CAS server cross subdomain ST ticket


Problem description

I have my own Jasig CAS server:

https://cas.example.com

Also, I have two subdomains (applications) connected to this CAS server, for example:

https://ui.example.com
https://api.example.com

I can successfully create an ST ticket for https://ui.example.com with the following request:

https://cas.example.com/login?service=https://ui.example.com

Response:

https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/

But I am unable to use this ticket for https://api.example.com:

https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com

The following error appears:

access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n            Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account

This is my service configuration:

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "^(http?|https?)://.*example.com/.*",
  "name" : "example.com dev",
  "theme" : "example",
  "id" : 20000002,
  "description" : "example.com dev environment",
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^(http?|https?)://.*example.com/.*"
  },
  "evaluationOrder" : 2,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

Is it possible to issue one ST ticket that will be accepted by both of these subdomains, https://ui.example.com and https://api.example.com?

Recommended answer

It is impossible with Jasig CAS
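
The behaviour behind the error in the question, as an added example that is not part of the original question or answer and is not Jasig CAS code: a simplified Python model in which a service ticket is bound to the service URL it was issued for and is consumed on its first validation attempt. The `ToyCas` class, its method names and the user `alice` are assumptions made for illustration; it also goes one step beyond the answer by showing that the same SSO session can be issued a second ticket for the other service.

```python
import re
import secrets

# Registered-service pattern copied from the serviceId in the question.
SERVICE_ID = re.compile(r"^(http?|https?)://.*example.com/.*")

class ToyCas:
    """Simplified model of CAS ticket handling (hypothetical, not Jasig CAS code)."""

    def __init__(self):
        self._sessions = {}  # TGT id -> user (the SSO session)
        self._tickets = {}   # ST id  -> (service URL it was issued for, user)

    def login(self, user):
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._sessions[tgt] = user
        return tgt

    def grant_service_ticket(self, tgt, service):
        # The registry pattern only decides whether a service may use CAS at all.
        if not SERVICE_ID.match(service):
            raise PermissionError("service not registered: " + service)
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (service, self._sessions[tgt])
        return st

    def validate(self, ticket, service):
        # Single use: the ticket is consumed by the first validation attempt.
        original, user = self._tickets.pop(ticket, (None, None))
        if original is None:
            return None, "ticket not recognized"
        if original != service:
            return None, ("does not match supplied service. The original service "
                          "was %r and the supplied service was %r" % (original, service))
        return user, "ok"

def demo():
    cas = ToyCas()
    tgt = cas.login("alice")  # constructed user
    ui = "https://ui.example.com/"
    api = "https://api.example.com/api/v1.0/account"
    st_ui = cas.grant_service_ticket(tgt, ui)
    cross = cas.validate(st_ui, api)      # ui ticket presented by api: rejected
    reuse = cas.validate(st_ui, ui)       # already consumed by the attempt above
    st_api = cas.grant_service_ticket(tgt, api)
    fresh = cas.validate(st_api, api)     # ticket issued for api itself: accepted
    return cross, reuse, fresh
```

Both URLs match the registered `serviceId` pattern, so the rejection comes from the per-ticket service binding, not from the service registry.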
