Spring Security CAS and HttpBasic, CasAuthentcationProvider not invoked after ticket granted
我有一个 Maven 多模块应用程序,其中主模块依赖于其他模块。此主模块使用 Spring 安全 CAS 进行保护,子模块需要基本身份验证。这是子模块的安全配置示例:
<security:http name="boobkingapiHttp" create-session="stateless" pattern="/hub/book/**"
authentication-manager-ref="apiAuthenticationManager">
<security:intercept-url pattern="/hub/book" access="ROLE_ORDER_MANAGER" />
<security:http-basic />
</security:http>
以及主模块的安全配置:
<security:http entry-point-ref="casEntryPoint" pattern="/**" realm="ecab" use-expressions="false">
<security:intercept-url pattern="/flow/googlestatistics/**" access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<security:logout logout-success-url="/logout.xhtml"/>
<security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>
<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="http://localhost:8082/sso/login" />
<beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="authenticationUserDetailsService">
<beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:constructor-arg ref="hwsAuthenticationUserDetailsService" />
</beans:bean>
</beans:property>
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0" value="http://localhost:8082/sso" />
</beans:bean>
</beans:property>
<beans:property name="key" value="an_id_for_this_auth_provider_only" />
</beans:bean>
<beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service" value="http://localhost:8080/cas-client/login/cas" />
<beans:property name="sendRenew" value="false" />
</beans:bean>
问题是,当 CAS 服务器授予票证并重定向到服务 url 时:http://localhost:8080/cas-client/login/cas?ticket=ST-19-1clKw2tZ5MVp0OznfAun casAuthenticationProvider 未被调用。调用的是子模块的 authenticationProvider 结果是 401 Unauthorized 错误。
为什么不调用 CAS SecurityFilterChain?我认为这是由 Spring Security CAS 处理的,但似乎不是。
我使用 Spring 安全 5.1.2.RELEASE
非常感谢您的帮助。
我找到了 CasAuthenticationProvider 没有被调用的原因。就是因为这个:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
我把alias改成了id。
我有一个 Maven 多模块应用程序,其中主模块依赖于其他模块。此主模块使用 Spring 安全 CAS 进行保护,子模块需要基本身份验证。这是子模块的安全配置示例:
<security:http name="boobkingapiHttp" create-session="stateless" pattern="/hub/book/**"
authentication-manager-ref="apiAuthenticationManager">
<security:intercept-url pattern="/hub/book" access="ROLE_ORDER_MANAGER" />
<security:http-basic />
</security:http>
以及主模块的安全配置:
<security:http entry-point-ref="casEntryPoint" pattern="/**" realm="ecab" use-expressions="false">
<security:intercept-url pattern="/flow/googlestatistics/**" access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_ADMIN" />
<security:custom-filter position="CAS_FILTER" ref="casFilter" />
<security:logout logout-success-url="/logout.xhtml"/>
<security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
<security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
</security:http>
<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<beans:property name="loginUrl" value="http://localhost:8082/sso/login" />
<beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<beans:bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<beans:property name="authenticationUserDetailsService">
<beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:constructor-arg ref="hwsAuthenticationUserDetailsService" />
</beans:bean>
</beans:property>
<beans:property name="serviceProperties" ref="serviceProperties" />
<beans:property name="ticketValidator">
<beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<beans:constructor-arg index="0" value="http://localhost:8082/sso" />
</beans:bean>
</beans:property>
<beans:property name="key" value="an_id_for_this_auth_provider_only" />
</beans:bean>
<beans:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<beans:property name="service" value="http://localhost:8080/cas-client/login/cas" />
<beans:property name="sendRenew" value="false" />
</beans:bean>
问题是,当 CAS 服务器授予票证并重定向到服务 url 时:http://localhost:8080/cas-client/login/cas?ticket=ST-19-1clKw2tZ5MVp0OznfAun casAuthenticationProvider 未被调用。调用的是子模块的 authenticationProvider 结果是 401 Unauthorized 错误。
为什么不调用 CAS SecurityFilterChain?我认为这是由 Spring Security CAS 处理的,但似乎不是。
我使用 Spring 安全 5.1.2.RELEASE
非常感谢您的帮助。
我找到了 CasAuthenticationProvider 没有被调用的原因。就是因为这个:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
我把alias改成了id。