我们正在尝试将现有的Web应用程序从Spring 2.x升级到Spring 3,并相信我们已经处于最后一个问题,然后才能再次运行。我们使用CAS,并且可以访问JASIG CAS登录,但是当我们登录时它会出现404错误。我们的服务器管理员从CAS服务器拉出Catalina日志并且它表明登录成功并且它正在返回到申请。但是在tomcat服务器的调试输出中,它表示匿名用户拒绝访问,我不是。
Web.xml代码段
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
的applicationContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<import resource="classpath:edu/umt/brp/spring/run-env.xml"/>
<!-- NEW SECURITY (Begin) -->
<security:http access-denied-page="/myAccessDeniedPage" entry-point-ref="casProcessingFilterEntryPoint">
<security:port-mappings>
<!--<security:port-mapping http="8080" https="8081"/> -->
<security:port-mapping http="8080" https="443"/>
</security:port-mappings>
<security:intercept-url pattern="/infoGriz.html*" access="ROLE_EMPLOYEE" />
<security:intercept-url pattern="/**/frameset**" access="ROLE_EMPLOYEE" />
<!-- <security:logout logout-url="/logout" logout-success-url="https://logintest.umt.edu/cas/logout" invalidate-session="true"/> -->
<!-- next line may fix problem -->
<security:logout logout-url="/logout" logout-success-url="${casLogoutUrl}" invalidate-session="true"/>
</security:http>
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="casAuthenticationProvider" />
</security:authentication-manager>
<security:ldap-server id="ldapServer" url="${ldapUrl}"/>
<bean id="userService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<constructor-arg>
<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value="cn=users,dc=umt,dc=edu"/>
<constructor-arg index="1" value="(uid={0})"/>
<constructor-arg index="2" ref="ldapServer" />
</bean>
</constructor-arg>
<constructor-arg>
<bean class="edu.umt.brp.security.AuthoritiesPopulator">
<constructor-arg ref="ldapServer" />
<constructor-arg value="cn=groups,dc=umt,dc=edu" />
<property name="groupSearchFilter" value="(uniqueMember={0})"/>
<property name="searchSubtree" value="true"/>
<property name="grouperServiceUrl" value="${grouperServiceUrl}"/>
<property name="grouperUser" value="${grouperUser}"/>
<property name="grouperPass" value="${grouperPass}"/>
</bean>
</constructor-arg>
<property name="userDetailsMapper">
<bean class="org.springframework.security.ldap.userdetails.PersonContextMapper"/>
</property>
</bean>
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="${applicationHost}/infoGriz/j_spring_cas_security_check"/>
<property name="sendRenew" value="false"/>
</bean>
<bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="http://www.google.com"/>
</bean>
</property>
</bean>
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${casLoginUrl}"/>
<property name="serviceProperties" ref="serviceProperties"/>
</bean>
<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" >
<property name="userDetailsService" ref="userService"/>
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="${casValidateUrl}" />
</bean>
</property>
<property name="key" value="an_id_for_this_auth_provider_only"/>
</bean>
<!-- NEW SECURITY (End) -->
我们有另一个已经在Spring 3上的Web应用程序,以及我们用作模型的spring security 3.0.2,但两者之间似乎没有任何不同。如果有任何其他文件有帮助,请告诉我。
谢谢,
伊恩
答案 0 :(得分:0)
基于Spring Security 3 reference,您还需要将 CAS身份验证过滤器添加到安全配置中:
<security:http ... >
<security:custom-filter position="CAS_FILTER" ref="casProcessingFilter" />
</security:http>
我的问题是/infoGriz.html*和/infoGriz/j_spring_cas_security_check之间的关系是什么?如果您希望intercept-url标记捕获第二个标记,则不会![/ p>
答案 1 :(得分:-1)
如果您使用的是Spring Security 4,请将其添加到xml
<csrf disabled="true"/>