Date: 2014-05-17

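Yale CAS single sign-on problem.
The CAS server is configured on localhost. If the CAS client is also configured on localhost, everything works. But when the CAS client is configured on another machine (with the certificate imported into the client's JVM), after I enter the username and password on the authentication page and the submission is accepted, an error occurs, i.e. it does not redirect back to the original page. I tried various approaches (using the IP as the certificate name, creating two certificates for the client and the server, also opening port 8443 on the client-side Tomcat, and others), but it still throws the following error: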

严重: Servlet.service() for servlet jsp threw exception 
edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://192.168.3.99:8443/cas/proxyValidate] ticket=[ST-2-TCtDXiiXy7DanHIDz5RgKadIbmjXYcjeblW-20] service=[http%3A%2F%2F192.168.3.121%2Fcas%2Fdm20.jsp] renew=false]]] 
  at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52) 
  at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455) 
  at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378) 
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) 
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) 
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) 
  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) 
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) 
  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) 
  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541) 
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) 
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) 
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869) 
  at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664) 
  at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) 
  at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80) 
  at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684) 
  at java.lang.Thread.run(Thread.java:595) 
Caused by: java.io.IOException: HTTPS hostname wrong: should be <192.168.3.99> 
  at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:490) 
  at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415) 
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170) 
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913) 
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234) 
  at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84) 
  at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212) 
  at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50) 

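Someone online described a solution to this problem:
It is thrown inside the client, when we do not use the certificate's CN as the host name to access the server (for example, in what follows access is by IP, and the certificate's CN is the domain name corresponding to that IP rather than the IP itself). The CAS client cannot trust it, because your certificate's CN is written as abc.com,1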
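
An added example (not part of the original post and not CAS client code) of the host-name check behind "HTTPS hostname wrong", following the RFC 2818 matching rules in simplified form. The certificate dicts are constructed in the shape of Python's `ssl.getpeercert()`, and the by-name URL is an assumption built from the abc.com name in the quoted explanation.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates (shape of ssl.getpeercert()), not taken from the post.
CN_ONLY = {"subject": ((("commonName", "abc.com"),),)}
IP_AS_CN = {"subject": ((("commonName", "192.168.3.99"),),)}
WITH_IP_SAN = {"subject": ((("commonName", "abc.com"),),),
               "subjectAltName": (("DNS", "abc.com"), ("IP Address", "192.168.3.99"))}
URL_BY_IP = "https://192.168.3.99:8443/cas/proxyValidate"   # casValidateUrl from the trace
URL_BY_NAME = "https://abc.com:8443/cas/proxyValidate"      # assumed by-name variant

def cert_names(cert):
    """Return (dns_sans, ip_sans, common_names) from a getpeercert()-style dict."""
    sans = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in sans if k == "DNS"]
    ips = [v for k, v in sans if k == "IP Address"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def dns_match(pattern, host):
    """Exact match, or a '*' standing for the whole left-most label only."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_validate_url(validate_url, cert):
    """Return (ok, reason) for the host in validate_url against cert."""
    host = urlsplit(validate_url).hostname
    dns, ips, cns = cert_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal in the URL: only an iPAddress SAN counts, never the CN.
        ok = any(ipaddress.ip_address(s) == ip for s in ips)
        return ok, "iPAddress SAN match" if ok else f"no iPAddress SAN for {host}"
    candidates = dns if dns else cns  # CN is used only when no dNSName SAN exists
    ok = any(dns_match(c, host) for c in candidates)
    return ok, "name match" if ok else f"{host} not in {candidates}"

if __name__ == "__main__":
    for url in (URL_BY_IP, URL_BY_NAME):
        for label, cert in (("CN only", CN_ONLY), ("IP as CN", IP_AS_CN),
                            ("IP SAN", WITH_IP_SAN)):
            print(url, label, check_validate_url(url, cert))
```

Under these rules the check passes only when the host in the validate URL is the name the certificate carries, or when the certificate carries that IP as an iPAddress subjectAltName; disabling host-name verification in the client is not needed for either fix.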