CAS：无法验证ProxyTicketValidator [英] CAS: Unable to validate ProxyTicketValidator

问题描述

我当前正在尝试设置CAS服务器，并使用它登录多个本地应用程序。

I'm currently trying to setup a CAS server and use it to login at several local applications.

Cas服务器（https）：localhost：8443（这是正常工作）

Cas Server(https): localhost:8443 (this is working correctly)

应用程序：本地主机：82

Application: localhost:82

当我进入本地主机：82时，它会立即重定向到本地主机：8443。当我尝试登录时，它返回到localhost：82 /？ticket = ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org，但显示此错误：

When i go to localhost:82, it instantly redirects to localhost:8443. When i try to login, it returns to localhost:82/?ticket=ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org, but it shows this error:

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/serviceValidate] ticket=[ST-5-oYvT4kciKnE3Ibx1CtRd-cas01.example.org] service=[http%3A%2F%2Flocalhost%3A82%2F] renew=false entireResponse=[
..(complete page's HTML code)..
]]]]
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)

当我尝试登录时，Tomcat在服务器日志中显示以下内容。这向我表明localhost：82已通过身份验证，对吧？

When I am trying to login, Tomcat shows the following in the server log. This indicates to me that localhost:82 is authenticated, right?

2015-04-03 09:22:40,544 INFO                     [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -   <AcceptUsersAuthenticationHandler successfully authenticated admin+password>
2015-04-03 09:22:40,544 INFO  [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated admin with credentials [admin+password].>
2015-04-03 09:22:40,544 INFO  [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail   record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [admin+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2015-04-03 09:22:40,545 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-3-I53UgV3LJICJLLtxgKcAIgSmLniIGCuPZsqWs0jLa146Secypw-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2015-04-03 09:22:40,546 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org] for service [http://localhost:82/] for user [admin]>
2015-04-03 09:22:40,546 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org for http://localhost:82/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2015-04-03 09:22:40,622 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org] for service [http://localhost:82/favicon.ico] for user [admin]>
2015-04-03 09:22:40,622 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org for http://localhost:82/favicon.ico
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

> 

我根据wiki.jasig.org/display/CASUM/Demo创建了SSL证书。我已经完成了
keytool -genkey -alias tomcat -keypass changeit -keyalg RSA （名字/姓氏=本地主机），
keytool -export -alias tomcat -keypass changeit-文件server.crt 和
keytool -import -file server.crt -keypass changeit -keystore ..＼ \jre\lib\security\cacerts

I created a SSL certificate according to wiki.jasig.org/display/CASUM/Demo. I have done keytool -genkey -alias tomcat -keypass changeit -keyalg RSA (with first/last name = localhost), keytool -export -alias tomcat -keypass changeit -file server.crt and keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts

在Tomcat server.xml中我添加了

And in the Tomcat server.xml i added

<Connector port="8443" maxHttpHeaderSize="8192"maxThreads="150" minSpareThreads="25" 
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="C:\workspace\.keystore"
keystorePass="changeit"
truststoreFile="C:/Program Files/Java/jdk1.7.0_76/jre/lib/security/cacerts" 
SSLEnabled="true" protocol="org.apache.coyote.http11.Http11Protocol" />

谁能给我一个线索，从哪里找到解决这个问题的方法？任何帮助，将不胜感激！

Can anyone give me a clue where to find the solution for this problem? Any help would be appreciated!

推荐答案

每当您请求带有pgtUrl的serviceValidate CAS都会尝试创建一个pgt并将其发送到您的pgtUrl。

Whenever you request serviceValidate with pgtUrl CAS will attempt to create a pgt and send it to your pgtUrl.

在此处签出演练。

如果您的应用程序在pgtUrl没有服务，CAS将记录这些错误。如果未在应用程序中实现代理票证，则不应使用pgtUrl作为参数进行请求。通常可以通过不设置代理回调URL来完成。

If your application does not have a service at pgtUrl CAS will log these errors. If you are not implementing proxy ticketing in your application then you should not make requests with pgtUrl as a parameter. This can usually be done by not setting a proxy callback url.

如果要实现代理票证，则回调必须为https URL。然后，您可以使用参数获取代理凭单。

If you are implementing proxy ticketing then the callback needs to be an https URL. You can then use the parameters to get the proxy ticket.

在我的情况下，我在grails中使用spring-security-cas插件。该文档建议设置 cas.proxyCallbackUrl 和 cas.proxyReceptorUrl ，但是当设置这些时，CAS日志充满错误。我发现设置了pgtUrl是因为已配置。一旦删除此配置，错误就会消失。

In my case I was using the spring-security-cas plugin in grails. The documentation recommends to set cas.proxyCallbackUrl and cas.proxyReceptorUrl, but when these are set the CAS log filled with errors. I found out that pgtUrl was set because the configuration was set. Once I removed this configuration the errors went away.

我建议不要将pgtUrl发送到serviceValidate并查看错误是否消失。

I recommend not sending pgtUrl to serviceValidate and see if the error goes away.

这篇关于CAS：无法验证ProxyTicketValidator的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！