

在使用Spring Security + CAS时,我一直使用发送到CAS的回调URL(即服务属性)来碰到一个小障碍.我看过很多示例,例如,但是它们都使用硬编码的URL(甚至 Spring的CAS文档).一个典型的截图看起来像这样...

When working with Spring Security + CAS I keep hitting a small road block with the callback URL that is sent to CAS, ie the service property. I've looked at a bunch of examples such as this and this but they all use hard coded URLs (even Spring's CAS docs). A typical snip looks something like this...

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="http://localhost:8080/click/j_spring_cas_security_check" />

首先,我不想对服务器名称或端口进行硬编码,因为我希望此WAR可部署在任何地方,并且我不希望我的应用程序在编译时绑定到特定的DNS条目.其次,我不明白为什么Spring无法自动检测应用程序的上下文该语句的第一部分仍然存在,但正如Raghuram在下面用此链接,出于安全原因,我们不能信任客户端的HTTP Host Header.

First, I don't want to hard code the server name or the port since I want this WAR to be deployable anywhere and I don't want my application tied to a particular DNS entry at compile time. Second, I don't understand why Spring can't auto detect my application's context The first part of that statement still stand but As Raghuram pointed out below with this link, we can't trust the HTTP Host Header from the client for security reasons.


Ideally I would like service URL to be exactly what the user requested (as long as the request is valid such as a sub domain of mycompany.com) so it is seamless or at the very least I would like to only specify some path relative my applications context root and have Spring determine the service URL on the fly. Something like the following...

  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="/my_cas_callback" />


  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="${container.and.app.derived.value.here}" />


Is any of this possible or easy or have I missed the obvious?


在Spring 2.6.5 Spring中,您可以扩展org.springframework.security.ui.cas.ServiceProperties

In Spring 2.6.5 spring you could extend org.springframework.security.ui.cas.ServiceProperties


In spring 3 the method is final you could get around this by subclassing the CasAuthenticationProvider and CasEntryPoint and then use with your own version of ServiceProperties and override the getService() method with a more dynamic implementation.


You could use the host header to calculate the the required domain and make it more secure by validating that only domains/subdomains under your control are used. Then append to this some configurable value.


Of course you would be at risk that your implementation was insecure though... so be careful.


It could end up looking like:

<bean id="serviceProperties" class="my.ServiceProperties">
    <property name="serviceRelativeUrl" value="/my_cas_callback" />
    <property name="validDomainPattern" value="*.mydomain.com" />


07-22 20:15