
I want to use the REST protocol in my service. To do that I enabled the REST protocol and tried to obtain a TGT. Also, all the examples are based on the generic service registration, which I do not want in my prod environment.

This is the generic service registry example that should not be used in a prod environment, and I am not using it in my environment:

{
  /*
    Generic service definition that applies to https/imaps urls
    that wish to register with CAS for authentication.
  */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001
}

Instead, I have the following one:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  // this service will match all the requests contains test in the request url
  "serviceId": "^https?:\\/\\/.*test($|\\/).*$",
  "name": "Test",
  "id": 1,
  "description": "Test service",
  "evaluationOrder": 2,
  "requiredHandlers": [
    "java.util.HashSet",
    [
      "TestHandler"
    ]
  ],
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "properties": {
    "@class": "java.util.HashMap",
    "jwtAsServiceTicket": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "true"
        ]
      ]
    }
  }
}

I cannot request a ticket-granting ticket following the instructions here:

POST /cas/v1/tickets HTTP/1.0
'Content-type': 'Application/x-www-form-urlencoded'
username=battags&password=password&additionalParam1=paramvalue

I get the following exception:

Unauthorized Service Access. Service [] is not found in service registry

When I debug the code I can see that the TGT is created and my registered service works fine. The exception is thrown because of the CAS server's registered-service check in JWTBuilder:

    val registeredService = payload.getRegisteredService() == null
        ? locateRegisteredService(serviceAudience)
        : payload.getRegisteredService();
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);

Here CAS tries to check whether service access is allowed. payload.getRegisteredService returns null, so locateRegisteredService is called with serviceAudience, and then ensureServiceAccessIsAllowed throws the exception.

The problem is that serviceAudience is always populated with the CAS server prefix, which means there must be a service definition that matches the CAS server prefix. When I enable the generic service definition, all the examples work, but when I remove it the TGT is not returned because of the check above.

Any ideas or solutions? I do not want everyone to be able to create a TGT. I could add a service definition that matches only the CAS prefix, but first it would be good to know whether I am missing something or whether this is a bug.

My CAS version: 6.1.0

My configuration:

server.port=8095
server.servlet.context-path=/bouncer
cas.authn.policy.any.tryAll=false
cas.authn.policy.any.enabled=true
cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.json.location=file:/services

My build:

<build>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-war-plugin</artifactId>
            <version>${maven-war-plugin.version}</version>
            <configuration>
                <warName>${project.artifactId}</warName>
                <failOnMissingWebXml>false</failOnMissingWebXml>
                <recompressZippedFiles>false</recompressZippedFiles>
                <archive>
                    <compress>false</compress>
                    <manifestFile>${manifestFileToUse}</manifestFile>
                </archive>
                <overlays>
                    <overlay>
                        <groupId>org.apereo.cas</groupId>
                        <artifactId>cas-server-webapp${app.server}</artifactId>
                        <excludes>
                            <exclude>WEB-INF/lib/log4j-api-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-jcl-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-jul-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-slf4j18-impl-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/log4j-web-2.12.1.jar</exclude>
                            <exclude>WEB-INF/lib/slf4j-api-1.8.0-beta4.jar</exclude>
                        </excludes>
                    </overlay>
                </overlays>
            </configuration>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-compiler-plugin</artifactId>
            <version>${maven-compiler-plugin.version}</version>
        </plugin>
    </plugins>
    <finalName>${project.artifactId}.jar</finalName>
</build>

<dependencies>
            <!--START: Extend CAS as WebApp-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-webapp${app.server}</artifactId>
                <version>${cas.version}</version>
                <type>war</type>
                <scope>runtime</scope>
            </dependency>
            <!--END-->

            <!--START: Logback Gelf(Graylog Extended Log Format) integration-->
            <dependency>
                <groupId>de.siegmar</groupId>
                <artifactId>logback-gelf</artifactId>
                <version>${logback-gelf.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-classic</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-core</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Java 11 integration problems, use older logback and slf4j until it is supported-->
            <dependency>
                <groupId>ch.qos.logback</groupId>
                <artifactId>logback-classic</artifactId>
                <version>${logback-classic.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <dependency>
                <groupId>org.slf4j</groupId>
                <artifactId>slf4j-api</artifactId>
                <version>${slf4j-api.version}</version>
            </dependency>
            <!--END-->

            <!-- TODO: Problem The following two deps are needed for sending traces to zipkin -->
            <!-- Problem: https://github.com/spring-cloud/spring-cloud-sleuth/issues/1193 -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-sleuth</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <!--this one is needed, because else an exception will be thrown caused
               by: java.lang.NoClassDefFoundError: com/netflix/servo/monitor/Monitors-->
            <dependency>
                <groupId>com.netflix.servo</groupId>
                <artifactId>servo-core</artifactId>
                <version>${servo-core.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <!-- START: Support JWT/CAS Protocol: https://apereo.github.io/cas/6.0.x/installation/Configure-ServiceTicket-JWT.html -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-token-tickets</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!-- START: REST Endpoints enabled for cli authentications -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-rest-tokens</artifactId>
                <version>${cas.version}</version>

                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!-- START: JSON Service Registry Enabled -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-json-service-registry</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>javax.el</groupId>
                        <artifactId>el-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: OIDC Protocol enabled-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-oidc</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Enable consul client -->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-consul-client</artifactId>
                <version>${cas-server-support-consul-client.version}</version>

                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Enable Custom Authentication for CAS: https://apereo.github.io/cas/6.0.x/installation/Configuring-Custom-Authentication.html-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-core-authentication-api</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-core-api-configuration-model</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>

            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-core-web-api</artifactId>
                <version>${cas.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

            <!--START: Enable Logback Support: https://apereo.github.io/cas/6.0.x/logging/Logging-Logback.html#logback-logging-->
            <dependency>
                <groupId>org.apereo.cas</groupId>
                <artifactId>cas-server-support-logback</artifactId>
                <version>${cas.version}</version>

                <exclusions>
                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-classic</artifactId>
                    </exclusion>

                    <exclusion>
                        <groupId>ch.qos.logback</groupId>
                        <artifactId>logback-core</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>org.slf4j</groupId>
                        <artifactId>slf4j-api</artifactId>
                    </exclusion>
                    <!-- NotNull annotation comes from this package conflicts with hibarnate for ConsulProperties class-->
                    <exclusion>
                        <groupId>edu.washington.cs.types.checker</groupId>
                        <artifactId>checker-framework</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <!--END-->

        </dependencies>

1 Answer


Any ideas or solutions? I do not want everyone to be able to create a TGT. I could add a service definition that matches only the CAS prefix, but first it would be good to know whether I am missing something or whether this is a bug.

You have not missed anything. This sounds like a bug to me. As a workaround I am now going to add a service definition that matches the CAS prefix.

It sounds like this problem may only show up because you are using this:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-token-tickets</artifactId>
    <version>${cas.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </exclusion>
    </exclusions>
</dependency>

If you do not need this, you can remove it to get rid of the problem. Otherwise, for now, you should apply the workaround of adding a service definition that matches only the CAS prefix.

PS: You could try switching to 6.1.2, but I do not think it will make a difference in this case; switching is a good idea anyway.

answered 2019-12-18T14:37:03.190
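The registry lookup the question describes (locate a service for the audience, then check that one was found) and the prefix-only workaround the answer proposes, as an added Python example that is not from the question, the answer or CAS itself. The server prefix, hostname and the "CAS server prefix" definition are assumptions; the page only gives port 8095 and context path /bouncer.

```python
import re

# Assumed CAS server prefix (the page sets server.port=8095 and
# server.servlet.context-path=/bouncer; the hostname is made up).
CAS_SERVER_PREFIX = "https://cas.example.com:8095/bouncer"

# Constructed definitions in the shape of the page's JSON service registry entries.
# The generic one from the CAS docs: matches every https/imaps URL.
GENERIC_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(https|imaps)://.*",
    "name": "HTTPS and IMAPS",
    "id": 10000001,
    "evaluationOrder": 10000,
}

# The questioner's own "Test" service (same serviceId regex as on the page).
TEST_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https?:\\/\\/.*test($|\\/).*$",
    "name": "Test",
    "id": 1,
    "evaluationOrder": 2,
}

# Assumed workaround: anchored to the server prefix, so it does not cover
# arbitrary hosts the way the generic definition does.
PREFIX_ONLY_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^" + re.escape(CAS_SERVER_PREFIX) + "(/.*)?$",
    "name": "CAS server prefix",
    "id": 2,
    "evaluationOrder": 1,
}


def find_registered_service(services, service_url):
    """Regex registry lookup: lowest evaluationOrder first, first match wins."""
    for svc in sorted(services, key=lambda s: s.get("evaluationOrder", 0)):
        if re.match(svc["serviceId"], service_url):
            return svc
    return None


def ensure_service_access_is_allowed(services, audience):
    """Models the JWTBuilder check: no matching service means access is refused."""
    svc = find_registered_service(services, audience)
    if svc is None:
        raise PermissionError(
            f"Unauthorized Service Access. Service [{audience}] is not found in service registry")
    return svc["name"]
```

With only the "Test" definition the audience (the server prefix) matches nothing, which is the exception from the question; the prefix-only definition satisfies the check without opening the registry to every https URL.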