cas5.3.x配置返回多属性问题(java客户端无法获取服务器返回的自定义信息)

问题如题:

其中参照了

https://www.jianshu.com/p/54646ac96473
https://blog.csdn.net/yelllowcong/article/details/79238335

并根据教程做了如下配置:
1、修改service文件,HTTPSandIMAPS-10000001.json

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "description" : "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "evaluationOrder" : 10000,
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  }
}

2、自定义验证以及返回更多的个人信息

3、spring.factories文件配上自己自定义的流程,其他的去掉

org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.gxzytech.config.CustomAuthenticationConfiguration

4、查看后台服务器,确实返回了新加的信息
图片说明

最后问题是,java客户端还是只返回了用户名

图片说明

登录时控制台打印的日志如下,一开始attributes是有值的,后面不知怎么又变空了?难道是这个原因?

2019-09-04 14:46:52,558 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://localhost:8282/node2/,principal=SimplePrincipal(id=admin, attributes={mobil_no=12345678111, email=123456@126, username=admin}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Sep 04 14:46:52 CST 2019
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
2019-09-04 14:46:52,569 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-5-GCMpvMiMoVABKskshh9TqrsSNUUlkk-PC] for service [http://localhost:8282/node2/] and principal [admin]>
2019-09-04 14:46:52,569 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-5-GCMpvMiMoVABKskshh9TqrsSNUUlkk-PC for http://localhost:8282/node2/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Sep 04 14:46:52 CST 2019
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================

>
2019-09-04 14:46:52,684 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://localhost:8282/node2/,principal=SimplePrincipal(id=admin, attributes={}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Sep 04 14:46:52 CST 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

1个回答

解决了。。。配置问题!
主要是当时配置了HTTPSandIMAPS-10000001.json的返回策略Return All(所有配置返回的都返回) ,但是没有配置landingone-1000.json的返回策略, 所以后面意识到后加上了返回策略属性后,成功获取到对应的个人信息了图片说明

