CAS Rest 协议在没有通用服务定义的情况下无法工作
CAS Rest Protocol Does not work without Generic Service Definition
我想在我的服务中使用 REST 协议。为此,我启用了 Rest Protocol 并尝试获取 TGT。此外,所有示例都基于我不希望在生产环境中使用的通用服务注册。
Here 是通用服务注册表示例,应该不 在生产环境中使用。我没有在我的环境中使用它:
{
/*
Generic service definition that applies to https/imaps urls
that wish to register with CAS for authentication.
*/
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
}
相反,我有以下一个:
{
"@class": "org.apereo.cas.services.RegexRegisteredService",
// this service will match all the requests contains test in the request url
"serviceId": "^https?:\/\/.*test($|\/).*$",
"name": "Test",
"id": 1,
"description": "Test service",
"evaluationOrder": 2,
"requiredHandlers": [
"java.util.HashSet",
[
"TestHandler"
]
],
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"properties": {
"@class": "java.util.HashMap",
"jwtAsServiceTicket": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values": [
"java.util.HashSet",
[
"true"
]
]
}
}
}
我不能请求一个票据授予票据 explained here:
POST /cas/v1/tickets HTTP/1.0
'Content-type': 'Application/x-www-form-urlencoded'
username=battags&password=password&additionalParam1=paramvalue
我遇到以下异常:
Unauthorized Service Access. Service [] is not found in service registry
当我调试代码时,我可以看到 TGT 已创建并且我注册的服务工作正常。由于在 JWTBuilder:
中再次检查 CAS Server 的注册服务而引发异常
val registeredService = payload.getRegisteredService() == null
? locateRegisteredService(serviceAudience)
: payload.getRegisteredService();
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
此处 CAS 尝试检查是否允许服务访问。 payload.getRegisteredService returns null 并且使用 serviceAudience 调用 locateRegisteredService,然后 ensureServiceAccessIsAllowed 抛出异常。
问题是:serviceAudience 是 always filled,带有 CAS 服务器前缀 ,这意味着必须有一个与CAS 服务器前缀。当我启用通用服务定义时,所有示例都有效,但当我删除它时,由于上述检查,TGT 不会 return。
任何想法,解决方案?我不想让每个人都能够创建 TGT,我也可以添加仅与 CAS 前缀匹配的服务定义,但首先最好了解我是否遗漏了什么或者这是一个错误。
我的Cas版本:6.1.0
我的配置:
server.port=8095
server.servlet.context-path=/bouncer
cas.authn.policy.any.tryAll=false
cas.authn.policy.any.enabled=true
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:/services
我的构建:
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>${maven-war-plugin.version}</version>
<configuration>
<warName>${project.artifactId}</warName>
<failOnMissingWebXml>false</failOnMissingWebXml>
<recompressZippedFiles>false</recompressZippedFiles>
<archive>
<compress>false</compress>
<manifestFile>${manifestFileToUse}</manifestFile>
</archive>
<overlays>
<overlay>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp${app.server}</artifactId>
<excludes>
<exclude>WEB-INF/lib/log4j-api-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-jcl-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-jul-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-slf4j18-impl-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-web-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/slf4j-api-1.8.0-beta4.jar</exclude>
</excludes>
</overlay>
</overlays>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven-compiler-plugin.version}</version>
</plugin>
</plugins>
<finalName>${project.artifactId}.jar</finalName>
</build>
<dependencies>
<!--START: Extend CAS as WebApp-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp${app.server}</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<!--END-->
<!--START: Logback Gelf(Graylog Extended Log Format) integration-->
<dependency>
<groupId>de.siegmar</groupId>
<artifactId>logback-gelf</artifactId>
<version>${logback-gelf.version}</version>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Java 11 integration problems, use older logback and slf4j until it is supported-->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback-classic.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j-api.version}</version>
</dependency>
<!--END-->
<!-- TODO: Problem The following two deps are needed for sending traces to zipkin -->
<!-- Problem: https://github.com/spring-cloud/spring-cloud-sleuth/issues/1193 -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-sleuth</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--this one is needed, because else an exception will be thrown caused
by: java.lang.NoClassDefFoundError: com/netflix/servo/monitor/Monitors-->
<dependency>
<groupId>com.netflix.servo</groupId>
<artifactId>servo-core</artifactId>
