2015-04-03 217 views
2

CAS: Unable to validate ProxyTicketValidator

I am currently trying to set up a CAS server and use it to log in to several local applications.

CAS server (HTTPS): localhost:8443 (this is working correctly)

Application: localhost:82

When I go to localhost:82, it immediately redirects to localhost:8443. When I try to log in, it returns to localhost:82/?ticket=ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org, but it shows this error:

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/serviceValidate] ticket=[ST-5-oYvT4kciKnE3Ibx1CtRd-cas01.example.org] service=[http%3A%2F%2Flocalhost%3A82%2F] renew=false entireResponse=[ 
..(complete page's HTML code).. 
]]]] 
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52) 
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455) 
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378) 

When I try to log in, Tomcat shows the following in the server log. This indicates that localhost:82 has been authenticated, right?

2015-04-03 09:22:40,544 INFO      [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler successfully authenticated admin+password> 
2015-04-03 09:22:40,544 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated admin with credentials [admin+password].> 
2015-04-03 09:22:40,544 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: audit:unknown 
WHAT: supplied credentials: [admin+password] 
ACTION: AUTHENTICATION_SUCCESS 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 
2015-04-03 09:22:40,545 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: audit:unknown 
WHAT: TGT-3-I53UgV3LJICJLLtxgKcAIgSmLniIGCuPZsqWs0jLa146Secypw-cas01.example.org 
ACTION: TICKET_GRANTING_TICKET_CREATED 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 
2015-04-03 09:22:40,546 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org] for service [http://localhost:82/] for user [admin]> 
2015-04-03 09:22:40,546 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: admin 
WHAT: ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org for http://localhost:82/ 
ACTION: SERVICE_TICKET_CREATED 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 
2015-04-03 09:22:40,622 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org] for service [http://localhost:82/favicon.ico] for user [admin]> 
2015-04-03 09:22:40,622 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN 
============================================================= 
WHO: admin 
WHAT: ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org for http://localhost:82/favicon.ico 
ACTION: SERVICE_TICKET_CREATED 
APPLICATION: CAS 
WHEN: Fri Apr 03 09:22:40 CEST 2015 
CLIENT IP ADDRESS: 127.0.0.1 
SERVER IP ADDRESS: 127.0.0.1 
============================================================= 

> 

I created an SSL certificate following wiki.jasig.org/display/CASUM/Demo. I ran

keytool -genkey -alias tomcat -keypass changeit -keyalg RSA (with first and last name = localhost)
keytool -export -alias tomcat -keypass changeit -file server.crt
keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts

And in Tomcat's server.xml I added

<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" 
enableLookups="false" disableUploadTimeout="true" 
acceptCount="100" scheme="https" secure="true" 
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
keystoreFile="C:\workspace\.keystore" 
keystorePass="changeit" 
truststoreFile="C:/Program Files/Java/jdk1.7.0_76/jre/lib/security/cacerts" 
SSLEnabled="true" protocol="org.apache.coyote.http11.Http11Protocol" /> 

Can anyone give me a clue where to look for the solution to this problem? Any help would be greatly appreciated!

+0

Can you try using HTTPS for the application's Tomcat (localhost:82)? If you can, could you provide more logs? – longhua 2015-04-13 10:01:51

+0

Thank you for your response. Fortunately, I have already found the solution: the problem was that I was using an older dependency for the CAS Server while using the latest CAS Client dependency. The Tomcat settings seem to have been fine. – Geert 2015-04-14 11:09:42

Answer

1

Whenever you request serviceValidate with a pgtUrl, CAS will try to create a PGT and send it to your pgtUrl.

Check out the walkthrough here.

If your application has nothing serving at the pgtUrl, CAS will log these errors. If you are not implementing proxy ticketing in your application, you should not send the request with pgtUrl as a parameter. This is usually done by not setting the proxy callback URL.

If you are implementing proxy ticketing, the callback needs to be an https URL. You can then use these parameters to obtain proxy tickets.

In my case, I was using the spring-security-cas plugin in Grails. The documentation suggests setting cas.proxyCallbackUrl and cas.proxyReceptorUrl, but when these are set the CAS log fills with errors. I found that pgtUrl was being set because of that configuration. Once I removed that configuration, the errors went away.

I suggest not sending pgtUrl to serviceValidate and seeing whether the errors go away.
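As an added illustration of the serviceValidate exchange the answer describes (this is example code, not code from the question, the answer, or the Jasig CAS client): a minimal Python CAS 2.0 client helper that builds the /serviceValidate URL, only appends pgtUrl when proxy ticketing is actually wanted and the callback is https, and parses the protocol XML. It distinguishes a successful validation (with or without a proxy-granting ticket IOU) from an authenticationFailure element and from a body that is not CAS XML at all, which is what the question's entireResponse (a complete HTML page) shows the validator received. The XML bodies, the HTML page and the PGTIOU value are constructed for the example, not captured from the poster's server.

```python
"""Minimal CAS 2.0 /serviceValidate client helpers (added example).

Not code from the question, the answer, or the Jasig CAS client. The bodies
below are constructed to match the CAS 2.0 protocol, not captured from the
poster's server; the PGTIOU value is made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

CAS_NS = "http://www.yale.edu/tp/cas"


def tag(name):
    """Namespace-qualify a CAS element name for ElementTree lookups."""
    return "{%s}%s" % (CAS_NS, name)


class CasValidationError(Exception):
    """/serviceValidate did not yield an authenticated user."""


def is_valid_pgt_url(pgt_url):
    """CAS only delivers a PGT to an https callback; anything else is rejected
    client-side instead of producing callback errors in the CAS log."""
    parts = urlsplit(pgt_url)
    return parts.scheme == "https" and bool(parts.netloc)


def build_validate_url(cas_base, service, ticket, pgt_url=None):
    """Build the /serviceValidate URL. pgtUrl is sent only when proxy
    ticketing is really in use (pgt_url given) and the callback is https."""
    params = {"service": service, "ticket": ticket}
    if pgt_url is not None:
        if not is_valid_pgt_url(pgt_url):
            raise ValueError("pgtUrl must be an https URL: %s" % pgt_url)
        params["pgtUrl"] = pgt_url
    return "%s/serviceValidate?%s" % (cas_base.rstrip("/"), urlencode(params))


def parse_service_validate(body):
    """Parse a CAS 2.0 serviceValidate body into (user, pgt_iou).

    pgt_iou is None unless the server issued a proxy-granting ticket IOU.
    Raises CasValidationError on an authenticationFailure element, and also
    when the body is not CAS XML at all (e.g. an HTML page), which a ticket
    validator must not treat as a successful validation.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise CasValidationError(
            "response is not CAS XML (starts %r): %s" % (body[:30], exc))
    if root.tag != tag("serviceResponse"):
        raise CasValidationError("unexpected root element %s" % root.tag)
    failure = root.find(tag("authenticationFailure"))
    if failure is not None:
        raise CasValidationError(
            "%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    success = root.find(tag("authenticationSuccess"))
    if success is None:
        raise CasValidationError("neither success nor failure element found")
    return success.findtext(tag("user")), success.findtext(tag("proxyGrantingTicket"))


def validate_response(body):
    """Non-raising wrapper returning ok/user/pgt_iou/error, for callers that
    want to log the reason for a failed validation instead of propagating."""
    try:
        user, pgt_iou = parse_service_validate(body)
    except CasValidationError as exc:
        return {"ok": False, "user": None, "pgt_iou": None, "error": str(exc)}
    return {"ok": True, "user": user, "pgt_iou": pgt_iou, "error": None}


# Constructed sample bodies (not captured from the poster's CAS server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

SUCCESS_WITH_PGT_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>admin</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-5-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# An HTML page where the protocol XML was expected, as in the question's entireResponse.
HTML_BODY = ("<!DOCTYPE html><html><head><meta charset='utf-8'><title>CAS</title>"
             "</head><body><p>Login</p></body></html>")

if __name__ == "__main__":
    print(build_validate_url("https://localhost:8443/cas", "http://localhost:82/",
                             "ST-7-example"))
    for name, body in [("success", SUCCESS_XML), ("success+pgt", SUCCESS_WITH_PGT_XML),
                       ("failure", FAILURE_XML), ("html", HTML_BODY)]:
        print(name, validate_response(body))
```

The service parameter is percent-encoded the same way it appears in the question's error (service=[http%3A%2F%2Flocalhost%3A82%2F]); the client must send exactly the service string it registered with CAS or the ticket will not validate. Leaving pgt_url unset is the equivalent of the answer's advice to not configure a proxy callback.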