后记:当时我怀疑是不是cas服务器session没有存有返回的个人信息。。都已经查询cas服务端&客户端源码了。。

小结:还是得熟悉常见的文件,搭建的步骤。

Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
其他相关推荐
CAS5.3 客户端配置cas.client-host-url的参数不相同时,单点登出失效
1.host文件配置如下: 127.0.0.1 server.cas.com 127.0.0.1 chain.cas.com 127.0.0.1 public.cas.com 2.两个客户端分别chain-client与public-client,当分别配置如下代码时,单点登出失效,但当配置相同参数时是OK的,比如:都配置成mi.com,猜想是不是跨域引起的? chain-client:cas.client-host-url=http://chain.cas.com:9001 public-client:cas.client-host-url=http://public.cas.com:9002
CAS5.2.3 启动Oauth认证,客户端访问获取accessToken失败
``` 2018-04-04 18:14:30,265 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController] - <Executing an update/delete query> javax.persistence.TransactionRequiredException: Executing an update/delete query at org.hibernate.query.internal.AbstractProducedQuery.executeUpdate(AbstractProducedQuery.java:1496) ~[hibernate-core-5.2.13.Final.jar:5.2.13.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_144] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_144] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_144] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_144] at org.springframework.orm.jpa.SharedEntityManagerCreator$DeferredQueryInvocationHandler.invoke(SharedEntityManagerCreator.java:372) ~[spring-orm-4.3.14.RELEASE.jar:4.3.14.RELEASE] at com.sun.proxy.$Proxy210.executeUpdate(Unknown Source) ~[?:?] at org.apereo.cas.ticket.registry.JpaTicketRegistry.deleteSingleTicket(JpaTicketRegistry.java:149) ~[cas-server-support-jpa-ticket-registry-5.2.3.jar:5.2.3] at org.apereo.cas.ticket.registry.AbstractTicketRegistry.deleteTicket(AbstractTicketRegistry.java:126) ~[cas-server-core-tickets-5.2.3.jar:5.2.3] at org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController.handleRequest(OAuth20AccessTokenEndpointController.java:114) ~[cas-server-support-oauth-5.2.3.jar:5.2.3] ... 98 more 2018-04-04 18:14:30,701 ERROR [org.apereo.cas.ticket.DefaultTicketCatalog] - <Ticket definition for [null] cannot be found in the ticket catalog which only contains the following ticket types: [[TGT, ST, RT, AT, PT, OC, PGT]]> 2018-04-04 18:14:30,702 ERROR [org.apereo.cas.ticket.registry.JpaTicketRegistry] - <Error getting ticket [null] from registry.> java.lang.NullPointerException: null at org.apereo.cas.ticket.registry.JpaTicketRegistry.getRawTicket(JpaTicketRegistry.java:88) ~[cas-server-support-jpa-ticket-registry-5.2.3.jar:5.2.3] at org.apereo.cas.ticket.registry.JpaTicketRegistry.getTicket(JpaTicketRegistry.java:75) ~[cas-server-support-jpa-ticket-registry-5.2.3.jar:5.2.3] ... 2018-04-04 18:14:30,703 ERROR [org.apereo.cas.support.oauth.web.endpoints.OAuth20UserProfileControllerController] - <Expired/Missing access token: [null]> ```
CAS4.2单点登录如何配置多个系统登录一次和退出到登录页问题
1、我用CAS4.2搭建了cas服务端,客户端是3.4.1版本 2、现在服务端配置好了,也可以通过我配置的客户端系统访问和查询数据库登录 3、问题:我配置了两个cas系统castest1和castest2,两个系统serverName分别配置为hhaip-cas1.com和hhaip-cas2.com,现在我访问castest1且登录成功,然后同一浏览器访问castest2还是跳转到登录页面,预期应该直接跳转到我访问的页面才是 4、问题2:我想退出到登录页,但是我每次都退出到我设置的那个链接,且打开浏览器新标签访问我这个系统竟然不会跳转到登录页而是直接跳转到我的系统页面,即:我可能没有退出成功,下图是我的退出URL和客户端web.xml配置。 5、注意我的cas-server是4.2版本和老版本差别很大,请大家不要复制其他的代码回答问题。 <a href="http://192.168.189.1:8080/sso/logout?service=http://hhaip-cas2.com:8080/casclient2">退出</a> ![图片说明](https://img-ask.csdn.net/upload/201612/14/1481707479_714440.png) ![图片说明](https://img-ask.csdn.net/upload/201612/14/1481707508_601819.png) ![图片说明](https://img-ask.csdn.net/upload/201612/14/1481707532_729900.png) ![图片说明](https://img-ask.csdn.net/upload/201612/14/1481707548_711607.png)
cas server4.1.3集群退出的问题
一个Nginx+两个Tomcat组成的cas server集群,cas server主要配置如下: ticketRegistry.xml文件: ``` <bean id="ticketDataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" p:driverClass="com.mysql.jdbc.Driver" p:jdbcUrl="jdbc:mysql://localhost:7999/casticket?useUnicode=true&amp;characterEncoding=UTF-8&amp;zeroDateTimeBehavior=convertToNull" p:user="root" p:password="root" p:initialPoolSize="6" p:minPoolSize="6" p:maxPoolSize="20" p:maxIdleTimeExcessConnections="1000" p:checkoutTimeout="2000" p:acquireIncrement="16" p:acquireRetryAttempts="5" p:acquireRetryDelay="2000" p:idleConnectionTestPeriod="30" p:preferredTestQuery="select 1" /> <!-- Ticket Registry --> <!-- <bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.DefaultTicketRegistry"/> --> <bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.JpaTicketRegistry" /> <bean class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor"/> <util:list id="packagesToScan"> <value>org.jasig.cas.ticket</value> <value>org.jasig.cas.adaptors.jdbc</value> </util:list> <bean id="jpaVendorAdapter" class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter" p:generateDdl="true" p:showSql="true" /> <bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean" p:dataSource-ref="ticketDataSource" p:jpaVendorAdapter-ref="jpaVendorAdapter" p:packagesToScan-ref="packagesToScan"> <property name="persistenceUnitName" value="CasPU"/> <property name="jpaProperties"> <props> <prop key="hibernate.dialect">org.hibernate.dialect.MySQL5InnoDBDialect</prop> <prop key="hibernate.hbm2ddl.auto">update</prop> </props> </property> </bean> <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager" p:entityManagerFactory-ref="entityManagerFactory" /> <!-- 使用这个报错 --> <!-- <tx:annotation-driven transaction-manager="transactionManager" /> --> <tx:advice id="txRegistryAdvice" transaction-manager="transactionManager"> <tx:attributes> <tx:method name="deleteTicket" read-only="false" /> <tx:method name="addTicket" read-only="false" /> <tx:method name="updateTicket" read-only="false" /> <tx:method name="getTicket" read-only="true" /> <tx:method name="getTickets" read-only="true" /> <tx:method name="add*" read-only="false"/> <tx:method name="delete*" read-only="false"/> <tx:method name="save*" read-only="false"/> <tx:method name="update*" read-only="false"/> <tx:method name="get*" read-only="true"/> <tx:method name="grant*" read-only="false"/> <tx:method name="validate*" read-only="true"/> <tx:method name="sessionCount" read-only="true" /> <tx:method name="serviceTicketCount" read-only="true" /> </tx:attributes> </tx:advice> <tx:advice id="txRegistryLockingAdvice" transaction-manager="transactionManager"> <tx:attributes> <tx:method name="getOwner" read-only="true" /> <tx:method name="acquire" read-only="false" /> <tx:method name="release" read-only="false" /> </tx:attributes> </tx:advice> <aop:config> <aop:pointcut id="ticketRegistryOperations" expression="execution(* org.jasig.cas.ticket.registry.JpaTicketRegistry.*(..))"/> <aop:pointcut id="ticketRegistryLockingOperations" expression="execution(* org.jasig.cas.ticket.registry.support.JpaLockingStrategy.*(..))"/> <aop:pointcut id="centralAuthenticationServiceOperations" expression="execution(* org.jasig.cas.CentralAuthenticationService.*(..))"/> <aop:advisor advice-ref="txRegistryAdvice" pointcut-ref="ticketRegistryOperations"/> <aop:advisor advice-ref="txRegistryLockingAdvice" pointcut-ref="ticketRegistryLockingOperations"/> <aop:advisor advice-ref="txRegistryAdvice" pointcut-ref="centralAuthenticationServiceOperations"/> </aop:config> <!