尝试设置一个具有基本 CAS 保护的简单 Grails 应用程序。
首先,我很难说出 cas-plugin 与 spring-security-core 和 spring-security-cas 之间的区别......我什么时候使用一个与另一个?
在我的测试中,我配置了以下内容:
在 BuildConfig.groovy 中:
plugins {
...
...
compile ":spring-security-core:1.2.7.3"
compile ":spring-security-cas:1.0.5"
}
在 Config.groovy ...我不知道我需要什么。不同的文档引用不同的值,但这是我到目前为止所得到的:
grails.plugins.springsecurity.providerNames = ['casAuthenticationProvider']
grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.securityConfigType = "InterceptUrlMap"
grails.plugins.springsecurity.interceptUrlMap = [
'/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/login/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/logout/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
'/**': ['IS_AUTHENTICATED_FULLY']
]
grails.plugins.springsecurity.cas.loginUri = '/login'
grails.plugins.springsecurity.cas.serviceUrl = 'http://cas2.mydomain.com:8085/' + appName + '/j_spring_cas_security_check'
grails.plugins.springsecurity.cas.serverUrlPrefix = 'https://cas2.mydomain.com:8443/cas'
grails.plugins.springsecurity.cas.proxyCallbackUrl = 'http://cas2.mydomain.com:8085/' + appName + '/secure/receptor'
grails.plugins.springsecurity.cas.proxyReceptorUrl = '/secure/receptor'
grails.plugins.springsecurity.logout.afterLogoutUrl = 'https://cas2.mydomain.com:8443/cas/logout?url=http://cas2.mydomain.com:8085/' + appName + '/'
现在,当我浏览到我的应用程序时,我被转发到 CAS 登录页面......输入凭据后,我得到一个浏览器错误页面:
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
和 cas.log 说:
INFO: Server startup in 21570 ms
2013-10-31 11:28:05,178 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Beginning ticket cleanup.>
2013-10-31 11:28:05,180 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 tickets found to be removed.>
2013-10-31 11:28:05,180 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
2013-10-31 11:28:10,088 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
2013-10-31 11:28:16,498 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated [username: myusername]>
2013-10-31 11:28:16,518 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal myusername>
2013-10-31 11:28:16,518 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler@4e1e6e1f authenticated myusername with credential [username: myusername].>
2013-10-31 11:28:16,523 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: myusername]
WHAT: supplied credentials: [username: myusername]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,527 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: myusername]
WHAT: TGT-1-76m7jUyKI7pguovcGWmJqKOsbpqp6wW2yj3dTCNOCtb65MKpTH-cas2
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,533 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-rvDgqEvGQDeljEeVf5rM-cas2] for service [http://cas2.mydomain.com:8085/rss_03/j_spring_cas_security_check] for user [myusername]>
2013-10-31 11:28:16,533 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: myusername
WHAT: ST-1-rvDgqEvGQDeljEeVf5rM-cas2 for http://cas2.mydomain.com:8085/rss_03/j_spring_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx150.30
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,703 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
2013-10-31 11:28:16,704 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]
WHAT: supplied credentials: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx0.79
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,705 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: myusername
WHAT: error.authentication.credentials.bad
ACTION: PROXY_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Oct 31 11:28:16 EDT 2013
CLIENT IP ADDRESS: xxx.xx0.79
SERVER IP ADDRESS: xxx.xx0.79
=============================================================
>
2013-10-31 11:28:16,706 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody6(CentralAuthenticationServiceImpl.java:325)
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody7$advice(CentralAuthenticationServiceImpl.java:57)
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:1)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at org.perf4j.aop.AbstractTimingAspect$1.proceed(AbstractTimingAspect.java:47)
at org.perf4j.aop.AgnosticTimingAspect.runProfiledMethod(AgnosticTimingAspect.java:53)
at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:45)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:90)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy49.delegateTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:138)
at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:128)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:57)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:947)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1009)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1810)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
这一点:
2013-10-31 11:28:16,703 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate [callbackUrl: http://cas2.mydomain.com:8085/rss_03/secure/receptor]>
似乎是问题所在...我的凭据很好,因此配置中似乎仍然缺少某些东西...任何想法...?
更新:
将应用程序置于 SSL 下,并到 Config.groovy 中,向 interceptUrlMap 添加:
'/secure/receptor': ['IS_AUTHENTICATED_ANONYMOUSLY'],
现在 cas.log 显示了与我之前得到的看起来相似的循环(在 cas 和应用程序之间来回),除了没有错误......最终它停止并且浏览器再次显示:
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.