3

我的 CAS 环境包括 CAS 服务器和 2 个(Grails)网络应用程序(API 和 UI),这样

CAS 服务器:(启用 RESTful API 的 CAS + Spring Security)
https://server/cas/login
服务 1:(通过代理与 app-api 通信的主用户 UI)
https://server/app/j_spring_cas_security_check
服务 2:
https://server/app-api/j_spring_cas_security_check

“app”通过像这样查询代理票证与“app-api”通信......

String getProxyTicketFor( String serviceUrl ) {
    String ticket = null;
    try {
        def context = SecurityContextHolder.getContext();
        def auth = context?.getAuthentication();
        def assertion = auth?.getAssertion();
        def principal = assertion?.getPrincipal();
        ticket = principal?.getProxyTicketFor( serviceUrl );
    } catch(e) { ... }
    return ticket;
}

这是我之前的所有设置,并且按预期工作。

除此之外,我还有一个“旧版”Java Web Start (Jnlp) 应用程序,它通过自定义端口与运行在 JBoss 上的后端服务器进行通信。

我的任务和问题如下 - 我希望这个 JWS 服务器能够代表经过身份验证的 cas 用户通过通过 Jnlp 启动器传递的服务票证与 casified webapp(服务 1)进行通信。用户可以通过“应用程序”UI 启动 JNLP,然后允许 Java Web Start 客户端与其服务器之间进行交互。我们希望 JWS 服务器能够代表用户与服务 1 进行通信,而无需重新输入凭据。

我一直在使用它自己的 Service1 url 从“app”请求服务票证并获得适当的服务票证,例如 ST-66-IlSRiXhm54ooRFeUXOZO-cas。

当我测试使用 Curl 首先点击 RESTful API 以生成服务票证然后使用不同的 Curl 会话来使用票证时,我正在尝试做的基本要点似乎有效。

// 1. Request TGT - Response TGT TICKET: [TGT-18-CZfUKZMjQWfwTE4fkUOqihhoNVRhpLg2KNcxxtYZd2QJHRmdLN-cas]
$ curl -k -s -c cookie1.txt -b cookie1.txt -d username=user1&password=password https://server/cas/v1/tickets

// 2. Request ST using TGT - Response ST TICKET: ST-18-1WqgeEsRBSLQ92GeOwXx-cas
$ curl -k -s -c cookie1.txt -b cookie1.txt -d service=https://server/app/j_spring_cas_security_check https://server/cas/v1/tickets/TGT-18-CZfUKZMjQWfwTE4fkUOqihhoNVRhpLg2KNcxxtYZd2QJHRmdLN-cas

// 3. Use ST Ticket to "validate" connection against the Spring Security service    ticket consumption page
$ curl -k -s -c cookie2.txt -b cookie2.txt -d ticket=ST-18-1WqgeEsRBSLQ92GeOwXx-cas https://server/app/j_spring_cas_security_check -o output1.txt -L

// 4. I am now able to reach my protected document
$ curl -k -s -c cookie2.txt -b cookie2.txt https://server/app/document.txt -o output2.txt -L

为了测试我之前从“应用程序”请求的服务票,以便与我的 JNLP 一起使用,我基本上一直在使用收到的 ST 手动执行上面的步骤 3 和 4 - 它在步骤 3 失败。当我尝试使用它时,我得到一个AUTHENTICATION_SUCCESS 紧随其后的是 PROXY_GRANTING_TICKET_NOT_CREATED。

错误信息

=============================================================
WHO: [callbackUrl: https://server/app/casCommunicator/proxyCallback]
WHAT: supplied credentials: [callbackUrl: https://server/app/casCommunicator/proxyCallback]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Sep 19 17:23:37 EDT 2012
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

2012-09-19 17:23:37,058 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-32-ffeocQpdbYwtblIydlOm-cas]
2012-09-19 17:23:37,058 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-32-ffeocQpdbYwtblIydlOm-cas] found in registry.
2012-09-19 17:23:37,058 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-32-ffeocQpdbYwtblIydlOm-cas]
2012-09-19 17:23:37,058 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-32-ffeocQpdbYwtblIydlOm-cas] found in registry.
2012-09-19 17:23:37,058 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: https://server/app/casCommunicator/proxyCallback
WHAT: org.jasig.cas.ticket.InvalidTicketException
ACTION: PROXY_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Wed Sep 19 17:23:37 EDT 2012
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

2012-09-19 17:23:37,058 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: [callbackUrl: https://server/app/casCommunicator/proxyCallback]
org.jasig.cas.ticket.InvalidTicketException
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody6(CentralAuthenticationServiceImpl.java:278)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody7$advice(CentralAuthenticationServiceImpl.java:44)
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:1)
    at sun.reflect.GeneratedMethodAccessor44.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
    at org.perf4j.aop.AbstractTimingAspect$1.proceed(AbstractTimingAspect.java:47)
    at org.perf4j.aop.AgnosticTimingAspect.runProfiledMethod(AgnosticTimingAspect.java:53)
    at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:45)
    at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
    at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
    at sun.reflect.GeneratedMethodAccessor30.invoke(Unknown Source)
)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
    at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
    at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at $Proxy20.delegateTicketGrantingTicket(Unknown Source)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:125)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:115)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:44)
    at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
2012-09-19 17:23:37,063 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-32-ffeocQpdbYwtblIydlOm-cas]
2012-09-19 17:23:37,063 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-32-ffeocQpdbYwtblIydlOm-cas] found in registry.
2012-09-19 17:23:37,064 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-32-ffeocQpdbYwtblIydlOm-cas] has expired.
2012-09-19 17:23:37,064 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-32-ffeocQpdbYwtblIydlOm-cas] from registry
2012-09-19 17:23:37,064 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-32-ffeocQpdbYwtblIydlOm-cas]
2012-09-19 17:23:37,064 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-32-ffeocQpdbYwtblIydlOm-cas
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Wed Sep 19 17:23:37 EDT 2012
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

我正在尝试做的事情可能吗?如果是这样 - 你看到我的实现有什么问题吗?

4

0 回答 0