--Quartz --> <!-- TICKET REGISTRY CLEANER --> <bean id="cleanerLock" class="org.jasig.cas.ticket.registry.support.JpaLockingStrategy" p:uniqueId="${host.name}" p:applicationId="cas-ticket-registry-cleaner" /> <bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner" c:centralAuthenticationService-ref="centralAuthenticationService" c:ticketRegistry-ref="ticketRegistry" p:lock-ref="cleanerLock"/> <bean id="jobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean" p:targetObject-ref="ticketRegistryCleaner" p:targetMethod="clean"/> <bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerFactoryBean" p:jobDetail-ref="jobDetailTicketRegistryCleaner" p:startDelay="20000" p:repeatInterval="5000000"/> ``` Nginx.conf配置文件: ``` upstream cas { server 10.0.0.8:8082 weight=1; server 10.0.0.8:8083 weight=1; } server { listen 8080; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { #proxy_redirect off; proxy_set_header Host $host; proxy_set_header Referer $http_referer; proxy_set_header Cookie $http_cookie; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://cas; } ``` 两个tomcat使用memcached-session-manager实现session共享: ``` <Manager className="de.javakaffee.web.msm.MemcachedBackupSessionManager" memcachedNodes="n1:localhost:11211" sticky="false" sessionBackupAsync="false" lockingMode="auto" requestUriIgnorePattern=".*\.(ico|png|gif|jpg|css|js)$" transcoderFactoryClass="de.javakaffee.web.msm.serializer.kryo.KryoTranscoderFactory" /> ``` 客户端SpringMVC项目web.xml文件: ``` <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>http://h4:8080/cas</param-value> </init-param> </filter> <!-- 该过滤器负责用户的认证工作,必须启用它 --> <filter> <filter-name>CASFilter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <!-- 下面的URL是Cas服务器的登录地址 --> <param-value>http://h4:8080/cas/login</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://localhost:8888</param-value> </init-param> </filter> <!-- 该过滤器负责对Ticket的校验工作,必须启用它 --> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <!-- 下面的URL是Cas服务器的认证地址 --> <param-value>http://h4:8080/cas</param-value><!-- /login --> </init-param> <init-param> <param-name>serverName</param-name> <param-value>http://localhost:8888</param-value> </init-param> <init-param> <param-name>redirectAfterValidation</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>useSession</param-name> <param-value>true</param-value> </init-param> <!--<init-param>--> <!--<param-name>renew</param-name>--> <!--<param-value>false</param-value>--> <!--</init-param>--> <!--<init-param>--> <!--<param-name>gateway</param-name>--> <!--<param-value>false</param-value>--> <!--</init-param>--> </filter> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <!-- 该过滤器使得开发者可以通过org.jasig.cas.client.util.AssertionHolder来获取用户的登录名。 比如AssertionHolder.getAssertion().getPrincipal().getName()。 --> <filter> <filter-name>CAS Assertion Thread Local Filter</filter-name> <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> </filter> <filter> <filter-name>CasForInvokeContextFilter</filter-name> <filter-class>javacommon.filter.LoginFilter</filter-class> </filter> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> ``` 客户端项目退出时报错: 2016-10-18 10:58:35,558 ERROR [org.springframework.transaction.interceptor.TransactionInterceptor] - Application exception overridden by commit exception INVALID_TICKET at org.jasig.cas.CentralAuthenticationServiceImpl.getTicket(CentralAuthenticationServiceImpl.java:520) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
spring security cas单点登录拒绝访问
[b]cas服务端和cas客户端都已经配合,访问cas服务端可以登录,访问客户端应用资源的时候出现拒绝访问问题,但是[color=red]能成功跳转到cas服务端的login页面,输入账号密码后控制台打印显示出服务端登录成功,但是关于客户端的打印出现拒绝访问异常,而且httpSession不为null但是里面没值[/color][/b]。 初次使用spring security和cas望多多指教. 异常信息: [color=red][b]首次登录直接出现拒绝访问,但是却能跳转到cas 登录页面,[/b][/color] [quote] 信息: Server startup in 21955 ms 2012-6-6 11:51:31 org.apache.catalina.core.ApplicationContext log 信息: HTMLManager: init: Associated with Deployer 'Catalina:type=Deployer,host=localhost' 2012-6-6 11:51:31 org.apache.catalina.core.ApplicationContext log 信息: HTMLManager: init: Global resources are available 2012-6-6 11:51:31 org.apache.catalina.core.ApplicationContext log 信息: HTMLManager: list: Listing contexts for virtual host 'localhost' 2012-06-06 11:51:32,593 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Beginning ticket cleanup.> 2012-06-06 11:51:32,593 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 tickets found to be removed.> 2012-06-06 11:51:32,593 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.> 11:51:33,906 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 11:51:33,921 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:127 - No HttpSession currently exists 11:51:33,921 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created. 11:51:33,921 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter' 11:51:33,921 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 3 of 12 in additional filter chain; firing Filter: 'CasAuthenticationFilter' 11:51:33,937 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:311 - serviceTicketRequest = false 11:51:33,937 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:362 - proxyReceptorConfigured = false 11:51:33,937 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:349 - proxyReceptorRequest = false 11:51:33,937 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:327 - proxyTicketRequest = false 11:51:33,937 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:262 - requiresAuthentication = false 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 4 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 5 of 12 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter' 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 11:51:33,937 DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' 11:51:33,937 DEBUG org.springframework.security.web.session.SessionManagementFilter:91 - Requested session IDFED78FFF2BDBC0647461CBFA29AB9B23 is invalid. 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 11:51:33,937 DEBUG org.springframework.security.web.FilterChainProxy:318 - /index.jsp at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 11:51:33,937 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [ROLE_USER] 11:51:33,937 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 11:51:33,937 DEBUG org.springframework.security.access.vote.AffirmativeBased:65 - Voter: org.springframework.security.access.vote.RoleVoter@13e02ed, returned: -1 11:51:33,953 DEBUG org.springframework.security.access.vote.AffirmativeBased:65 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@322394, returned: 0 11:51:33,968 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877) at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675) at java.lang.Thread.run(Thread.java:662) 11:51:33,984 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache:41 - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/Cas_Client/] 11:51:33,984 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter:185 - Calling Authentication entry point. 