如何在Spring的CAS服务属性中正确设置服务URL [英] How to correctly set the service URL in Spring's CAS service properties

问题描述

在使用Spring Security + CAS时，我一直使用发送到CAS的回调URL(即服务属性)来碰到一个小障碍.我看过很多示例，例如此和此，但是它们都使用硬编码的URL(甚至

When working with Spring Security + CAS I keep hitting a small road block with the callback URL that is sent to CAS, ie the service property. I've looked at a bunch of examples such as this and this but they all use hard coded URLs (even Spring's CAS docs). A typical snip looks something like this...

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="http://localhost:8080/click/j_spring_cas_security_check" />
  </bean>

首先，我不想对服务器名称或端口进行硬编码，因为我希望此WAR可部署在任何地方，并且我不希望我的应用程序在编译时绑定到特定的DNS条目.其次，我不明白为什么Spring无法自动检测应用程序的上下文和请求的URL来自动构建URL.该语句的第一部分仍然存在，但正如Raghuram在下面用此链接，出于安全原因，我们不能信任客户端的HTTP Host Header.

First, I don't want to hard code the server name or the port since I want this WAR to be deployable anywhere and I don't want my application tied to a particular DNS entry at compile time. Second, I don't understand why Spring can't auto detect my application's context and the request's URL to automagically build the URL. The first part of that statement still stand but As Raghuram pointed out below with this link, we can't trust the HTTP Host Header from the client for security reasons.

理想情况下，我希望服务URL恰好是用户请求的内容(只要请求是有效的，例如mycompany.com的子域)，因此它是无缝的，或者至少我只想指定一些我的应用程序上下文根目录的相对路径，并让Spring即时确定服务URL.类似于以下内容...

Ideally I would like service URL to be exactly what the user requested (as long as the request is valid such as a sub domain of mycompany.com) so it is seamless or at the very least I would like to only specify some path relative my applications context root and have Spring determine the service URL on the fly. Something like the following...

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="/my_cas_callback" />
  </bean>

或...

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="${container.and.app.derived.value.here}" />
  </bean>

这一切可能还是容易的，或者我错过了显而易见的事情?

Is any of this possible or easy or have I missed the obvious?

推荐答案

在Spring 2.6.5 Spring中，您可以扩展org.springframework.security.ui.cas.ServiceProperties

In Spring 2.6.5 spring you could extend org.springframework.security.ui.cas.ServiceProperties

在春季3中，该方法是最终的方法，您可以通过将CasAuthenticationProvider和CasEntryPoint子类化，然后将其与自己的ServiceProperty版本一起使用，并使用更动态的实现来覆盖getService()方法.

In spring 3 the method is final you could get around this by subclassing the CasAuthenticationProvider and CasEntryPoint and then use with your own version of ServiceProperties and override the getService() method with a more dynamic implementation.

您可以使用主机头来计算所需的域，并通过验证仅使用您控制下的域/子域来使其更安全.然后附加一些可配置的值.

You could use the host header to calculate the the required domain and make it more secure by validating that only domains/subdomains under your control are used. Then append to this some configurable value.

当然，您可能会面临实施不安全的风险……所以要小心.

Of course you would be at risk that your implementation was insecure though... so be careful.

最终可能看起来像这样:

It could end up looking like:

<bean id="serviceProperties" class="my.ServiceProperties">
    <property name="serviceRelativeUrl" value="/my_cas_callback" />
    <property name="validDomainPattern" value="*.mydomain.com" />
</bean>

这篇关于如何在Spring的CAS服务属性中正确设置服务URL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！