Getting a redirect loop with CAS Spring Security


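The following configuration results in a redirect loop to the CAS server, which works for other applications. I can log in, and the resulting URL is: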

http://localhost:18080/ourapp/app/j_spring_cas_security_check?ticket=ST-18-CQMfGMeDPcXkdKGjosfj-localsso.subdomain.mycompany.com
applicationContext security.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">   

<!-- Enable security, let the casAuthenticationEntryPoint handle all intercepted 
urls. The CAS_FILTER needs to be in the right position within the filter 
chain. -->
<security:http entry-point-ref="casEntryPoint" use-expressions="true" auto-config="false">
    <!--<security:intercept-url pattern="/**" access="permitAll"/> -->
      <security:anonymous username="guest" granted-authority="isAnonymous()"/>
    <security:intercept-url pattern="/app/resources/**" access="hasAnyRole('ROLE_ANONYMOUS', 'cm_user')"/>
    <security:intercept-url pattern="/app/**" access="hasRole('cm_user')"/>
    <security:custom-filter position="CAS_FILTER" ref="casFilter"/>

    <security:session-management>
        <security:concurrency-control max-sessions="5" error-if-maximum-exceeded="true"/>
   </security:session-management>
</security:http>

<!-- Required for the casProcessingFilter, so define it explicitly set and 
specify an Id Even though the authenticationManager is created by default 
when namespace based config is used. -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="casAuthenticationProvider"/>
</security:authentication-manager>

<!-- This section is used to configure CAS. The service is the actual redirect 
that will be triggered after the CAS login sequence. -->
<bean id="serviceProperties"
    class="org.springframework.security.cas.ServiceProperties"
    p:service="http://localhost:18080/ourapp/app/j_spring_cas_security_check"
    p:sendRenew="false"/>

<!-- The CAS filter handles the redirect from the CAS server and starts 
the ticket validation. -->
<bean id="casFilter"
    class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
</bean>

<!-- The entryPoint intercepts all the CAS authentication requests. It redirects 
to the CAS loginUrl for the CAS login page. -->
<bean id="casEntryPoint"
    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
    p:serviceProperties-ref="serviceProperties"
    p:loginUrl="https://devmcauth01.nexus.mycompany.com:5443/login"/>

<!-- Handles the CAS ticket processing. -->
<bean id="casAuthenticationProvider"
  class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="serviceProperties" ref="serviceProperties" />
    <property name="ticketValidator">
      <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        <constructor-arg index="0" value="https://devmcauth01.nexus.mycompany.com:5443" />
      </bean>
    </property>
    <property name="key" value="cas"/>
</bean>

<bean id="permissionConversionService"
    class="com.mycompany.connmgmt.misc.security.PermissionConversionServiceImpl"/>

<bean id="userDetailsService"
    class="com.mycompany.connmgmt.misc.security.CmUserDetailsService">
    <property name="userRepository" ref="userRepository"/>
    <property name="permissionConversionService" ref="permissionConversionService"/>
</bean>

<bean id="accessDecisionManager" 
        class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions">
        <value>false</value>
    </property>
    <property name="decisionVoters">
        <list>
           <ref bean="roleVoter"/>
        </list>
    </property>
</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value=""/>
</bean>

<bean id="loggerListener" 
    class="org.springframework.security.access.event.LoggerListener"/>

<!-- Enable JSR250 annotations, disable Spring Security annotations for now -->
<security:global-method-security secured-annotations="disabled" 
    jsr250-annotations="enabled" 
    access-decision-manager-ref="accessDecisionManager"/>

</beans>

web.xml

<?xml version="1.0" encoding="UTF-8"?>

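<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4">

    <display-name>Our Application</display-name>
    <filter>
        <filter-name>OpenPersistenceManagerViewFilter</filter-name>
        <filter-class>org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter</filter-class>
        <init-param>
            <param-name>persistenceManagerFactoryBeanName</param-name>
            <param-value>internalPersistenceManagerFactory</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>dsmProdOpenPersistenceManagerInViewFilter</filter-name>
        <filter-class>org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter</filter-class>
        <init-param>
            <param-name>persistenceManagerFactoryBeanName</param-name>
            <param-value>dsmProdInternalPersistenceManagerFactory</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>DSMTestOpenPersistenceManagerViewFilter</filter-name>
        <filter-class>org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter</filter-class>
        <init-param>
            <param-name>persistenceManagerFactoryBeanName</param-name>
            <param-value>DSMTestinerPersistenceManagerFactory</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>onboardOpenPersistenceManagerViewFilter</filter-name>
        <filter-class>org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter</filter-class>
        <init-param>
            <param-name>persistenceManagerFactoryBeanName</param-name>
            <param-value>onboardInternalPersistenceManagerFactory</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>OpenEntityManagerViewFilter</filter-name>
        <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
        <init-param>
            <param-name>entityManagerFactoryBeanName</param-name>
            <param-value>orgDataDir_EntityManagerFactory</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter>
        <filter-name>wicket</filter-name>
        <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
        <init-param>
            <param-name>applicationFactoryClassName</param-name>
            <param-value>org.apache.wicket.spring.SpringWebApplicationFactory</param-value>
        </init-param>
    </filter>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:/applicationSecurityContext.xml
            classpath:/applicationContext.xml
            classpath:/orgDataDir-config.xml
            classpath:/dsm-prod-spring-jdo-config.xml
            classpath:/dsm-test-spring-jdo-config.xml
            classpath:/dsm-prod-beans.xml
            classpath:/dsm-test-beans.xml
            classpath:/exchange-config.xml
            classpath:/reporting.xml
            classpath:/profile-conversion.xml
            classpath:/com/mycompany/connmgmt/integration/jms/jms-client.xml
            classpath:/com/mycompany/connmgmt/integration/jms/test-jms-client.xml
            classpath:/com/mycompany/connmgmt/integration/jms/jms-consumers.xml
            classpath:/com/mycompany/connmgmt/integration/jms/jms-producers.xml
            classpath*:/com/mycompany/core/odd/odd-applicationContext.xml
            classpath:/task-support.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <filter-mapping>
        <filter-name>OpenPersistenceManagerViewFilter</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>dsmProdOpenPersistenceManagerInViewFilter</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>DSMTestOpenPersistenceManagerViewFilter</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>onboardOpenPersistenceManagerViewFilter</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>OpenEntityManagerViewFilter</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>wicket</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
    <session-config>
        <session-timeout>600</session-timeout>
    </session-config>
</web-app>
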
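Note that this is a different issue from the related errors:

This one suggests using a pre-auth filter, which the Spring/CAS documentation or sample applications do not require:

This one mentions that j_spring_cas_security_check needs to be under a URL protected by the CasAuthenticationFilter:

This one mentions the need for a user details service, which I have: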

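The solution was to add filterProcessesUrl for the URL used by the filter. I think this is required because the intercept-url entries map to that location. When CAS returns the ticket, it cannot reach that location because the user has not been authenticated yet.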

<bean id="casFilter"
    class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="filterProcessesUrl" value="/app/j_spring_cas_security_check"/>
</bean>
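
An added example, not part of the original answer: a small Python check that reads the two relevant beans and reports whether the CAS callback URL in `ServiceProperties` is one the `CasAuthenticationFilter` will process. It assumes the context path is `/ourapp` (taken from the URL in the question) and the Spring Security 3.x default `filterProcessesUrl` of `/j_spring_cas_security_check`; the function names and the trimmed sample XML are illustrative.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

BEANS = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"
CAS_FILTER = "org.springframework.security.cas.web.CasAuthenticationFilter"
SERVICE_PROPS = "org.springframework.security.cas.ServiceProperties"
DEFAULT_URL = "/j_spring_cas_security_check"  # Spring Security 3.x default

def bean_value(bean, name):
    """Read a bean property set via the p: namespace or a <property> child."""
    if bean.get(P + name) is not None:
        return bean.get(P + name)
    for prop in bean.findall(BEANS + "property"):
        if prop.get("name") == name:
            return prop.get("value")
    return None

def callback_reaches_filter(xml_text, context_path):
    """True if the CAS service URL is one the CasAuthenticationFilter processes."""
    root = ET.fromstring(xml_text)
    beans = {b.get("class"): b for b in root.iter(BEANS + "bean")}
    service = bean_value(beans[SERVICE_PROPS], "service")
    processes = bean_value(beans[CAS_FILTER], "filterProcessesUrl") or DEFAULT_URL
    # The 3.x filter matches when the request URI ends with
    # contextPath + filterProcessesUrl; anything else falls through to the
    # intercept-url rules and is sent back to the CAS login page.
    return urlparse(service).path.endswith(context_path + processes)

# Constructed sample: the two relevant beans from the question, trimmed.
TEMPLATE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"
        p:service="http://localhost:18080/ourapp/app/j_spring_cas_security_check"
        p:sendRenew="false"/>
  <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>%s
  </bean>
</beans>"""
BEFORE = TEMPLATE % ""
AFTER = TEMPLATE % '<property name="filterProcessesUrl" value="/app/j_spring_cas_security_check"/>'

if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        ok = callback_reaches_filter(xml_text, "/ourapp")
        print(label, "callback handled by CasAuthenticationFilter:", ok)
```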