11:51:33,984 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 11:51:34,015 DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed 2012-06-06 11:51:34,921 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /casServer/> [/quote] [color=red][b]跳转到登录页面后输入账号密码出现cas服务端的信息正常,但是关于cas客户端的和上面的异常一样:[/b][/color] 打印信息: [quote] 2012-06-06 12:03:21,625 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.> 2012-06-06 12:03:21,625 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 0 services.> start[1338955402531] time[603] tag[QueryDatabaseAuthenticationHandler] 2012-06-06 12:03:23,125 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: wucht]> 2012-06-06 12:03:23,234 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal wucht> 2012-06-06 12:03:23,234 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Principal found: wucht> 2012-06-06 12:03:23,250 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: [username: wucht] WHAT: supplied credentials: [username: wucht] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Wed Jun 06 12:03:23 CST 2012 CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 ============================================================= > 2012-06-06 12:03:23,250 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: [username: wucht] WHAT: TGT-1-0WNh4MDLT57myMG77eF54B9ix5oQP0OItPnVBGDZBYac9Bj42E-casServer ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Wed Jun 06 12:03:23 CST 2012 CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 ============================================================= > 2012-06-06 12:03:23,265 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-eOK4CG7zd7cApkahlva9-casServer] for service [http://localhost:8080/Cas_Client/j_acegi_cas_security_check] for user [wucht]> 2012-06-06 12:03:23,265 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: wucht WHAT: ST-1-eOK4CG7zd7cApkahlva9-casServer for http://localhost:8080/Cas_Client/j_acegi_cas_security_check ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Wed Jun 06 12:03:23 CST 2012 CLIENT IP ADDRESS: 127.0.0.1 SERVER IP ADDRESS: 127.0.0.1 ============================================================= > 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 12:03:23,296 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:139 - HttpSession returned null object for SPRING_SECURITY_CONTEXT 12:03:23,296 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@1ef3d12. A new one will be created. 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 2 of 12 in additional filter chain; firing Filter: 'LogoutFilter' 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 3 of 12 in additional filter chain; firing Filter: 'CasAuthenticationFilter' 12:03:23,296 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:311 - serviceTicketRequest = false 12:03:23,296 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:362 - proxyReceptorConfigured = false 12:03:23,296 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:349 - proxyReceptorRequest = false 12:03:23,296 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:327 - proxyTicketRequest = false 12:03:23,296 DEBUG org.springframework.security.cas.web.CasAuthenticationFilter:262 - requiresAuthentication = false 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 4 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 5 of 12 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter' 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 6 of 12 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 12:03:23,296 DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest:309 - pathInfo: both null (property equals) 12:03:23,296 DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest:317 - queryString: arg1=null; arg2=ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer (property not equals) 12:03:23,296 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache:75 - saved request doesn't match 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 12:03:23,296 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 12:03:23,296 DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa86552: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 659060E504E41E2F28CF873803A07F81; Granted Authorities: ROLE_ANONYMOUS' 12:03:23,312 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' 12:03:23,312 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 12:03:23,312 DEBUG org.springframework.security.web.FilterChainProxy:318 - /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 12:03:23,312 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer; Attributes: [ROLE_USER] 12:03:23,312 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6fa86552: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 659060E504E41E2F28CF873803A07F81; Granted Authorities: ROLE_ANONYMOUS 12:03:23,312 DEBUG org.springframework.security.access.vote.AffirmativeBased:65 - Voter: org.springframework.security.access.vote.RoleVoter@13e02ed, returned: -1 12:03:23,312 DEBUG org.springframework.security.access.vote.AffirmativeBased:65 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@322394, returned: 0 12:03:23,312 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter:165 - Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:91) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:877) at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:594) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1675) at java.lang.Thread.run(Thread.java:662) 12:03:23,312 DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache:41 - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/Cas_Client/j_acegi_cas_security_check?ticket=ST-1-eOK4CG7zd7cApkahlva9-casServer] 12:03:23,312 DEBUG org.springframework.security.web.access.ExceptionTranslationFilter:185 - Calling Authentication entry point. 12:03:23,312 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 12:03:23,343 DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed [/quote] [b]cas服务端配置:[/b] cas.properties [quote] #server.prefix=http://localhost:8080/cas #server.prefix=http://cas.wucht.com:8080/casServer server.prefix=http://localhost:8080/casServer cas.securityContext.serviceProperties.service=${server.prefix}/j_acegi_cas_security_check # Names of roles allowed to access the CAS service manager cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix} cas.themeResolver.defaultThemeName=cas-theme-default #cas.themeResolver.defaultThemeName=default cas.viewResolver.basename=default_views #host.name=cas host.name=casServer #database.hibernate.dialect=org.hibernate.dialect.OracleDialect database.hibernate.dialect=org.hibernate.dialect.MySQLDialect #database.hibernate.dialect=org.hibernate.dialect.HSQLDialect [/quote] deployerConfigContext.xml [quote] <?xml version="1.0" encoding="UTF-8"?> <!