<version>${servo-core.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- START: Support JWT/CAS Protocol: https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-token-tickets</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!-- START: REST Endpoints enabled for cli authentications -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-rest-tokens</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!-- START: JSON Service Registry Enabled -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-json-service-registry</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.el</groupId>
<artifactId>el-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: OIDC Protocol enabled-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-oidc</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Enable consul client -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-consul-client</artifactId>
<version>${cas-server-support-consul-client.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Enable Custom Authentication for CAS: https://apereo.github.io/cas/6.0.x/installation/Configuring-Custom-Authentication.html-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-authentication-api</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-api-configuration-model</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-web-api</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Enable Logback Support: https://apereo.github.io/cas/6.0.x/logging/Logging-Logback.html#logback-logging-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-logback</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<!-- NotNull annotation comes from this package conflicts with hibarnate for ConsulProperties class-->
<exclusion>
<groupId>edu.washington.cs.types.checker</groupId>
<artifactId>checker-framework</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
</dependencies>
Any idea, solution? I don't want to allow everyone able to create TGT, I can add service definition that only matches with CAS prefix also but first it is better to understand if I miss something or if this is a bug.
你没有遗漏任何东西。这对我来说听起来像是一个错误。作为解决方法,我现在会添加与 CAS 前缀匹配的服务定义。
听起来这个问题很可能只是因为你正在使用这个而出现:
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-token-tickets</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
如果你不需要这个,那么你可以删除它来解决这个问题。否则现在,添加仅与 CAS 前缀匹配的服务定义 的解决方法应该可以。
PS 您可以尝试切换到 6.1.2,但我认为这不会对这种情况产生影响;无论如何切换是个好主意。
我想在我的服务中使用 REST 协议。为此,我启用了 Rest Protocol 并尝试获取 TGT。此外,所有示例都基于我不希望在生产环境中使用的通用服务注册。
Here 是通用服务注册表示例,应该不 在生产环境中使用。我没有在我的环境中使用它:
{
/*
Generic service definition that applies to https/imaps urls
that wish to register with CAS for authentication.
*/
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
}
相反,我有以下一个:
{
"@class": "org.apereo.cas.services.RegexRegisteredService",
// this service will match all the requests contains test in the request url
"serviceId": "^https?:\/\/.*test($|\/).*$",
"name": "Test",
"id": 1,
"description": "Test service",
"evaluationOrder": 2,
"requiredHandlers": [
"java.util.HashSet",
[
"TestHandler"
]
],
"attributeReleasePolicy": {
"@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"properties": {
"@class": "java.util.HashMap",
"jwtAsServiceTicket": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values": [
"java.util.HashSet",
[
"true"
]
]
}
}
}
我不能请求一个票据授予票据 explained here:
POST /cas/v1/tickets HTTP/1.0
'Content-type': 'Application/x-www-form-urlencoded'
username=battags&password=password&additionalParam1=paramvalue
我遇到以下异常:
Unauthorized Service Access. Service [] is not found in service registry
当我调试代码时,我可以看到 TGT 已创建并且我注册的服务工作正常。由于在 JWTBuilder:
中再次检查 CAS Server 的注册服务而引发异常 val registeredService = payload.getRegisteredService() == null
? locateRegisteredService(serviceAudience)
: payload.getRegisteredService();
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
此处 CAS 尝试检查是否允许服务访问。 payload.getRegisteredService returns null 并且使用 serviceAudience 调用 locateRegisteredService,然后 ensureServiceAccessIsAllowed 抛出异常。
问题是:serviceAudience 是 always filled,带有 CAS 服务器前缀 ,这意味着必须有一个与CAS 服务器前缀。当我启用通用服务定义时,所有示例都有效,但当我删除它时,由于上述检查,TGT 不会 return。
任何想法,解决方案?我不想让每个人都能够创建 TGT,我也可以添加仅与 CAS 前缀匹配的服务定义,但首先最好了解我是否遗漏了什么或者这是一个错误。
我的Cas版本:6.1.0
我的配置:
server.port=8095
server.servlet.context-path=/bouncer
cas.authn.policy.any.tryAll=false
cas.authn.policy.any.enabled=true
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:/services
我的构建:
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>${maven-war-plugin.version}</version>
<configuration>
<warName>${project.artifactId}</warName>
<failOnMissingWebXml>false</failOnMissingWebXml>
<recompressZippedFiles>false</recompressZippedFiles>
<archive>
<compress>false</compress>
