Java CAS+;Spring安全检测本地主机
我正在尝试使用Spring security和CAS实现一个应用程序,它在localhost上运行良好,但当我尝试从外部机器访问它时,它需要验证,并且应用程序也需要重定向到localhost 意义 我使用Java CAS+;Spring安全检测本地主机,java,spring,spring-security,cas,Java,Spring,Spring Security,Cas,我正在尝试使用Spring security和CAS实现一个应用程序,它在localhost上运行良好,但当我尝试从外部机器访问它时,它需要验证,并且应用程序也需要重定向到localhost 意义 我使用https://172.16.1.50:8443/isxannouncements/ 当需要验证时,应转到https://172.16.1.50:8443/cas/login/ 但它会转到https://localhost:8443/isxannouncements/ 这当然破坏了应用程序流程
https://172.16.1.50:8443/isxannouncements/
当需要验证时,应转到https://172.16.1.50:8443/cas/login/
但它会转到https://localhost:8443/isxannouncements/
这当然破坏了应用程序流程
我的配置是
security-cas.xml
<bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties">
<property name="service"
value="https://localhost:8443/isxannouncements/login"/>
</bean>
<!--
Allows changing where the CAS Server and CAS Service are easily
by specifying System Arguments or replacing the values only in one place.
Could also use external properties file -->
<context:property-placeholder
system-properties-mode="OVERRIDE" properties-ref="environment"/>
<util:properties id="environment">
<prop key="cas.service.host">localhost:8443</prop>
<prop key="cas.server.host">localhost:8443</prop>
</util:properties>
<!-- sends to the CAS Server, must be in entry-point-ref of security.xml -->
<bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="serviceProperties" ref="serviceProperties"/>
<property name="loginUrl" value="https://localhost:8443/cas/login" />
</bean>
<!-- authenticates CAS tickets, must be in custom-filter of security.xml -->
<bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="filterProcessesUrl" value="/login"/>
</bean>
<bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="ticketValidator" ref="ticketValidator"/>
<property name="serviceProperties" ref="serviceProperties"/>
<property name="key" value="isxannouncements"/>
<property name="authenticationUserDetailsService" ref="DBUserServiceDetails"/>
<property name="statelessTicketCache" ref="statelessTicketCache"/>
</bean>
<bean id="statelessTicketCache" class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
<property name="cache">
<bean class="net.sf.ehcache.Cache"
init-method="initialise" destroy-method="dispose">
<constructor-arg value="casTickets"/>
<constructor-arg value="50"/>
<constructor-arg value="true"/>
<constructor-arg value="false"/>
<constructor-arg value="3600"/>
<constructor-arg value="900"/>
</bean>
</property>
</bean>
<bean id="ticketValidator" class="org.jasig.cas.client.validation.Saml11TicketValidator">
<constructor-arg value="https://localhost:8443/cas" />
<property name="encoding" value="utf8" />
</bean>
<!-- Handles a Single Logout Request from the CAS Server must be in custom-filter of security.xml -->
<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
本地主机:8443
本地主机:8443
还有我的security.xml
<security:http pattern="/resources/images" security="none"/>
<security:http use-expressions="true" entry-point-ref="casEntryPoint">
<security:intercept-url pattern="/login/*"
access="permitAll"/>
<security:intercept-url pattern="/resources/**"
access="permitAll"/>
<security:intercept-url pattern="/logout"
access="permitAll"/>
<security:intercept-url pattern="/errors/**"
access="permitAll"/>
<security:intercept-url pattern="/approve-announcement**"
access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/delete-announcement**"
access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/edit-announcement**"
access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/admin/**"
access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/META-INF"
access="hasRole('ROLE_USER')"/>
<security:access-denied-handler error-page="/errors/403"/>
<security:custom-filter ref="singleLogoutFilter" before="LOGOUT_FILTER"/>
<security:custom-filter ref="casFilter" position="CAS_FILTER"/>
<security:port-mappings>
<security:port-mapping http="8080" https="8443"/>
</security:port-mappings>
<security:logout logout-url="/logout"
logout-success-url="https://localhost:8443/cas/logout"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthProvider" />
</security:authentication-manager>
如何修复此问题???我们使用属性文件处理此问题。特定于特定环境的任何内容(即本地计算机与测试服务器)都应该在属性文件中 例如,使用以下内容为每个环境创建属性文件: localhost.properties:
cas.service.url=http://localhost/login
cas.service.url=http://mytestserver/login
test.properties:
cas.service.url=http://localhost/login
cas.service.url=http://mytestserver/login
然后使用属性文件中的值来配置spring security,而不是像上面那样直接配置:
然后,您的构建过程将为每个环境设置一个目标,以将适当的文件重新排列到最终工件中的适当位置。CAS在域下工作。因此,您应该使用cas.example.com并在cas.properties中定义它好的,我找到了一个解决方法,但没有正确测试它 受此启发,我做了以下工作 因为我有两个域,用户可以使用它们访问我的应用程序,所以获取用户使用的域的唯一方法是从请求中获取,然后将其返回给安全提供者 我创建了一个名为
serviceProperties
的bean,并使用它来代替spring的serviceProperties
,我重写了getService方法,根据用户访问应用程序时使用的域名返回服务
然后我让这个bean在Web应用程序上下文中可用,并且我传入了会话,我已经从请求中提取了域并将其放入会话中
因此,当
CasAuthenticationEntryPoint
尝试获取服务时,我会传递我从会话中创建的服务URL,该URL附加到服务名称上。但是我们有两个域名,因此您需要以某种方式在这两个域名之间切换。一种方法是在构建过程中生成特定于环境的工件。这就是我在回答中的建议。