-- | deployerConfigContext.xml centralizes into one file some of the declarative configuration that | all CAS deployers will need to modify. | | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. | The beans declared in this file are instantiated at context initialization time by the Spring | ContextLoaderListener declared in web.xml. It finds this file because this | file is among those declared in the context parameter "contextConfigLocation". | | By far the most common change you will need to make in this file is to change the last bean | declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with | one implementing your approach for authenticating usernames and passwords. +--> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:sec="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <!-- | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id, | "authenticationManager". Most deployers will be able to use the default AuthenticationManager | implementation and so do not need to change the class of this bean. We include the whole | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will | need to change in context. +--> <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl"> <!-- | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate. | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which | supports the presented credentials. | | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal | attempting to authenticate to CAS /login . In the default configuration, it is the DefaultCredentialsToPrincipalResolver | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need to replace | DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials you are | using. | | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket. | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose. | You will need to change this list if you are identifying services by something more or other than their callback URL. +--> <property name="credentialsToPrincipalResolvers"> <list> <!-- | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login | by default and produces SimplePrincipal instances conveying the username from the credentials. | | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that supports the | Credentials you are using. +--> <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"> <!--增加此属性,为认证过的用户的Principal添加属性--> <property name="attributeRepository" ref="attributeRepository"></property> </bean> <!-- | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a | SimpleService identified by that callback URL. | | If you are representing services by something more or other than an HTTPS URL whereat they are able to | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). +--> <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> </list> </property> <!-- | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate, | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn | until it finds one that both supports the Credentials presented and succeeds in authenticating. +--> <property name="authenticationHandlers"> <list> <!-- | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating | a server side SSL certificate. +--> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" p:httpClient-ref="httpClient" /> <!-- | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your | local authentication strategy. You might accomplish this by coding a new such handler and declaring | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. +--> <!-- <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" /> --> <!-- 数据库认证.wucht--> <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler"> <property name="dataSource" ref="dataSource" /> <property name="sql" value="select password from users where name=?" /> </bean> </list> </property> </bean> <!-- DATABASE 增加数据源配置 --> <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property> <property name="url"><value>jdbc:mysql://localhost:3306/mysql?useUnicode=true&amp;characterEncoding=utf-8</value></property> <property name="username"><value>root</value></property> <property name="password"><value>root</value></property> </bean> <!-- This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version. More robust deployments will want to use another option, such as the Jdbc version. The name of this should remain "userDetailsService" in order for Spring Security to find it. --> <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />--> <sec:user-service id="userDetailsService"> <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" /> </sec:user-service> <!-- Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation may go against a database or LDAP server. The id should remain "attributeRepository" though. --> <!-- <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"> <property name="backingMap"> <map> <entry key="uid" value="uid" /> <entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> <entry key="groupMembership" value="groupMembership" /> </map> </property> </bean> --> <!-- 使用SingleRowJdbcPersonAttributeDao 获取更多用户的信息 --> <bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao"> <constructor-arg index="0" ref="dataSource"/> <constructor-arg index="1" value="select role_name from role where login_name = ?"/> <!--这里的key需写username,value对应数据库用户名字段 --> <property name="queryAttributeMapping"> <map> <entry key="username" value="login_name"/> </map> </property> <!--key对应数据库字段,value对应客户端获取参数 --> <!-- 返回数据认证后的数据 --> <property name="resultAttributeMapping"> <map> <!--这个从数据库中获取的角色,用于在应用中security的权限验证--> <entry key="role_name" value="authorities"/> </map> </property> </bean> <!-- Sample, in-memory data store for the ServiceRegistry. A real implementation would probably want to replace this with the JPA-backed ServiceRegistry DAO The name of this bean should remain "serviceRegistryDao". --> <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"> <!-- <property name="registeredServices"> <list> <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="0" /> <property name="name" value="HTTP" /> <property name="description" value="Only Allows HTTP Urls" /> <property name="serviceId" value="http://**" /> <property name="evaluationOrder" value="10000001" /> </bean> <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="1" /> <property name="name" value="HTTPS" /> <property name="description" value="Only Allows HTTPS Urls" /> <property name="serviceId" value="https://**" /> <property name="evaluationOrder" value="10000002" /> </bean> <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="2" /> <property name="name" value="IMAPS" /> <property name="description" value="Only Allows HTTPS Urls" /> <property name="serviceId" value="imaps://**" /> <property name="evaluationOrder" value="10000003" /> </bean> <bean class="org.jasig.cas.services.RegisteredServiceImpl"> <property name="id" value="3" /> <property name="name" value="IMAP" /> <property name="description" value="Only Allows IMAP Urls" /> <property name="serviceId" value="imap://**" /> <property name="evaluationOrder" value="10000004" /> </bean> </list> </property> --> </bean> <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" /> </beans> [/quote] [b]spring的配置代码如下:[/b][code="ruby"] <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:beans="http://www.springframework.org/schema/beans" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd" default-lazy-init="true"> <!