CAS服务凭单验证失败 [英] CAS service ticket validate failed
问题描述
我已点击链接 http:// /lukesampson.com/post/315838839/cas-on-windows-localhost-setup-in-5-mins ,然后cas服务器正常工作,登录网址为 http://10.1.1.26:8080/login ,验证网址为 http://10.1.1.26:8080/serviceValidate 。
然后我像下面这样测试它:
- 致电 http://10.1.1.26:8080/login?service=http://10.1.1.9:8081/default.aspx
- 我明白了服务票证成功,例如ST-9-pJ5UDxqKIHP2zuN3JGe4-cas
- 然后我通过调用 http://10.1.1.26:8080/serviceValidate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx ,
- 不幸的是,它总是返回无效的票证,
我尝试cas 1.0验证网址, http://10.1.1.26:8080/validate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx ,但是返回否。
然后我生成一个证书文件并将其放入密钥库,然后我尝试使用 https://10.1.1.26:8443 ,但是,验证仍然失败。
I更改了cas log4j配置,以打印所有调试信息,下面是日志
2012-02-21 13:18: 36,371 DEBUG [org.springframework .web.servlet.DispatcherServlet
]-<名称为'cas'的DispatcherServlet处理[/ cas-server-w
ebapp-3.4.11 / serviceValidate]的GET请求
2012-02-21 13:18:36,381调试[org.springframework.webflow.mvc.servlet.FlowHandl
erMapping]-<找不到带有URI'/ cas-server-的请求的流映射webapp-3.4
.11 / serviceValidate'>
2012-02-21 13:18:36,381调试[org.springframework.web.servlet.handler.SimpleUrl
HandlerMapping]-<用手
ler将[/ serviceValidate]映射到HandlerExecutionChain [org.jasig.cas.web.ServiceValidateController@302a4b]和1个拦截器>
2012-02-21 13:18:36,381调试[org.springframework.web.servlet.DispatcherServlet
]-< [/ cas-server-webapp-3.4.11 / serviceValidate]是:-1>
2012-02-21 13:18:36,391信息[org.jasig.cas.CentralAuthenticationServiceImpl]-
< ServiceTicket [ST-1-pqIeCRqcafGBE6idoCcd-cas]已过期。
2012-02-21 13:18:36,391信息[com.github.inspektr.audit.support.Slf4jLoggingAudi
tTrailManager]-< Audit Trail record BEGIN
====== ================================================== =====
世界卫生组织:审计:未知
内容:ST-1-pqIeCRqcafGBE6idoCcd-cas
操作:SERVICE_TICKET_VALIDATE_FAILED
申请时间:CAS
时间:2月21日星期二13:18:36 EST 2012
客户端IP地址:10.1.1.9
服务器IP地址:10.1.1.26
================= ===========================================
我不理解,也不知道为什么来自其他帖子,我看到日志有类似写服务票到票务注册表,并检索服务票证,但是在我的日志中没有关于此的事
我不确定100%因为我看不到您的配置,但是日志显示了此信息
< ServiceTicket [ST-1-pqIeCRqcafGBE6idoCcd-cas]已过期。
这意味着票证已经过期。 CAS中存在一个名为 ticketExpirationPolicies.xml
的配置文件,其中包含票证的有效时间。在我的CAS版本中,服务票证的到期时间设置为10000毫秒。步骤1和步骤3之间的时间可能比文件中的到期设置长(当然),这可能与我的文件设置不同
<!-过期政策->
< bean id = serviceTicketExpirationPolicy class = org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy>
<!-此参数是票证在认为过期之前可以使用的次数。 ->
< constructor-arg
index = 0
value = 1 />
<!-此参数是故障单在其视为过期之前可以存在的时间。 ->
< constructor-arg
index = 1
value = 10000 />
< / bean>
< bean id = grantingTicketExpirationPolicy class = org.jasig.cas.ticket.support.TimeoutExpirationPolicy>
<!-此参数是故障单在其视为过期之前可以存在的时间。 ->
< constructor-arg
index = 0
value = 7200000 />
< / bean>
我认为您所遵循的教程的配置设置不完整。根据您尝试使用此CAS服务器实现的目标,您可能需要此处
I have followed a link http://lukesampson.com/post/315838839/cas-on-windows-localhost-setup-in-5-mins, then the cas server works correctly, the login url is http://10.1.1.26:8080/login, the validate url is http://10.1.1.26:8080/serviceValidate.
