Spring - CAS 3.5.2 audit failed
I am a new hand at CAS. I downloaded cas-server-3.5.2 and cas-client-3.2.1, then deployed the CAS server on Tomcat 6 and 7. I changed the configuration in deployerConfigContext.xml and other files to disable SSL and enable a MySQL DB. When I open the CAS server page http://pc-name:8080/cas/login, I can sign in correctly. When I want to sign on to http://pc-name:8080/cas/services, it prompts: access denied: UsernameNotFoundException::y2

Then I integrated CAS into a Java webapp with shiro-cas. It can be redirected to the login page as follows:

http://pc-name:8080/cas/login?service=http://pc-name:8080/grsp/shiro-cas

The following is displayed in the console, and I am redirected to an error page. How can this be fixed up?
```text
2013-05-19 17:09:30,443 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler authenticated [username: y2]>
2013-05-19 17:09:30,458 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal y2>
2013-05-19 17:09:30,458 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@13abee1 authenticated y2 with credential [username: y2].>
2013-05-19 17:09:30,458 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: y2]
WHAT: supplied credentials: [username: y2]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Sun May 19 17:09:30 CST 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
>
2013-05-19 17:09:30,458 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: y2]
WHAT: TGT-4-b0zkj9xcuurqmkirvdb1ugbpkiqztzp7f0sxamotrdeyfagieo-yeyz-pc
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun May 19 17:09:30 CST 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
>
2013-05-19 17:09:30,458 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-7-9c3dcdatknxa0fc1zf6d-yeyz-pc] for service [http://yeyz-pc:8080/grsp/shiro-cas] for user [y2]>
2013-05-19 17:09:30,458 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: y2
WHAT: ST-7-9c3dcdatknxa0fc1zf6d-yeyz-pc for http://yeyz-pc:8080/grsp/shiro-cas
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sun May 19 17:09:30 CST 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
>
2013-05-19 17:09:30,522 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-7-9c3dcdatknxa0fc1zf6d-yeyz-pc] with service [http://yeyz-pc:8080/grsp/shiro-cas does not match supplied service [http://yeyc-pc:8080/grsp/shiro-cas]>
2013-05-19 17:09:30,522 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-7-9c3dcdatknxa0fc1zf6d-yeyz-pc
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Sun May 19 17:09:30 CST 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
>
```
My deployerConfigContext.xml is as follows:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed to Jasig under one or more contributor license agreements. See the NOTICE file
    distributed with this work for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License. You may obtain a copy
    of the License at the following location:

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software distributed under
    the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied. See the License for the specific language governing
    permissions and limitations under the License.
-->
<!--
| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
| all CAS deployers will need to modify.
|
| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
| The beans declared in this file are instantiated at context initialization time by the Spring
| ContextLoaderListener declared in web.xml. It finds this file because this file is among
| those declared in the context parameter "contextConfigLocation".
|
| By far the most common change you will need to make in this file is to change the last bean
| declaration to replace the default SimpleTestUsernamePasswordAuthenticationHandler with
| one implementing your approach for authenticating usernames and passwords.
+-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!--
    | This bean declares our AuthenticationManager. The CentralAuthenticationService service bean
    | declared in applicationContext.xml picks up this AuthenticationManager by reference to its id,
    | "authenticationManager". Most deployers will be able to use the default AuthenticationManager
    | implementation and so do not need to change the class of this bean. We include the whole
    | AuthenticationManager here in the userConfigContext.xml so that you can see the things you will
    | need to change in context.
    +-->
    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password.
             This switch effectively turns on clearpass.
        <property name="authenticationMetaDataPopulators">
            <list>
                <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator">
                    <constructor-arg index="0" ref="credentialsCache" />
                </bean>
            </list>
        </property>
        -->

        <!--
        | This is the List of CredentialToPrincipalResolvers that identify what Principal is trying to authenticate.
        | The AuthenticationManagerImpl considers them in order, finding a CredentialToPrincipalResolver which
        | supports the presented credentials.
        |
        | AuthenticationManagerImpl uses these resolvers for two purposes. First, it uses them to identify the Principal
        | attempting to authenticate to CAS /login. In the default configuration, it is the DefaultCredentialsToPrincipalResolver
        | that fills this role. If you are using some other kind of credentials than UsernamePasswordCredentials, you will need
        | to replace DefaultCredentialsToPrincipalResolver with a CredentialsToPrincipalResolver that supports the credentials
        | you are using.
        |
        | Second, AuthenticationManagerImpl uses these resolvers to identify a service requesting a proxy granting ticket.
        | In the default configuration, it is the HttpBasedServiceCredentialsToPrincipalResolver that serves this purpose.
        | You will need to change this list if you are identifying services by something more or other than their callback URL.
        +-->
        <property name="credentialsToPrincipalResolvers">
            <list>
                <!--
                | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login
                | by default and produces SimplePrincipal instances conveying the username from the credentials.
                |
                | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also
                | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver
                | that supports the Credentials you are using.
                +-->
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver">
                    <property name="attributeRepository" ref="attributeRepository" />
                </bean>
                <!--
                | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of
                | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a
                | SimpleService identified by that callback URL.
                |
                | If you are representing services by something more or other than an HTTPS URL whereat they are able to
                | receive a proxy callback, you will need to change this bean declaration (or add additional declarations).
                +-->
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>

        <!--
        | Whereas CredentialsToPrincipalResolvers identify who it is some Credentials might authenticate,
        | AuthenticationHandlers actually authenticate credentials. Here we declare the AuthenticationHandlers that
        | authenticate the Principals that the CredentialsToPrincipalResolvers identified. CAS will try these handlers in turn
        | until it finds one that both supports the Credentials presented and succeeds in authenticating.
        +-->
        <property name="authenticationHandlers">
            <list>
                <!--
                | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
                | a server side SSL certificate.
                +-->
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                      p:httpClient-ref="httpClient" p:requireSecure="false" />
                <!--
                | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
                | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
                | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements
                | your local authentication strategy. You might accomplish this by coding a new such handler and declaring
                | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
                +-->
                <!-- yyz: commented it out.
                <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
                -->
                <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
                    <property name="dataSource" ref="casDataSource" />
                    <property name="sql" value="select pwd from user where username = ?" />
                    <!-- encrypt pwd
                    <property name="passwordEncoder" ref="passwordEncoder" />
                    -->
                </bean>
            </list>
        </property>
    </bean>

    <!--
    This bean defines the security roles for the Services Management application. Simple deployments can use the in-memory version.
    More robust deployments will want to use another option, such as the JDBC version.
    The name of this should remain "userDetailsService" in order for Spring Security to find it.
    -->
    <!-- <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" /> -->
    <sec:user-service id="userDetailsService">
        <sec:user name="@@THIS SHOULD BE REPLACED@@" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <!-- yyz: added to support a DB data source -->
    <bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
        <property name="url"><value>jdbc:mysql://localhost/test</value></property>
        <property name="username"><value>test</value></property>
        <property name="password"><value>test</value></property>
    </bean>
    <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
        <property name="url"><value>jdbc:mysql://localhost/test</value></property>
        <property name="username"><value>test</value></property>
        <property name="password"><value>test</value></property>
    </bean>
    <!-- none: <bean class="org.jasig.cas.authentication.handler.Md5PasswordEncoder" /> MD5 -->
    <bean id="passwordEncoder" class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder">
        <constructor-arg index="0" value="SHA" />
    </bean>
    <!-- end yyz -->

    <!-- yyz comment; see:
         http://www.blogjava.net/tufanshu/archive/2011/01/21/343290.html
         http://stackoverflow.com/questions/4882298/getting-more-attributes-from-cas-than-just-user-id
    This bean defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation
    may go against a database or LDAP server. The id should remain "attributeRepository" though.
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>
    -->
    <bean id="attributeRepository" class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
        <constructor-arg index="0" ref="casDataSource" />
        <!-- <constructor-arg index="1" value="select id as uid, pwd as ph from user where username=?" /> -->
        <constructor-arg index="1" value="select * from user {0}" />
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="username" />
            </map>
        </property>
        <property name="resultAttributeMapping">
            <map>
                <entry key="id" value="uid" />
                <entry key="pwd" value="ph" />
                <!-- <entry key="id" value="userId" /> -->
                <entry key="username" value="username" />
            </map>
        </property>
    </bean>

    <!-- yyz: commented according to https://wiki.jasig.org/display/CASUM/Configuring
    Sample, in-memory data store for the ServiceRegistry. A real implementation
    would probably want to replace this with the JPA-backed ServiceRegistry DAO.
    The name of this bean should remain "serviceRegistryDao". -->
    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP and IMAP" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
                    <property name="serviceId" value="^(https?|imaps?)://.*" />
                    <property name="evaluationOrder" value="10000001" />
                </bean>
                <!--
                Use the following definition instead of the above to further restrict access
                to services within your domain (including subdomains).
                Note that example.com must be replaced with the domain you wish to permit.
                -->
                <!--
                <bean class="org.jasig.cas.services.RegexRegisteredService">
                    <property name="id" value="1" />
                    <property name="name" value="HTTP and IMAP on example.com" />
                    <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
                    <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
                    <property name="evaluationOrder" value="0" />
                </bean>
                -->
            </list>
        </property>
    </bean>

    <!-- yyz: added to replace the above (whole block commented out)
    <bean id="serviceRegistryDao" class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
          p:entityManagerFactory-ref="entityManagerFactory" />
    <bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
        <property name="dataSource" ref="dataSource" />
        <property name="jpaVendorAdapter">
            <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
                <property name="generateDdl" value="true" />
                <property name="showSql" value="true" />
            </bean>
        </property>
        <property name="jpaProperties">
            <props>
                <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
                <prop key="hibernate.hbm2ddl.auto">update</prop>
            </props>
        </property>
    </bean>
    <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
        <property name="entityManagerFactory" ref="entityManagerFactory" />
    </bean>
    <tx:annotation-driven transaction-manager="transactionManager" />
    yyz added end -->
</beans>
```
Your service ticket fails validation because there is an error in your configuration such that the host names are different in the service IDs. If you look at the log entry:

    [http://yeyz-pc:8080/grsp/shiro-cas does not match supplied service [http://yeyc-pc:8080/grsp/shiro-cas]

the first host is yeyz-pc and the second host is yeyc-pc.

One host has a "z" and one has a "c".
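As an added illustration (not part of the question or the answer above, and not CAS project code), the following Python sketch models the check that produced the ERROR line in the log: a service ticket is bound to the exact service URL presented at `/login`, and the URL presented at validation must match it. The `TicketRegistry` class, the `explain_mismatch` helper and the way it splits the URL are assumptions of this example; only the two service URLs and the ticket id come from the question.

```python
"""Added example: a toy model of CAS service-ticket binding plus a helper that
explains a "does not match supplied service" log line.  Class and function names
here are made up for illustration and are not CAS APIs.
"""
import re
import secrets
from urllib.parse import urlsplit


class ServiceMismatch(Exception):
    """Raised when a ticket is validated for a service it was not granted to."""


class TicketRegistry:
    """Toy stand-in for the CAS ticket registry: maps an ST id to the service it was granted for."""

    def __init__(self):
        self._tickets = {}

    def grant_service_ticket(self, service):
        """Mimic /login?service=...: bind a one-time ST to the service string as presented."""
        st = "ST-" + secrets.token_urlsafe(12)
        self._tickets[st] = service
        return st

    def validate_service_ticket(self, st, supplied_service):
        """Mimic /serviceValidate?ticket=...&service=...: the supplied service must equal the
        one the ticket was granted for.  The ticket is consumed whether or not it matches, so a
        mismatch cannot be retried with the same ST."""
        granted = self._tickets.pop(st, None)
        if granted is None:
            raise KeyError("ticket not found or already used: %s" % st)
        if granted != supplied_service:
            raise ServiceMismatch(
                "ServiceTicket [%s] with service [%s] does not match supplied service [%s]"
                % (st, granted, supplied_service))
        return True


# Matches the CAS error text; the closing bracket after the first URL is optional because the
# line quoted in the question lacks it.
LOG_RE = re.compile(
    r"ServiceTicket \[(?P<ticket>[^\]]+)\] with service \[(?P<granted>[^\s\]]+)\]? "
    r"does not match supplied service \[(?P<supplied>[^\]]+)\]")

# The ERROR line from the question, with the anonymisation spaces after "http://" removed.
SAMPLE_LOG = ("2013-05-19 17:09:30,522 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - "
              "<ServiceTicket [ST-7-9c3dcdatknxa0fc1zf6d-yeyz-pc] with service "
              "[http://yeyz-pc:8080/grsp/shiro-cas does not match supplied service "
              "[http://yeyc-pc:8080/grsp/shiro-cas]>")


def explain_mismatch(log_line):
    """Pull both service URLs out of the error line and name the URL components that differ.
    Returns None if the line is not a service-mismatch error."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    granted, supplied = urlsplit(m["granted"]), urlsplit(m["supplied"])
    differing = [part for part in ("scheme", "hostname", "port", "path", "query")
                 if getattr(granted, part) != getattr(supplied, part)]
    return {"ticket": m["ticket"], "granted": m["granted"],
            "supplied": m["supplied"], "differs_in": differing}


def demo():
    """Replay the question's scenario: login binds the ST to yeyz-pc, validation supplies yeyc-pc."""
    registry = TicketRegistry()
    login_service = "http://yeyz-pc:8080/grsp/shiro-cas"
    st = registry.grant_service_ticket(login_service)
    try:
        registry.validate_service_ticket(st, "http://yeyc-pc:8080/grsp/shiro-cas")
    except ServiceMismatch as err:
        return explain_mismatch(str(err))
    return None


if __name__ == "__main__":
    print(demo())
    print(explain_mismatch(SAMPLE_LOG))
```

The practical point for the defender reading the log is that the comparison is on the service URL as a string, so the client must send exactly the same value on validation as it did on login; here the two hosts differ by one letter, which `explain_mismatch` reports as `differs_in: ['hostname']`.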