CAS service ticket validation failed
I have followed a link http://lukesampson.com/post/315838839/cas-on-windows-localhost-setup-in-5-mins, then the cas server works correctly, the login url is http://10.1.1.26:8080/login, the validate url is http://10.1.1.26:8080/serviceValidate.
Then I tested it like below:
- call http://10.1.1.26:8080/login?service=http://10.1.1.9:8081/default.aspx
- I get the service ticket successfully, such as ST-9-pJ5UDxqKIHP2zuN3JGe4-cas
- then I validate the service ticket by calling http://10.1.1.26:8080/serviceValidate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx,
- unfortunately, it always returns invalid ticket,
In order to fix it, I tried the CAS 1.0 validate URL, http://10.1.1.26:8080/validate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx, but it returns "no".
Then I generated a certificate file and put it into the keystore, then I tried all the above steps using https://10.1.1.26:8443; however, the validation still failed.
I changed the cas log4j configuration, to print all debug information, and below is the log
2012-02-21 13:18:36,371 DEBUG [org.springframework.web.servlet.DispatcherServlet
] - <DispatcherServlet with name 'cas' processing GET request for [/cas-server-w
ebapp-3.4.11/serviceValidate]>
2012-02-21 13:18:36,381 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandl
erMapping] - <No flow mapping found for request with URI '/cas-server-webapp-3.4
.11/serviceValidate'>
2012-02-21 13:18:36,381 DEBUG [org.springframework.web.servlet.handler.SimpleUrl
HandlerMapping] - <Mapping [/serviceValidate] to HandlerExecutionChain with hand
ler [org.jasig.cas.web.ServiceValidateController@302a4b] and 1 interceptor>
2012-02-21 13:18:36,381 DEBUG [org.springframework.web.servlet.DispatcherServlet
] - <Last-Modified value for [/cas-server-webapp-3.4.11/serviceValidate] is: -1>
2012-02-21 13:18:36,391 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -
<ServiceTicket [ST-1-pqIeCRqcafGBE6idoCcd-cas] has expired.>
2012-02-21 13:18:36,391 INFO [com.github.inspektr.audit.support.Slf4jLoggingAudi
tTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-pqIeCRqcafGBE6idoCcd-cas
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Tue Feb 21 13:18:36 EST 2012
CLIENT IP ADDRESS: 10.1.1.9
SERVER IP ADDRESS: 10.1.1.26
=============================================================
What I don't understand is this: in other posts I saw that the log has something like "write service ticket to ticket registry, and retrieve service ticket", but there is nothing about that in my log.
Comments (2)
I'm not 100% sure because I can't see your configuration, but the log says this
Which means that the ticket has already expired. There exists a config file in CAS called ticketExpirationPolicies.xml which contains the times a ticket is valid. In my CAS version the expiration period for a service ticket is set to 10000ms. Maybe the time between your step 1 and 3 is longer than the expiration setting in your file, which (of course) could differ from mine. The tutorial that you follow is, in my opinion, not complete in its configuration settings. Depending on what you try to achieve with this CAS server you could need some of the customization described here
Look at the date of your servers; in my case I had 10 seconds of difference between HA servers and I received ticket expired.
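
Both answers come down to one check: a service ticket is rejected once its age, as measured on the validating server's clock, reaches the configured lifetime. The sketch below is an added example, not CAS code and not part of either answer; it models that check with the 10000 ms figure from the first answer, and the single-use limit, the timestamps and all class and function names are assumptions for illustration.

```python
from dataclasses import dataclass

SERVICE_TICKET_TTL_MS = 10_000  # figure quoted in the first answer; your file may differ
SERVICE_TICKET_MAX_USES = 1     # assumption: a service ticket validates only once


@dataclass
class ServiceTicket:
    ticket_id: str
    created_ms: int  # issuing node's clock when the ticket was created
    uses: int = 0


def validate(ticket, now_ms, ttl_ms=SERVICE_TICKET_TTL_MS,
             max_uses=SERVICE_TICKET_MAX_USES):
    """Simplified use-or-timeout check; now_ms is the validating node's clock."""
    age_ms = now_ms - ticket.created_ms
    if ticket.uses >= max_uses:
        return False, "rejected: already used"
    if age_ms >= ttl_ms:
        return False, f"expired: age {age_ms} ms >= ttl {ttl_ms} ms"
    ticket.uses += 1
    return True, "valid"


def max_tolerable_delay_ms(skew_ms, ttl_ms=SERVICE_TICKET_TTL_MS):
    """Real time left for validation when the validating node runs skew_ms ahead."""
    return max(0, ttl_ms - skew_ms)


def scenarios():
    t0 = 1_000_000  # constructed timestamp in ms, not taken from the log above
    out = {}
    # Application validates 300 ms after the login redirect, same node.
    st = ServiceTicket("ST-example-1", t0)
    out["prompt"] = validate(st, t0 + 300)
    # Same ticket sent to a second validation endpoint afterwards.
    out["replayed"] = validate(st, t0 + 600)
    # Ticket copied by hand into a validation URL 25 s after login.
    out["manual"] = validate(ServiceTicket("ST-example-2", t0), t0 + 25_000)
    # HA pair: issued on node A, validated 300 ms later on node B whose
    # clock is 10 s ahead, the situation described in the second answer.
    out["skewed"] = validate(ServiceTicket("ST-example-3", t0), t0 + 300 + 10_000)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:9s} {result}")
    print("window left with 10 s skew:", max_tolerable_delay_ms(10_000), "ms")
```

With a 10 s lifetime, a 10 s clock difference between nodes leaves no validation window at all, so synchronizing the servers' clocks matters as much as the value in ticketExpirationPolicies.xml.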