Spring CAS服务器跨子域ST票证
我有自己的Jasig CAS服务器:Spring CAS服务器跨子域ST票证,spring,single-sign-on,cas,jasig,Spring,Single Sign On,Cas,Jasig,我有自己的Jasig CAS服务器: https://cas.example.com 此外,我还有两个子域(应用程序)连接到此CAS服务器,例如: https://ui.example.com https://api.example.com 我可以通过以下请求为成功创建ST票证: https://cas.example.com/login?service=https://ui.example.com 答复: https://cas.example.com/?ticket=ST-5-p5rV
https://cas.example.com
此外,我还有两个子域(应用程序)连接到此CAS服务器,例如:
https://ui.example.com
https://api.example.com
我可以通过以下请求为成功创建ST票证:
https://cas.example.com/login?service=https://ui.example.com
答复:
https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/
但是我不能用这张票去买
出现以下错误:
access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account
这是我的服务配置:
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^(http?|https?)://.*example.com/.*",
"name" : "example.com dev
"theme" : example
"id" : 20000002,
"description" : "example.com dev environment",
"proxyPolicy" : {
"@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
"pattern" : "^(http?|https?)://.*example.com/.*"
},
"evaluationOrder" : 2,
"usernameAttributeProvider" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
},
"logoutType" : "BACK_CHANNEL",
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
"principalAttributesRepository" : {
"@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
},
"authorizedToReleaseCredentialPassword" : false,
"authorizedToReleaseProxyGrantingTicket" : false
},
"accessStrategy" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true
}
}
是否有可能发行一张同时被这两个子域接受的ST票?对于Jasig CAS是不可能的你能用什么来证明吗?我在Jasig CAS谷歌集团问过同样的问题,答案是-我需要使用PT而不是ST,但这不是我的情况。
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^(http?|https?)://.*example.com/.*",
"name" : "example.com dev
"theme" : example
"id" : 20000002,
"description" : "example.com dev environment",
"proxyPolicy" : {
"@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
"pattern" : "^(http?|https?)://.*example.com/.*"
},
"evaluationOrder" : 2,
"usernameAttributeProvider" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
},
"logoutType" : "BACK_CHANNEL",
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
"principalAttributesRepository" : {
"@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
},
"authorizedToReleaseCredentialPassword" : false,
"authorizedToReleaseProxyGrantingTicket" : false
},
"accessStrategy" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true
}
}