【Question title】: CAS ticket validation always fails
【Posted】: 2016-03-25 04:40:34
【Question】:

I successfully installed CAS 4.1 and configured it to use Active Directory as the backend authentication. The problem now is that every time I try to validate a ticket, the CAS server complains that the ticket has expired. The steps I have been following to obtain and validate a ticket are:

  1. Call https://sso.domain.net/cas/login?service=https://myservice.domain.net
  2. I receive a ticket like ST-2-NLOngMHayTl3uCLKn91T-sso.domain.net
  3. Call the validation service https://sso.domain.net/serviceValidate?ticket=ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net&service=https://myservice.domain.net

I get the following response:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <script/>
  <cas:authenticationFailure code="INVALID_TICKET"> 
   Ticket 'ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

The ticket-granting log shows

2015-12-18 15:28:53,505 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted ticket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] for service [https://e.domain.net/] for user [castest]>
2015-12-18 15:28:53,506 INFO  [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Dec 18 15:28:53 mk-jas-cas-01 server[24501]:    =============================================================
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHO: castest
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHAT: ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net for https://e.domain.net/
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: ACTION: SERVICE_TICKET_CREATED
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: APPLICATION: CAS
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHEN: Fri Dec 18 15:28:53 AST 2015
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: CLIENT IP ADDRESS: 10.100.25.89
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: SERVER IP ADDRESS: 10.10.12.120
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: =============================================================

The validation log shows

2015-12-18 15:29:05,633 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] has expired.>
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: 2015-12-18 15:29:05,635 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: =============================================================
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHO: audit:unknown
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHAT: ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: ACTION: SERVICE_TICKET_VALIDATE_FAILED
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: APPLICATION: CAS
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHEN: Fri Dec 18 15:29:05 AST 2015
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: CLIENT IP ADDRESS: 10.100.25.89
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: SERVER IP ADDRESS: 10.10.12.120
Dec 18 15:29:05 mk-jas-cas-01 server[24501]:=============================================================

I used the same ticketExpirationPolicy.xml from a StackOverflow entry and got the same result. I also tried changing it to never expire, but got the same result. My current ticketExpirationPolicy.xml file:

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:p="http://www.springframework.org/schema/p"
   xmlns:c="http://www.springframework.org/schema/c" xmlns:util="http://www.springframework.org/schema/util"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
                       http://www.springframework.org/schema/beans/spring-beans.xsd
                       http://www.springframework.org/schema/util
                       http://www.springframework.org/schema/util/spring-util.xsd">

<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
    <!-- This argument is the number of times that a ticket can be used before it is considered expired. -->
    <constructor-arg
        index="0"
        value="1" />
    <!-- This argument is the time a ticket can exist before it is considered expired. -->
    <constructor-arg
        index="1"
        value="10000" />
</bean>
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.NeverExpiresExpirationPolicy" />
</beans>

A side question: where and how do I define a service to act as a proxy?!

【Discussion】:

    Tags: spring-security single-sign-on cas


    【Solution 1】:

    Well, I fixed it by increasing the second constructor argument from 10000 to 100000

    <!-- This argument is the time a ticket can exist before it is considered expired. -->
    <constructor-arg
        index="1"
        value="100000" />
    

    【Comments】:

    • Increasing this value worked for me too. However, I want to keep the expiration window as short as is acceptable, so I will probably try lowering the value. What surprises me is that I can see other applications accessing CAS with the default value of just 10,000. Assuming this represents 10 seconds, I now have 100 seconds before that service ticket fails due to expiration, which happens on my service but not on another one!!
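The two log excerpts in the question already contain the explanation for the INVALID_TICKET response: the service ticket was granted at 15:28:53,505 and validated at 15:29:05,633, so it was just over 12 seconds old when the client presented it, and the second constructor argument of MultiTimeUseOrTimeoutExpirationPolicy is a timeout in milliseconds. The script below is an added example, not code from the question, the answer or the CAS project: it parses those two timestamps, re-implements the two expiration rules the bean configures (a use count and a millisecond timeout; the class, ticket state and function names are hypothetical) and replays the validation under the original 10000 ms timeout and the answer's 100000 ms timeout. It also shows why raising the timeout does not weaken the single-use rule: a second validation of the same ticket inside the window is still rejected, which is the property that matters when deciding how short the window can be.

```python
import re
from datetime import datetime

# Constructed sample input: the grant and validation lines quoted in the question.
GRANT_LINE = ("2015-12-18 15:28:53,505 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] "
              "- <Granted ticket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] "
              "for service [https://e.domain.net/] for user [castest]>")
VALIDATE_LINE = ("2015-12-18 15:29:05,633 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] "
                 "- <ServiceTicket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] has expired.>")

# log4j-style "yyyy-MM-dd HH:mm:ss,SSS" prefix as written by CAS 4.x.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) ")


def parse_log_timestamp(line):
    """Return the log line's timestamp as a datetime with millisecond precision."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("line does not start with a CAS log timestamp: %r" % line[:40])
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts.replace(microsecond=int(m.group(2)) * 1000)


def elapsed_ms(grant_line, validate_line):
    """Milliseconds between the ticket being granted and the validation attempt."""
    d = parse_log_timestamp(validate_line) - parse_log_timestamp(grant_line)
    # integer arithmetic avoids float rounding on the millisecond value
    return d.days * 86_400_000 + d.seconds * 1000 + d.microseconds // 1000


class MultiUseOrTimeoutPolicy:
    """Hypothetical re-implementation (not CAS's own code) of the two rules the
    serviceTicketExpirationPolicy bean configures: the ticket is expired once it
    has been used number_of_uses times, OR once time_to_kill_ms milliseconds have
    passed since it was granted. Milliseconds is an assumption, the same one the
    commenter above makes."""

    def __init__(self, number_of_uses, time_to_kill_ms):
        self.number_of_uses = number_of_uses
        self.time_to_kill_ms = time_to_kill_ms

    def is_expired(self, uses_so_far, age_ms):
        return uses_so_far >= self.number_of_uses or age_ms >= self.time_to_kill_ms


class ServiceTicket:
    """Minimal ticket state: identifier, grant time (ms offset) and use counter."""

    def __init__(self, ticket_id, granted_at_ms=0):
        self.ticket_id = ticket_id
        self.granted_at_ms = granted_at_ms
        self.uses = 0


def validate(ticket, policy, now_ms):
    """Simulate one /serviceValidate call: returns 'OK' or the CAS failure code
    the client would see. The use counter is only bumped on success, so a ticket
    presented a second time fails with INVALID_TICKET even inside the window."""
    age = now_ms - ticket.granted_at_ms
    if policy.is_expired(ticket.uses, age):
        return "INVALID_TICKET"
    ticket.uses += 1
    return "OK"


def replay_from_logs(grant_line, validate_line, time_to_kill_ms, number_of_uses=1):
    """Replay the question's timeline under a given timeout; returns (age_ms, result)."""
    policy = MultiUseOrTimeoutPolicy(number_of_uses, time_to_kill_ms)
    ticket = ServiceTicket("ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net", granted_at_ms=0)
    age = elapsed_ms(grant_line, validate_line)
    return age, validate(ticket, policy, now_ms=age)


if __name__ == "__main__":
    for timeout in (10000, 100000):
        age, result = replay_from_logs(GRANT_LINE, VALIDATE_LINE, timeout)
        print("timeout=%6d ms  ticket age=%5d ms  -> %s" % (timeout, age, result))
```

Running it reports a ticket age of 12128 ms, rejected under 10000 ms and accepted under 100000 ms. The practical reading is that the client took about 12 seconds between receiving the ticket and calling serviceValidate (a slow redirect, a debugging pause, or clock skew between the CAS node and the client's view of time all produce this), and the fix is to close that gap or set the timeout just above it, rather than to make the window large; the single-use rule, not the timeout, is what stops a captured ticket being presented again.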