0
我有自己的Jasig CAS服務器:CAS服務器跨子域ST票
https://cas.example.com
而且,我有兩個子域(應用程序)連接到該CAS服務器,例如:
https://ui.example.com
https://api.example.com
我可以成功創建ST票https://ui.example.com有以下要求:
https://cas.example.com/login?service=https://ui.example.com
響應:
https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/
,但我無法使用此票爲https://api.example.com
https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com
有以下錯誤:
access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account
這是我的服務配置:
{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "^(http?|https?)://.*example.com/.*",
"name" : "example.com dev
"theme" : example
"id" : 20000002,
"description" : "example.com dev environment",
"proxyPolicy" : {
"@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
"pattern" : "^(http?|https?)://.*example.com/.*"
},
"evaluationOrder" : 2,
"usernameAttributeProvider" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
},
"logoutType" : "BACK_CHANNEL",
"attributeReleasePolicy" : {
"@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
"principalAttributesRepository" : {
"@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
},
"authorizedToReleaseCredentialPassword" : false,
"authorizedToReleaseProxyGrantingTicket" : false
},
"accessStrategy" : {
"@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true
}
}
是否有可能發行一張ST票將被這兩個子域名https://ui.example.com和https://api.example.com接受?
你可以支持任何東西嗎? – NathanOliver
我在Jasig CAS Google小組提出了同樣的問題,答案是 - 我需要使用PT代替ST,但這不是我的情況。 – alexanoid