<manifestFile>${manifestFileToUse}</manifestFile>
</archive>
<overlays>
<overlay>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp${app.server}</artifactId>
<excludes>
<exclude>WEB-INF/lib/log4j-api-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-jcl-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-jul-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-slf4j18-impl-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/log4j-web-2.12.1.jar</exclude>
<exclude>WEB-INF/lib/slf4j-api-1.8.0-beta4.jar</exclude>
</excludes>
</overlay>
</overlays>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>${maven-compiler-plugin.version}</version>
</plugin>
</plugins>
<finalName>${project.artifactId}.jar</finalName>
</build>
<dependencies>
<!--START: Extend CAS as WebApp-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-webapp${app.server}</artifactId>
<version>${cas.version}</version>
<type>war</type>
<scope>runtime</scope>
</dependency>
<!--END-->
<!--START: Logback Gelf(Graylog Extended Log Format) integration-->
<dependency>
<groupId>de.siegmar</groupId>
<artifactId>logback-gelf</artifactId>
<version>${logback-gelf.version}</version>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Java 11 integration problems, use older logback and slf4j until it is supported-->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback-classic.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j-api.version}</version>
</dependency>
<!--END-->
<!-- TODO: Problem The following two deps are needed for sending traces to zipkin -->
<!-- Problem: https://github.com/spring-cloud/spring-cloud-sleuth/issues/1193 -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-sleuth</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--this one is needed, because else an exception will be thrown caused
by: java.lang.NoClassDefFoundError: com/netflix/servo/monitor/Monitors-->
<dependency>
<groupId>com.netflix.servo</groupId>
<artifactId>servo-core</artifactId>
<version>${servo-core.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- START: Support JWT/CAS Protocol: https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-token-tickets</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!-- START: REST Endpoints enabled for cli authentications -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-rest-tokens</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!-- START: JSON Service Registry Enabled -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-json-service-registry</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>javax.el</groupId>
<artifactId>el-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: OIDC Protocol enabled-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-oidc</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Enable consul client -->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-consul-client</artifactId>
<version>${cas-server-support-consul-client.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Enable Custom Authentication for CAS: https://apereo.github.io/cas/6.0.x/installation/Configuring-Custom-Authentication.html-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-authentication-api</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-api-configuration-model</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-core-web-api</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
<!--START: Enable Logback Support: https://apereo.github.io/cas/6.0.x/logging/Logging-Logback.html#logback-logging-->
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-logback</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<!-- NotNull annotation comes from this package conflicts with hibarnate for ConsulProperties class-->
<exclusion>
<groupId>edu.washington.cs.types.checker</groupId>
<artifactId>checker-framework</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--END-->
</dependencies>
Any idea, solution? I don't want to allow everyone able to create TGT, I can add service definition that only matches with CAS prefix also but first it is better to understand if I miss something or if this is a bug.
你没有遗漏任何东西。这对我来说听起来像是一个错误。作为解决方法,我现在会添加与 CAS 前缀匹配的服务定义。
听起来这个问题很可能只是因为你正在使用这个而出现:
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-token-tickets</artifactId>
<version>${cas.version}</version>
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
</exclusions>
</dependency>
如果你不需要这个,那么你可以删除它来解决这个问题。否则现在,添加仅与 CAS 前缀匹配的服务定义 的解决方法应该可以。
PS 您可以尝试切换到 6.1.2,但我认为这不会对这种情况产生影响;无论如何切换是个好主意。