-- entry-point-ref="casEntryPoint"作用是认证的入口,是一个实现AuthenticationEntryPoint接口的类 ,为ExceptionTranslationFilter类提供认证依据, <custom-filter position="FORM_LOGIN_FILTER" ref="casFilter"/> 使用自定义的Filter,放置在过滤器链的FORM_LOGIN_FILTER的位置 casEntryPoint只是提供认证入口的作用,当没有权限,将跳转到该地址。 casFilter是处理CAS service ticket的,当无权访问时,会使用casEntryPoint提供认证入口 --> <http auto-config="true" entry-point-ref="casEntryPoint" access-denied-page="/403.jsp"> <intercept-url pattern="/**" access="ROLE_USER" /> <!-- ROLE_ADMIN--> <!-- logout-success-url="/login.html" --> <!-- 注销时需要先注销应用程序,再注销cas中心认证服务 --> <logout logout-url="/logout.html" success-handler-ref="casLogoutSuccessHandler" /> <custom-filter position="CAS_FILTER" ref="casFilter" /> </http> <authentication-manager alias="authenticationManager"> <authentication-provider ref="casAuthenticationProvider" /> </authentication-manager> <!-- cas中心认证服务入口 --> <beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> <beans:property name="loginUrl" value="http://localhost:8080/casServer/login" /> <beans:property name="serviceProperties" ref="serviceProperties" /> </beans:bean> <!-- cas中心认证服务配置 --> <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"> <beans:property name="service" value="http://localhost:8080/Cas_Client/j_acegi_cas_security_check" /> <beans:property name="sendRenew" value="false" /> </beans:bean> <!-- CAS service ticket(中心认证服务凭据)验证 --> <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> <beans:property name="authenticationManager" ref="authenticationManager" /> <!-- <beans:property name="authenticationFailureHandler">--> <!-- <beans:bean--> <!-- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">--> <!-- <beans:property name="defaultFailureUrl"--> <!-- value="/logout.html" />--> <!-- </beans:bean>--> <!-- </beans:property>--> <!-- 登录成功后的页面,如果是固定的。否则 ref="authenticationSuccessHandler" --> <!-- <beans:property name="authenticationSuccessHandler">--> <!-- <beans:bean--> <!-- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">--> <!-- <beans:property name="defaultTargetUrl"--> <!-- value="/index.jsp" />--> <!-- </beans:bean>--> <!-- </beans:property>--> </beans:bean> <!-- 从Cas Server得到用户信息 --> <beans:bean id="authenticationUserDetailsService" class="org.springframework.security.cas.userdetails.GrantedAuthorityFromAssertionAttributesUserDetailsService"> <beans:constructor-arg> <beans:array> <beans:value>authorities</beans:value> </beans:array> </beans:constructor-arg> </beans:bean> <beans:bean id="userDetailsService" class="com.reportstart.security.service.impl.BocUserDetaislServiceImpl"> <!-- <beans:property name="userDao">--> <!-- <beans:ref bean="userDao" />--> <!-- </beans:property>--> </beans:bean> <!-- <beans:bean id="authenticationUserDetailsService"--> <!-- class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">--> <!-- <beans:property name="userDetailsService">--> <!-- <beans:ref local="userDetailsService" />--> <!-- </beans:property>--> <!-- </beans:bean>--> <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> <!-- 使用自定义service获取用户信息 --> <!-- <beans:property name="authenticationUserDetailsService"--> <!-- ref="casAuthenticationUserDetailsService" />--> <!-- 通过Cas Server获取用户信息 --> <beans:property name="authenticationUserDetailsService" ref="authenticationUserDetailsService" /> <beans:property name="serviceProperties" ref="serviceProperties" /> <beans:property name="ticketValidator"> <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <beans:constructor-arg index="0" value="http://localhost:8080/casServer" /> </beans:bean> </beans:property> <!-- 自定义cas客户端应用标示.wucht.2012-6-4(每个cas客户端都需要一个key标示用于区分不同cas客户端) --> <beans:property name="key" value="Cas_Client" /> </beans:bean> <!-- 注销 --> <beans:bean id="casLogoutSuccessHandler" class="com.wucht.test.CasLogoutSuccessHandler"> </beans:bean> </beans:beans>[/code]
CAS单点登录如何集成非Java工程的客户端?
需求:公司有若干老系统,想弄个平台,个人在平台上登录后,就可以互访在他的平台上所有的公司系统(那若干老系统中他有权限的系统) 让我实现,我的想法是运用SSO单点登录的CAS, 实现思路:开发一个工程(就叫“平台”),登录"平台"后,进入页面,页面展示若干老系统图标,每一个图标就对应一个公司系统;另外解压开下载的”cas-server-3.5.2-release"包,改造为我的CAS服务器,如下图: ![图片说明](https://img-ask.csdn.net/upload/201606/17/1466131852_665257.jpg) “平台”和上面老系统 就都是CAS客户端,在CAS客户端配上拦截器,修改登录方式,权限认证之类的,然后就实现了单点登录 现在问题:公司老系统很多,(非重点:而且希望尽量少在老系统中修改代码,希望有套标准来修改各个老系统)老系统很多不是Java工程,如何去实现? 不是Java工程意味着拦截器都不能用了啊,而且能通过rest服务,去判断是否需要认证,是否认证通过吗?请教详细解说
使用yale cas做sso的问题
这段时间在试用下cas做下身份人证发现了个奇怪的问题,在此提出来下,希望知道的同学给解答一下,感激不尽! 证书我已经生成了,证书的cn是localhost,并且tomcat的ssl已经配置好了,证书也导入到jdk了,我访问客户端,如(http://localhost:8080/myapp/test),第一次由于还没有通过cas的身份认证,所以会重定向到(https://localhost:8443/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fmyapp%2Ftest)进行身份认证,我输入正确的用户和密码之后,认证成功,返回的地址是(http://localhost:8080/myapp/test?ticket=ST-1-ydkGooyveb6vnb3TLYnm),到此,貌似是正确的.奇怪的是,当我把http://localhost:8080/myapp/test?ticket=ST-1-ydkGooyveb6vnb3TLYnm这个地址拷贝下来,再打开一个浏览器访问http://localhost:8080/myapp/test?ticket=ST-1-ydkGooyveb6vnb3TLYnm的时候,就报错: [myapp] 21:32:38.937 [http-8080-1] ERROR edu.yale.its.tp.cas.client.CASReceipt - validation of [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-1-ydkGooyveb6vnb3TLYnm] service=[http%3A%2F%2Flocalhost%3A8080%2Fmyapp%2Ftest] errorCode=[INVALID_TICKET] errorMessage=[???????? 'ST-1-ydkGooyveb6vnb3TLYnm'??] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code='INVALID_TICKET'> ???????? 'ST-1-ydkGooyveb6vnb3TLYnm'?? </cas:authenticationFailure> </cas:serviceResponse> ]]]] was not successful. [myapp] 21:32:38.937 [http-8080-1] ERROR edu.yale.its.tp.cas.client.filter.CASFilter - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-1-ydkGooyveb6vnb3TLYnm] service=[http%3A%2F%2Flocalhost%3A8080%2Fmyapp%2Ftest] errorCode=[INVALID_TICKET] errorMessage=[???????? 'ST-1-ydkGooyveb6vnb3TLYnm'??] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code='INVALID_TICKET'> ???????? 'ST-1-ydkGooyveb6vnb3TLYnm'?? </cas:authenticationFailure> </cas:serviceResponse> ]]]] 2009-7-5 21:32:38 org.apache.catalina.core.StandardWrapperValve invoke 严重: Servlet.service() for servlet default threw exception edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/proxyValidate] ticket=[ST-1-ydkGooyveb6vnb3TLYnm] service=[http%3A%2F%2Flocalhost%3A8080%2Fmyapp%2Ftest] errorCode=[INVALID_TICKET] errorMessage=[???????? 'ST-1-ydkGooyveb6vnb3TLYnm'??] renew=false entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationFailure code='INVALID_TICKET'> ???????? 'ST-1-ydkGooyveb6vnb3TLYnm'?? </cas:authenticationFailure> </cas:serviceResponse> ]]]] at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:62) at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455) at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:261) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:581) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:619) 我实在是找不出原因来了,请各位同学帮忙了!
CAS 跨域的问题
