单点登录TicketValidationException

Question

我创建的服务器和客户端，客户端没有配置虚拟目录“/ EIP”，可以正常使用;如果用一个虚拟目录配置会出现以下问题：

服务器错误消息

 

ERROR org.jasig.cas.CentralAuthenticationServiceImpl 
-ServiceTicket ST-11-SLvleOutvxi7VEy53Q07-cas01.example.org with service 
http://localhost:9999/eip/eip/ 
does not match supplied service 
http://localhost:9999/eip/eip/eip/ 

客户端错误消息

 
2014-01-25 15:52:56,799 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - 
org.jasig.cas.client.validation.TicketValidationException: 
     XXX'ST-2-KORiek3rHflhLctqzGT5-cas01.example.org'XXXXXXXX  
    at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86) 
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:217) 
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:169) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:116) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) 
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) 
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) 
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) 
    at java.lang.Thread.run(Thread.java:662) 

我用的是服务端为：CAS-服务器3.5.2 ， 以下是我对此文件的配置：deployerConfigContext.xml

 

> xmlns="http://www.springframework.org/schema/beans" 
>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>  xmlns:p="http://www.springframework.org/schema/p" 
>  xmlns:tx="http://www.springframework.org/schema/tx" 
>  xmlns:sec="http://www.springframework.org/schema/security" 
>  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd 
>  http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd 
>  http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 
> CentralAuthenticationService service bean   | declared in 
> applicationContext.xml picks up this AuthenticationManager by 
> reference to its id,   | "authenticationManager". Most deployers 
> will be able to use the default AuthenticationManager   | 
> implementation and so do not need to change the class of this bean. 
> We include the whole  | AuthenticationManager here in the 
> userConfigContext.xml so that you can see the things you will   | need 
> to change in context.   +-->   class="org.jasig.cas.authentication.AuthenticationManagerImpl"> 
>       This switch effectively will turn on clearpass.   
>   
>    
>     
>    
>       --> 
>    AuthenticationManagerImpl considers them in order, finding a 
> CredentialToPrincipalResolver which   | supports the presented 
> credentials.   |   | AuthenticationManagerImpl uses these resolvers 
> for two purposes. First, it uses them to identify the Principal   | 
> attempting to authenticate to CAS /login . In the default 
> configuration, it is the DefaultCredentialsToPrincipalResolver   | 
> that fills this role. If you are using some other kind of credentials 
> than UsernamePasswordCredentials, you will need to replace   | 
> DefaultCredentialsToPrincipalResolver with a 
> CredentialsToPrincipalResolver that supports the credentials you are 
>   | using.   |   | Second, AuthenticationManagerImpl uses these 
> resolvers to identify a service requesting a proxy granting ticket. 
>   | In the default configuration, it is the 
> HttpBasedServiceCredentialsToPrincipalResolver that serves this 
> purpose.    | You will need to change this list if you are 
> identifying services by something more or other than their callback 
> URL.   +-->   
>   
>         | UsernamePasswordCredentialsToPrincipalResolver supports the UsernamePasswordCredentials that we use for /login 
>     | by default and produces SimplePrincipal instances conveying the username from the credentials. 
>     | 
>     | If you've changed your LoginFormAction to use credentials other than UsernamePasswordCredentials then you will also 
>     | need to change this bean declaration (or add additional declarations) to declare a CredentialsToPrincipalResolver that 
> supports the 
>     | Credentials you are using. 
>     +--> 
>    > 
>     
>    
>         | HttpBasedServiceCredentialsToPrincipalResolver supports HttpBasedCredentials. It supports the CAS 2.0 approach of 
>     | authenticating services by SSL callback, extracting the callback URL from the Credentials and representing it as a 
>     | SimpleService identified by that callback URL. 
>     | 
>     | If you are representing services by something more or other than an HTTPS URL whereat they are able to 
>     | receive a proxy callback, you will need to change this bean declaration (or add additional declarations). 
>     +--> 
>         class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" 
> />      
> 
>  some Credentials might authenticate,    | AuthenticationHandlers 
> actually authenticate credentials. Here we declare the 
> AuthenticationHandlers that   | authenticate the Principals that the 
> CredentialsToPrincipalResolvers identified. CAS will try these 
> handlers in turn   | until it finds one that both supports the 
> Credentials presented and succeeds in authenticating.    +--> 
>     
>         | This is the authentication handler that authenticates services by means of callback via SSL, thereby validating 
>     | a server side SSL certificate. 
>     +--> 
>         p:httpClient-ref="httpClient"/> 
>         | This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS 
>     | into production. The default SimpleTestUsernamePasswordAuthenticationHandler authenticates 
> UsernamePasswordCredentials 
>     | where the username equals the password. You will need to replace this with an AuthenticationHandler that implements your 
>     | local authentication strategy. You might accomplish this by coding a new such handler and declaring 
>     | edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules. 
>     +--> 
>     
>      
>            value="select password from a_user where lower(userName) = lower(?)" /> 
>     
>         
>         class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" 
> /> 
>     -->       
> 
> 
> Management application. Simple deployments can use the in-memory 
> version. More robust deployments will want to use another option, 
> such as the Jdbc version.   The name of this should remain 
> "userDetailsService" in order for Spring Security to find it.  --> 
>  --> 
> 
>  
>   
>    A real implementation  may go against a database or LDAP server. The 
> id should remain "attributeRepository" though.  -->  id="attributeRepository" 
>  class="org.jasig.services.persondir.support.StubPersonAttributeDao"> 
>     
>    
>     
>            -->  class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao" 
> id="attributeRepository"> 
>   
>   
>   
>    
>     
>    
>   
>   
>    
>     
>     
>    
>      replace this with the JPA-backed ServiceRegistry DAO The name of this 
> bean should remain "serviceRegistryDao". -->   id="serviceRegistryDao" 
>   class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"> 
>    
>     
>      
>       
>       
>       
>       
>       
>       
>       
>         
>           id 
>           username 
>           idcard 
>           phone 
>         
>       
>      
>           Use the following definition instead of the above to further restrict access 
>      to services within your domain (including subdomains). 
>      Note that example.com must be replaced with the domain you wish to permit. 
>      --> 
>           
>       
>       
>       
>       
>       
>      
>      --> 
>     
>    
>   
> 
> class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" 
> /> 
>  
>  
>  
>      p:freeMemoryWarnThreshold="10" /> 
>     NOTE 
>   The following ticket registries support SessionMonitor: 
>    * DefaultTicketRegistry 
>    * JpaTicketRegistry 
>   Remove this monitor if you use an unsupported registry. 
>   --> 
>      p:ticketRegistry-ref="ticketRegistry" 
>    p:serviceTicketCountWarnThreshold="5000" 
>    p:sessionCountWarnThreshold="100000" /> 
>  
>   
>  
>  
>   oracle.jdbc.driver.OracleDriver 
>  
>  
>  jdbc:oracle:thin:@10.124.32.56:1521:orcl --> 
>   jdbc:oracle:thin:@192.168.0.13:1522:SERVER10 
>   jdbc:oracle:thin:@127.0.0.1:1522:work--> 
>  
>  
>   gzedieip 
>  
>  
>   gzkit 
>  
> 
> 

谁知道是什么原因，谢谢

Answer 1

最后解决的问题是，客户端配置，不管程序没有虚拟目录，客户端配置是没有必要添加一个虚拟目录