CAS service ticket validate failed


Problem description


I have followed a link http://lukesampson.com/post/315838839/cas-on-windows-localhost-setup-in-5-mins, then the cas server works correctly, the login url is http://10.1.1.26:8080/login, the validate url is http://10.1.1.26:8080/serviceValidate.

Then I tested it like below:

  1. call http://10.1.1.26:8080/login?service=http://10.1.1.9:8081/default.aspx
  2. I get the service ticket successfully, such as ST-9-pJ5UDxqKIHP2zuN3JGe4-cas
  3. then I validate the service ticket by calling http://10.1.1.26:8080/serviceValidate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx,
  4. unfortunately, it always returns invalid ticket,

In order to fix it, I tried the CAS 1.0 validate URL, http://10.1.1.26:8080/validate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx, but it returns "no".

Then I generated a certificate file and put it into the keystore, then I tried all the above steps using https://10.1.1.26:8443; however, the validation still failed.

I changed the cas log4j configuration, to print all debug information, and below is the log

2012-02-21 13:18:36,371 DEBUG [org.springframework.web.servlet.DispatcherServlet
] - <DispatcherServlet with name 'cas' processing GET request for [/cas-server-w
ebapp-3.4.11/serviceValidate]>
2012-02-21 13:18:36,381 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandl
erMapping] - <No flow mapping found for request with URI '/cas-server-webapp-3.4
.11/serviceValidate'>
2012-02-21 13:18:36,381 DEBUG [org.springframework.web.servlet.handler.SimpleUrl
HandlerMapping] - <Mapping [/serviceValidate] to HandlerExecutionChain with hand
ler [org.jasig.cas.web.ServiceValidateController@302a4b] and 1 interceptor>
2012-02-21 13:18:36,381 DEBUG [org.springframework.web.servlet.DispatcherServlet
] - <Last-Modified value for [/cas-server-webapp-3.4.11/serviceValidate] is: -1>
2012-02-21 13:18:36,391 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -
<ServiceTicket [ST-1-pqIeCRqcafGBE6idoCcd-cas] has expired.>
2012-02-21 13:18:36,391 INFO [com.github.inspektr.audit.support.Slf4jLoggingAudi
tTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-pqIeCRqcafGBE6idoCcd-cas
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Tue Feb 21 13:18:36 EST 2012
CLIENT IP ADDRESS: 10.1.1.9
SERVER IP ADDRESS: 10.1.1.26
=============================================================

What I don't understand is this: in other posts I saw that the log has something like "write service ticket to ticket registry, and retrieve service ticket", but there is nothing about that in my log.

Solution

I'm not 100% sure because I can't see your configuration, but the log says this

<ServiceTicket [ST-1-pqIeCRqcafGBE6idoCcd-cas] has expired.>

Which means that the ticket has already expired. There exists a config file in CAS called ticketExpirationPolicies.xml which contains the times a ticket is valid. In my CAS version the expiration period for a service ticket is set to 10000ms. Maybe the time between your steps 1 and 3 is longer than the expiration setting in your file, which of course could differ from mine.

<!-- Expiration policies -->
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
    <!-- This argument is the number of times that a ticket can be used before its considered expired. -->
    <constructor-arg
        index="0"
        value="1" />

    <!-- This argument is the time a ticket can exist before its considered expired.  -->
    <constructor-arg
        index="1"
        value="10000" />
</bean>

<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <!-- This argument is the time a ticket can exist before its considered expired.  -->
    <constructor-arg
        index="0"
        value="7200000" />
</bean>

The tutorial that you follow in my opinion is not complete in its configuration settings. Depending on what you try to achieve with this CAS-server you could need some of the customization described here
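
The two expiry conditions in the serviceTicketExpirationPolicy bean above (one use, 10000 ms), modelled as an added Python example; it is not CAS source code and not part of the original answer. The class and function names, the ticket id and the timings in the scenarios are constructed for illustration.

```python
from dataclasses import dataclass

# Constructor arguments of the serviceTicketExpirationPolicy bean quoted above.
MAX_USES = 1       # index 0: number of validations allowed
TTL_MS = 10_000    # index 1: lifetime in milliseconds


@dataclass
class ServiceTicket:
    """Simplified stand-in for a service ticket (hypothetical, not CAS code)."""
    ticket_id: str
    created_ms: int
    uses: int = 0


def is_expired(ticket, now_ms, max_uses=MAX_USES, ttl_ms=TTL_MS):
    """A ticket is dead once it is used up OR has outlived its lifetime."""
    return ticket.uses >= max_uses or now_ms - ticket.created_ms >= ttl_ms


def validate(ticket, now_ms):
    """Model one validation call; a successful call consumes one use."""
    if is_expired(ticket, now_ms):
        return "expired"
    ticket.uses += 1
    return "ok"


def replay(validate_at_ms):
    """Issue a ticket at t=0 and validate it at each offset (constructed timings)."""
    ticket = ServiceTicket("ST-example", created_ms=0)  # placeholder id
    return [validate(ticket, t) for t in validate_at_ms]


if __name__ == "__main__":
    # Ticket copied by hand from the browser and validated 25 s after issue.
    print(replay([25_000]))
    # Service validates right away, then the same ticket is submitted again.
    print(replay([300, 600]))
```

With these settings a ticket pasted into a validation URL by hand will usually be past its lifetime, and a ticket that has already been validated once cannot be validated a second time, so the service should validate as soon as it receives the ticket.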