[color=red]麻烦各位了,有以下问题:[/color] CAS 是通过 TGT(Ticket Granting Ticket) 来获取 ST(Service Ticket) ,通过 ST 来访问服务。网上说配置好后。 CAS是基于agent的。一次完整的sso过程为 1.用户第一次打开系统A的页面 2.系统A发现当前用户没有登录 3.系统将登录过程委托给本地的agent,比如CAS的java client或者web client 4.本地agent将页面转向给sso系统,并且生成一个随机的token 5.用户在sso系统上输入账号密码,登录成功 6.sso系统调用系统A上agent的一个url,将账号信息加密发送回A 7.该agent通过生成的token解密账号信息,传送到系统A内部。 8.系统A接收到该账号随后进行授权操作。 如果用户打开系统B页面,而该系统也运行同一个SSO的agent,那么过程同上面类似,只是跳过第5步。这时用户浏览器都是处于SSO系统所在域,所以可以直接将以前用户的账号信息发回。 ------------------------------ [color=red]不是很明白,用户先访问A后,再本地访问访问B的时候,系统B收到什么信息可以确认改用户访问过A!系统A与系统B的域名不一样,不会是cookie,那是什么?在网上看了看,下面一段[/color] 上图是一个最基础的 CAS 协议, CAS Client 以 Filter 方式保护 Web 应用的受保护资源,过滤从客户端过来的每一个 Web 请求,同时, CAS Client 会分析 HTTP 请求中是否包请求 Service Ticket( 上图中的 Ticket) ,如果没有,则说明该用户是没有经过认证的,于是, CAS Client 会重定向用户请求到 CAS Server ( Step 2 )。 Step 3 是用户认证过程,如果用户提供了正确的 Credentials , CAS Server 会产生一个随机的 Service Ticket ,然后,缓存该 Ticket ,并且重定向用户到 CAS Client (附带刚才产生的 Service Ticket ), Service Ticket 是不可以伪造的,最后, Step 5 和 Step6 是 CAS Client 和 CAS Server 之间完成了一个对用户的身份核实,用 Ticket 查到 Username ,因为 Ticket 是 CAS Server 产生的,因此,所以 CAS Server 的判断是毋庸置疑的。 ----------------- [color=red]CAS Client 会分析 HTTP 请求中是否包请求 Service Ticket,这个st 是怎么放到http请求中去的?网上那些例子好像直接输入一个url,不带参数的,也有单点登录效果。[/color] [b]问题补充:[/b] 7.原理剖析 Yale CAS使用了Ticket Granting Cookie (简称TGC)去作为获取Service Ticket(简称ST)的凭据,这个TGC 是保存在客户端的cookie,即当第2次被其他CAS Client重定向的时候,CAS Server实际上已经从用户的Cookie中抓取到TGC,然后知道TGC对应的用户,因此避免了再次登录,如果CAS Server抓取不到TGC,则用户需要登陆。 众所周知,cookie是不能跨域的。但是CAS能够做abc.com和xyz.com的sso,因为CAS Server缓存了所有的ticket,所以Client无需共享cookies。 ------------------ 是不是这个CAS server 也可以通过http访问的 应用场景是不是这样 :一个应用 是 domain1.com一个应用是domain2.com cas server 的 域名 是 domain.com ,所有对 domain1和domain2 的请求都会转发到domain.com,没有登录的话,在domain.com登陆,设置的cookie TGC的域是doamin.com,以后所有对domain1和domain2的请求都会转发到domain.com,也就是CAS server ,这个时候便可以获得这个cookie TGC进行验证。 是不是这样? [b]问题补充:[/b] 呵呵 谢谢 我先前不清楚的地方就是 我觉得先登录A后,再进入B时候,必须携带一个标志,才能证明这个用户先前已经登陆了,而A 与B的域不同,进入B的时候不能拿到cookie的,原来都会转发到一个统一的域拿到这个cookie,也就是标志,而这个cookie也是通过cas server进行设置的,cas server是可以通过http访问的,所以可以在浏览器下设置这个cookie。当然也可以在登录完后在A ,B各自的域设置cookie。 那这种模式,我也可以自己实现 ,不用cas了?? 好像配置cas的时候有什么key的 是用来干什么的,加密信息吗?加密什么信息?谢谢 我没有配置过,之前在做一个单点登录的时候碰到问题就百度到了 cas 呵呵
cas + shiro 的问题 求大神解救~!!
我的项目地址为localhost:8090/admin cas-server地址为 localhost:8080/cas 登入后localhost:8090/admin后网页出现 localhost 将您重定向的次数过多的提示。 然后浏览器地址栏上面显示 http://localhost:8090/admin/shiro-cas/?ticket=ST-138-v4C4tODiTvNFVmXwNCKz-cas01.example.org 然后我看后台 提示 WHO: kkk WHAT: ST-136-WIcLSycjM9JasRLpionF-cas01.example.org for http://localhost:8090/admin/shiro-cas/ ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Wed Feb 27 21:32:34 CST 2019 CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1 SERVER IP ADDRESS: 0:0:0:0:0:0:0:1 ============================================================= > 2019-02-27 21:32:34,357 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-137-1neSWAn4taN2zY4Efgzd-cas01.example.org] for service [http://localhost:8090/admin/shiro-cas/] for user [kkk]> 2019-02-27 21:32:34,357 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: kkk WHAT: ST-137-1neSWAn4taN2zY4Efgzd-cas01.example.org for http://localhost:8090/admin/shiro-cas/ ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Wed Feb 27 21:32:34 CST 2019 CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1 SERVER IP ADDRESS: 0:0:0:0:0:0:0:1 ============================================================= > 2019-02-27 21:32:34,362 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-138-v4C4tODiTvNFVmXwNCKz-cas01.example.org] for service [http://localhost:8090/admin/shiro-cas/] for user [kkk]> 2019-02-27 21:32:34,362 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: kkk WHAT: ST-138-v4C4tODiTvNFVmXwNCKz-cas01.example.org for http://localhost:8090/admin/shiro-cas/ ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Wed Feb 27 21:32:34 CST 2019 CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1 SERVER IP ADDRESS: 0:0:0:0:0:0:0:1 ============================================================= > 貌似一直在创建票根,好像没有验证,这个怎么解决啊 求大神~!! 以下是我的shiro配置 <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd" default-lazy-init="true"> <description>Shiro安全配置</description> <!-- Shiro Filter --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager"/> <property name="loginUrl" value="http://localhost:8080/cas/login?service=http://localhost:8090/admin/shiro-cas/"/> <property name="successUrl" value="/" /> <property name="filters"> <map> <!-- 添加casFilter到shiroFilter --> <entry key="casFilter" value-ref="casFilter" /> <entry key="logout" value-ref="logout" /> </map> </property> <property name="filterChainDefinitions"> <value> <!-- 默认可以访问的 或者登陆可以访问的资源 --> /shiro-cas=casFilter /static/**= anon /manage=anon /getCode=anon /home=anon /error/**=anon /rest/**=anon /ssoReport/**=anon /logincheck=anon /logout = logout <!-- 日志文件查看 --> /logs/**=user <!-- 过滤条件 --> /**=authc </value> </property> </bean> <bean id="casFilter" class="org.apache.shiro.cas.CasFilter"> <!-- 配置验证错误时的失败页面 ,这里配置为登录页面 --> <property name="failureUrl" value="http://localhost:8080/cas/login?service=http://localhost:8090/admin/index/" /> </bean> <!-- 退出登录过滤器 --> <bean id="logout" class="org.apache.shiro.web.filter.authc.LogoutFilter"> <property name="redirectUrl" value="http://localhost:8080/cas/logout?service=http://localhost:8090/admin/index/" /> </bean> <bean id="casRealm" class="com.admin.shiro.ShiroDbRealm"> <!-- <property name="defaultRoles" value="ROLE_USER" /> --> <!-- 配置cas服务器地址 --> <property name="casServerUrlPrefix" value="http://localhost:8080/cas/" /> <!-- 客户端的回调地址设置,必须和上面的shiro-cas过滤器casFilter拦截的地址一致 --> <property name="casService" value="http://localhost:8090/admin/shiro-cas/" /> <!-- <property name="credentialsMatcher"> <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <property name="hashAlgorithmName" value="md5"/> <property name="hashIterations" value="1"/> <property name="storedCredentialsHexEncoded" value="true"/> </bean> </property> --> </bean> <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager"> <property name="cacheManagerConfigFile" value="classpath:security/ehcache-shiro.xml" /> </bean> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="casRealm" /> <property name="subjectFactory" ref="casSubjectFactory" /> <property name="cacheManager" ref="cacheManager" /> <property name="sessionManager" ref="shiroSessionManager" /> </bean> <!-- 如果要实现cas的remember me的功能,需要用到下面这个bean,并设置到securityManager的subjectFactory中 --> <bean id="casSubjectFactory" class="org.apache.shiro.cas.CasSubjectFactory" /> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> <property name="staticMethod" value="org.apache.shiro.SecurityUtils.setSecurityManager" /> <property name="arguments" ref="securityManager" /> </bean> <bean id="sessionDAO" class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO"> </bean> <bean id="shiroSessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager"> <property name="sessionDAO" ref="sessionDAO" /> <property name="sessionValidationInterval" value="10800000" /> <!-- 相隔多久检查一次session的有效性 --> <property name="globalSessionTimeout" value="10800000" /> <!-- session 有效时间为三个小时 (毫秒单位) --> <property name="sessionIdCookie.name" value="jsid" /> </bean> </beans>