Then I tested it like below:
- call http://10.1.1.26:8080/login?service=http://10.1.1.9:8081/default.aspx
- I get the service ticket successfully, such as ST-9-pJ5UDxqKIHP2zuN3JGe4-cas
- then I validate the service ticket by calling http://10.1.1.26:8080/serviceValidate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx,
- unfortunately, it always return invalid ticket,
in order to fix it, I try cas 1.0 validate url, http://10.1.1.26:8080/validate?ticket=ST-9-pJ5UDxqKIHP2zuN3JGe4-cas&service=http://10.1.1.9:8081/default.aspx, but it return "no".
Then I generate a certificate file and put it into keystore, then I tried all the above steps by using https://10.1.1.26:8443, howevery, the validation was still failed.
I changed the cas log4j configuration, to print all debug information, and below is the log
2012-02-21 13:18:36,371 DEBUG [org.springframework.web.servlet.DispatcherServlet
] - <DispatcherServlet with name 'cas' processing GET request for [/cas-server-w
ebapp-3.4.11/serviceValidate]>
2012-02-21 13:18:36,381 DEBUG [org.springframework.webflow.mvc.servlet.FlowHandl
erMapping] - <No flow mapping found for request with URI '/cas-server-webapp-3.4
.11/serviceValidate'>
2012-02-21 13:18:36,381 DEBUG [org.springframework.web.servlet.handler.SimpleUrl
HandlerMapping] - <Mapping [/serviceValidate] to HandlerExecutionChain with hand
ler [org.jasig.cas.web.ServiceValidateController@302a4b] and 1 interceptor>
2012-02-21 13:18:36,381 DEBUG [org.springframework.web.servlet.DispatcherServlet
] - <Last-Modified value for [/cas-server-webapp-3.4.11/serviceValidate] is: -1>
2012-02-21 13:18:36,391 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] -
<ServiceTicket [ST-1-pqIeCRqcafGBE6idoCcd-cas] has expired.>
2012-02-21 13:18:36,391 INFO [com.github.inspektr.audit.support.Slf4jLoggingAudi
tTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-pqIeCRqcafGBE6idoCcd-cas
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Tue Feb 21 13:18:36 EST 2012
CLIENT IP ADDRESS: 10.1.1.9
SERVER IP ADDRESS: 10.1.1.26
=============================================================
What I don't understand and don't know why is from other post I saw log has something like " write service ticket to ticket registry, and retrieve service ticket ", but there is nothing about that in my log
I'm not 100% sure because I can't see your configuration, but the log says this
<ServiceTicket [ST-1-pqIeCRqcafGBE6idoCcd-cas] has expired.>
Which means that the ticket has already expired. There exists a config-file in CAS called ticketExpirationPolicies.xml
which contains the times a ticket is valid. In my CAS-version the expiration period for a service ticket is set to 10000ms. Maybe the time between you step 1 and 3 is longer than the expiration setting in your file (of course) which could differ from mine
<!-- Expiration policies -->
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
<!-- This argument is the number of times that a ticket can be used before its considered expired. -->
<constructor-arg
index="0"
value="1" />
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="1"
value="10000" />
</bean>
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="0"
value="7200000" />
</bean>
The tutorial that you follow in my opinion is not complete in its configuration settings. Depending on what you try to achieve with this CAS-server you could need some of the customization described here
这篇关于CAS服务凭单验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!