在中国程序员是青春饭吗?
今年,我也32了 ,为了不给大家误导,咨询了猎头、圈内好友,以及年过35岁的几位老程序员……舍了老脸去揭人家伤疤……希望能给大家以帮助,记得帮我点赞哦。 目录: 你以为的人生 一次又一次的伤害 猎头界的真相 如何应对互联网行业的「中年危机」 一、你以为的人生 刚入行时,拿着傲人的工资,想着好好干,以为我们的人生是这样的: 等真到了那一天,你会发现,你的人生很可能是这样的: ...
《MySQL 性能优化》之理解 MySQL 体系结构
本文介绍 MySQL 的体系结构,包括物理结构、逻辑结构以及插件式存储引擎。
程序员请照顾好自己,周末病魔差点一套带走我。
程序员在一个周末的时间,得了重病,差点当场去世,还好及时挽救回来了。
复习一周,京东+百度一面,不小心都拿了Offer
京东和百度一面都问了啥,面试官百般刁难,可惜我全会。
Java 14 都快来了,为什么还有这么多人固守Java 8?
从Java 9开始,Java版本的发布就让人眼花缭乱了。每隔6个月,都会冒出一个新版本出来,Java 10 , Java 11, Java 12, Java 13, 到2020年3月份,...
达摩院十大科技趋势发布:2020 非同小可!
【CSDN编者按】1月2日,阿里巴巴发布《达摩院2020十大科技趋势》,十大科技趋势分别是:人工智能从感知智能向认知智能演进;计算存储一体化突破AI算力瓶颈;工业互联网的超融合;机器间大规模协作成为可能;模块化降低芯片设计门槛;规模化生产级区块链应用将走入大众;量子计算进入攻坚期;新材料推动半导体器件革新;保护数据隐私的AI技术将加速落地;云成为IT技术创新的中心 。 新的画卷,正在徐徐展开。...
轻松搭建基于 SpringBoot + Vue 的 Web 商城应用
首先介绍下在本文出现的几个比较重要的概念: 函数计算(Function Compute): 函数计算是一个事件驱动的服务,通过函数计算,用户无需管理服务器等运行情况,只需编写代码并上传。函数计算准备计算资源,并以弹性伸缩的方式运行用户代码,而用户只需根据实际代码运行所消耗的资源进行付费。Fun: Fun 是一个用于支持 Serverless 应用部署的工具,能帮助您便捷地管理函数计算、API ...
讲真,这两个IDE插件,可以让你写出质量杠杠的代码
周末躺在床上看《拯救大兵瑞恩》 周末在闲逛的时候,发现了两个优秀的 IDE 插件,据说可以提高代码的质量,我就安装了一下,试了试以后发现,确实很不错,就推荐给大家。 01、Alibaba Java 代码规范插件 《阿里巴巴 Java 开发手册》,相信大家都不会感到陌生,其 IDEA 插件的下载次数据说达到了 80 万次,我今天又贡献了一次。嘿嘿。 该项目的插件地址: https://github....
Python+OpenCV实时图像处理
目录 1、导入库文件 2、设计GUI 3、调用摄像头 4、实时图像处理 4.1、阈值二值化 4.2、边缘检测 4.3、轮廓检测 4.4、高斯滤波 4.5、色彩转换 4.6、调节对比度 5、退出系统 初学OpenCV图像处理的小伙伴肯定对什么高斯函数、滤波处理、阈值二值化等特性非常头疼,这里给各位分享一个小项目,可通过摄像头实时动态查看各类图像处理的特点,也可对各位调参、测试...
2020年一线城市程序员工资大调查
人才需求 一线城市共发布岗位38115个,招聘120827人。 其中 beijing 22805 guangzhou 25081 shanghai 39614 shenzhen 33327 工资分布 2020年中国一线城市程序员的平均工资为16285元,工资中位数为14583元,其中95%的人的工资位于5000到20000元之间。 和往年数据比较: yea...
为什么猝死的都是程序员,基本上不见产品经理猝死呢?
相信大家时不时听到程序员猝死的消息,但是基本上听不到产品经理猝死的消息,这是为什么呢? 我们先百度搜一下:程序员猝死,出现将近700多万条搜索结果: 搜索一下:产品经理猝死,只有400万条的搜索结果,从搜索结果数量上来看,程序员猝死的搜索结果就比产品经理猝死的搜索结果高了一倍,而且从下图可以看到,首页里面的五条搜索结果,其实只有两条才是符合条件。 所以程序员猝死的概率真的比产品经理大,并不是错...
害怕面试被问HashMap?这一篇就搞定了!
声明:本文以jdk1.8为主! 搞定HashMap 作为一个Java从业者,面试的时候肯定会被问到过HashMap,因为对于HashMap来说,可以说是Java集合中的精髓了,如果你觉得自己对它掌握的还不够好,我想今天这篇文章会非常适合你,至少,看了今天这篇文章,以后不怕面试被问HashMap了 其实在我学习HashMap的过程中,我个人觉得HashMap还是挺复杂的,如果真的想把它搞得明明白...
毕业5年,我问遍了身边的大佬,总结了他们的学习方法
我问了身边10个大佬,总结了他们的学习方法,原来成功都是有迹可循的。
python爬取百部电影数据,我分析出了一个残酷的真相
2019年就这么匆匆过去了,就在前几天国家电影局发布了2019年中国电影市场数据,数据显示去年总票房为642.66亿元,同比增长5.4%;国产电影总票房411.75亿元,同比增长8.65%,市场占比 64.07%;城市院线观影人次17.27亿,同比增长0.64%。 看上去似乎是一片大好对不对?不过作为一名严谨求实的数据分析师,我从官方数据中看出了一点端倪:国产票房增幅都已经高达8.65%了,为什...
推荐10个堪称神器的学习网站
每天都会收到很多读者的私信,问我:“二哥,有什么推荐的学习网站吗?最近很浮躁,手头的一些网站都看烦了,想看看二哥这里有什么新鲜货。” 今天一早做了个恶梦,梦到被老板辞退了。虽然说在我们公司,只有我辞退老板的份,没有老板辞退我这一说,但是还是被吓得 4 点多都起来了。(主要是因为我掌握着公司所有的核心源码,哈哈哈) 既然 4 点多起来,就得好好利用起来。于是我就挑选了 10 个堪称神器的学习网站,推...
这些软件太强了,Windows必装!尤其程序员!
Windows可谓是大多数人的生产力工具,集娱乐办公于一体,虽然在程序员这个群体中都说苹果是信仰,但是大部分不都是从Windows过来的,而且现在依然有很多的程序员用Windows。 所以,今天我就把我私藏的Windows必装的软件分享给大家,如果有一个你没有用过甚至没有听过,那你就赚了????,这可都是提升你幸福感的高效率生产力工具哦! 走起!???? NO、1 ScreenToGif 屏幕,摄像头和白板...
阿里面试,面试官没想到一个ArrayList,我都能跟他扯半小时
我是真的没想到,面试官会这样问我ArrayList。
曾经优秀的人,怎么就突然不优秀了。
职场上有很多辛酸事,很多合伙人出局的故事,很多技术骨干被裁员的故事。说来模板都类似,曾经是名校毕业,曾经是优秀员工,曾经被领导表扬,曾经业绩突出,然而突然有一天,因为种种原因,被裁员了,...
大学四年因为知道了这32个网站,我成了别人眼中的大神!
依稀记得,毕业那天,我们导员发给我毕业证的时候对我说“你可是咱们系的风云人物啊”,哎呀,别提当时多开心啦????,嗯,我们导员是所有导员中最帅的一个,真的???? 不过,导员说的是实话,很多人都叫我大神的,为啥,因为我知道这32个网站啊,你说强不强????,这次是绝对的干货,看好啦,走起来! PS:每个网站都是学计算机混互联网必须知道的,真的牛杯,我就不过多介绍了,大家自行探索,觉得没用的,尽管留言吐槽吧???? 社...
良心推荐,我珍藏的一些Chrome插件
上次搬家的时候,发了一个朋友圈,附带的照片中不小心暴露了自己的 Chrome 浏览器插件之多,于是就有小伙伴评论说分享一下我觉得还不错的浏览器插件。 我下面就把我日常工作和学习中经常用到的一些 Chrome 浏览器插件分享给大家,随便一个都能提高你的“生活品质”和工作效率。 Markdown Here Markdown Here 可以让你更愉快的写邮件,由于支持 Markdown 直接转电子邮...
看完这篇HTTP,跟面试官扯皮就没问题了
我是一名程序员,我的主要编程语言是 Java,我更是一名 Web 开发人员,所以我必须要了解 HTTP,所以本篇文章就来带你从 HTTP 入门到进阶,看完让你有一种恍然大悟、醍醐灌顶的感觉。 最初在有网络之前,我们的电脑都是单机的,单机系统是孤立的,我还记得 05 年前那会儿家里有个电脑,想打电脑游戏还得两个人在一个电脑上玩儿,及其不方便。我就想为什么家里人不让上网,我的同学 xxx 家里有网,每...
2020 年,大火的 Python 和 JavaScript 是否会被取而代之?
Python 和 JavaScript 是目前最火的两大编程语言,但是2020 年,什么编程语言将会取而代之呢? 作者 |Richard Kenneth Eng 译者 |明明如月,责编 | 郭芮 出品 | CSDN(ID:CSDNnews) 以下为译文: Python 和 JavaScript 是目前最火的两大编程语言。然而,他们不可能永远屹立不倒。最终,必将像其他编程语言一...
史上最全的IDEA快捷键总结
现在Idea成了主流开发工具,这篇博客对其使用的快捷键做了总结,希望对大家的开发工作有所帮助。
阿里程序员写了一个新手都写不出的低级bug,被骂惨了。
这种新手都不会范的错,居然被一个工作好几年的小伙子写出来,差点被当场开除了。
谁是华为扫地僧?
是的,华为也有扫地僧!2020年2月11-12日,“养在深闺人不知”的华为2012实验室扫地僧们,将在华为开发者大会2020(Cloud)上,和大家见面。到时,你可以和扫地僧们,吃一个洋...
Idea 中最常用的10款插件(提高开发效率),一定要学会使用!
学习使用一些插件,可以提高开发效率。对于我们开发人员很有帮助。这篇博客介绍了开发中使用的插件。
AI 没让人类失业,搞 AI 的人先失业了
最近和几个 AI 领域的大佬闲聊 根据他们讲的消息和段子 改编出下面这个故事 如有雷同 都是巧合 1. 老王创业失败,被限制高消费 “这里写我跑路的消息实在太夸张了。” 王葱葱哼笑一下,把消息分享给群里。 阿杰也看了消息,笑了笑。在座几位也都笑了。 王葱葱是个有名的人物,21岁那年以全额奖学金进入 KMU 攻读人工智能博士,累计发表论文 40 余篇,个人技术博客更是成为深度学习领域内风向标。 ...
2020年,冯唐49岁:我给20、30岁IT职场年轻人的建议
点击“技术领导力”关注∆每天早上8:30推送 作者|Mr.K 编辑| Emma 来源|技术领导力(ID:jishulingdaoli) 前天的推文《冯唐:职场人35岁以后,方法论比经验重要》,收到了不少读者的反馈,觉得挺受启发。其实,冯唐写了不少关于职场方面的文章,都挺不错的。可惜大家只记住了“春风十里不如你”、“如何避免成为油腻腻的中年人”等不那么正经的文章。 本文整理了冯...
作为一名大学生,如何在B站上快乐的学习?
B站是个宝,谁用谁知道???? 作为一名大学生,你必须掌握的一项能力就是自学能力,很多看起来很牛X的人,你可以了解下,人家私底下一定是花大量的时间自学的,你可能会说,我也想学习啊,可是嘞,该学习啥嘞,不怕告诉你,互联网时代,最不缺的就是学习资源,最宝贵的是啥? 你可能会说是时间,不,不是时间,而是你的注意力,懂了吧! 那么,你说学习资源多,我咋不知道,那今天我就告诉你一个你必须知道的学习的地方,人称...
那些年,我们信了课本里的那些鬼话
教材永远都是有错误的,从小学到大学,我们不断的学习了很多错误知识。 斑羚飞渡 在我们学习的很多小学课文里,有很多是错误文章,或者说是假课文。像《斑羚飞渡》: 随着镰刀头羊的那声吼叫,整个斑羚群迅速分成两拨,老年斑羚为一拨,年轻斑羚为一拨。 就在这时,我看见,从那拨老斑羚里走出一只公斑羚来。公斑羚朝那拨年轻斑羚示意性地咩了一声,一只半大的斑羚应声走了出来。一老一少走到伤心崖,后退了几步,突...
一个程序在计算机中是如何运行的?超级干货!!!
强烈声明:本文很干,请自备茶水!???? 开门见山,咱不说废话! 你有没有想过,你写的程序,是如何在计算机中运行的吗?比如我们搞Java的,肯定写过这段代码 public class HelloWorld { public static void main(String[] args) { System.out.println("Hello World!"); } ...
【蘑菇街技术部年会】程序员与女神共舞,鼻血再次没止住。(文末内推)
蘑菇街技术部的年会,别开生面,一样全是美女。
那个在阿里养猪的工程师,5年了……
简介: 在阿里,走过1825天,没有趴下,依旧斗志满满,被称为“五年陈”。他们会被授予一枚戒指,过程就叫做“授戒仪式”。今天,咱们听听阿里的那些“五年陈”们的故事。 下一个五年,猪圈见! 我就是那个在养猪场里敲代码的工程师,一年多前我和20位工程师去了四川的猪场,出发前总架构师慷慨激昂的说:同学们,中国的养猪产业将因为我们而改变。但到了猪场,发现根本不是那么回事:要个WIFI,没有;...
为什么程序猿都不愿意去外包?
分享外包的组织架构,盈利模式,亲身经历,以及根据一些外包朋友的反馈,写了这篇文章 ,希望对正在找工作的老铁有所帮助
Java校招入职华为,半年后我跑路了
何来 我,一个双非本科弟弟,有幸在 19 届的秋招中得到前东家华为(以下简称 hw)的赏识,当时秋招签订就业协议,说是入了某 java bg,之后一系列组织架构调整原因等等让人无法理解的神操作,最终毕业前夕,被通知调往其他 bg 做嵌入式开发(纯 C 语言)。 由于已至于校招末尾,之前拿到的其他 offer 又无法再收回,一时感到无力回天,只得默默接受。 毕业后,直接入职开始了嵌入式苦旅,由于从未...
世界上有哪些代码量很少,但很牛逼很经典的算法或项目案例?
点击上方蓝字设为星标下面开始今天的学习~今天分享四个代码量很少,但很牛逼很经典的算法或项目案例。1、no code 项目地址:https://github.com/kelseyhight...
​两年前不知如何编写代码的我,现在是一名人工智能工程师
全文共3526字,预计学习时长11分钟 图源:Unsplash 经常有小伙伴私信给小芯,我没有编程基础,不会写代码,如何进入AI行业呢?还能赶上AI浪潮吗? 任何时候努力都不算晚。 下面,小芯就给大家讲一个朋友的真实故事,希望能给那些处于迷茫与徘徊中的小伙伴们一丝启发。(下文以第一人称叙述) 图源:Unsplash 正如Elsa所说,职业转换是...
强烈推荐10本程序员必读的书
很遗憾,这个春节注定是刻骨铭心的,新型冠状病毒让每个人的神经都是紧绷的。那些处在武汉的白衣天使们,尤其值得我们的尊敬。而我们这些窝在家里的程序员,能不外出就不外出,就是对社会做出的最大的贡献。 有些读者私下问我,窝了几天,有点颓丧,能否推荐几本书在家里看看。我花了一天的时间,挑选了 10 本我最喜欢的书,你可以挑选感兴趣的来读一读。读书不仅可以平复恐惧的压力,还可以对未来充满希望,毕竟苦难终将会...
作为一个程序员,内存的这些硬核知识你必须懂!
我们之前讲过CPU,也说了CPU和内存的那点事儿,今天咱就再来说说有关内存,作为一个程序员,你必须要懂的哪那些硬核知识! 大白话聊一聊,很重要! 先来大白话的跟大家聊一聊,我们这里说的内存啊,其实就是说的我们电脑里面的内存条,所以嘞,内存就是内存条,数据要放在这上面才能被cpu读取从而做运算,还有硬盘,就是电脑中的C盘啥的,一个程序需要运行的话需要向内存申请一块独立的内存空间,这个程序本身是存放在...
非典逼出了淘宝和京东,新冠病毒能够逼出什么?
loonggg读完需要5分钟速读仅需 2 分钟大家好,我是你们的校长。我知道大家在家里都憋坏了,大家可能相对于封闭在家里“坐月子”,更希望能够早日上班。今天我带着大家换个思路来聊一个问题...
立即提问