Typically the service registry entries use patterns.  Ant or regex are
typical types of patterns.

For example:

https://my.domain.com/a/**

That should match any child resource under /a.

If you don't use a pattern, you are allowing only the exact URL.  Even an
explicit vs implicit port can cause a failure.  E.g. the above pattern does
not match an explicit port 443.

Thanks,
Carl
 On Oct 2, 2014 7:07 PM, "Michael Keith" <[email protected]> wrote:

> https://my.domain.com/a/j_spring_security_check
> https://my.domain.com/b/j_spring_security_check
>
> Like I said: Each of those is an application unto itself.  Each
> application has many RESTful services - each of which I may be required (at
> some point in time) to allow a different application to invoke.
>
> I say all of that because I assume that I can create a separate entry
> within the *RegisteredServiceImpl* table for the RESTful service I am
> trying to call.  However, that isn't going to scale very well if / when I
> have to allow various applications the ability to invoke various RESTful
> services in different applications.
>
> As of right now, we have a half dozen applications participating in SSO.
> Each application has 1-2 dozen RESTful services that their UI invokes at
> various times.  It would be unreasonable to have a "service" entry within
> the *RegisteredServiceImpl* table for each and every one of them when the
> application they're running inside is already registered.
>
> On Thu, Oct 2, 2014 at 6:53 PM, Carl Waldbieser <[email protected]>
> wrote:
>
>> What do your service registry entries look like?
>>
>> Thanks,
>> Carl Waldbieser
>>  On Oct 2, 2014 4:24 PM, "Michael Keith" <[email protected]> wrote:
>>
>>> I'm missing something and I could use a bit of help.
>>>
>>> I (obviously) have a CAS Server configured and running.  I have two
>>> clients (Services) authenticated against said server.  Both clients are
>>> actual applications that perform a myriad of functions.  Each application
>>> has its own UI.  The UI, in both cases, communicates to the backend
>>> application via RESTful service calls.
>>>
>>> This works *fine* when I log into a single application and go through
>>> whatever it is I want to do.
>>>
>>> However, I now have a requirement to have Application B invoke one of
>>> the RESTful URLs within Application A.
>>>
>>> *************************************
>>> Application A:
>>> URL - https://my.domain.com/a
>>> Desired Service URL - https://my.domain.com/a/rest/my/service
>>> *************************************
>>>
>>> When I attempt to have Application B retrieve a Proxy Ticket from
>>> Application A, all goes well and I get the following:
>>>
>>> 2014-10-02 15:59:12,390 INFO
>>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>>> trail record BEGIN
>>> =============================================================
>>> WHO: https://my.domain.com/b/j_spring_cas_security_proxyreceptor
>>> WHAT: ST-14-oScXwVbhdJ7mPwWujgMp-XXXXX.XXXXX.com for
>>> https://my.domain.com/a/j_spring_cas_security_check
>>> ACTION: SERVICE_TICKET_CREATED
>>> APPLICATION: CAS
>>> WHEN: Thu Oct 02 15:59:12 EDT 2014
>>> CLIENT IP ADDRESS: 999.999.999.999
>>> SERVER IP ADDRESS: 999.999.999.999
>>> =============================================================
>>> >
>>>
>>>
>>> ******************************************************************************************************************************************************************************
>>>
>>> When I attempt to actually use the Proxy Ticket I get mixed results.
>>> What I *want* to do is invoke https://my.domain.com/a/rest/my/service.
>>> When I try to do that, I am met with the following:
>>>
>>> 2014-10-02 16:05:32,732 WARN
>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceManagement:
>>> Service does not exist is not enabled, and thus not allowed to validate
>>> tickets.   Service: [https://my.domain.com/a/rest/my/service]>
>>> 2014-10-02 16:05:32,733 INFO
>>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>>> trail record BEGIN
>>> =============================================================
>>> WHO: audit:unknown
>>> WHAT: ST-14-oScXwVbhdJ7mPwWujgMp-XXXXX.XXXXX.com
>>> ACTION: SERVICE_TICKET_VALIDATE_FAILED
>>> APPLICATION: CAS
>>> WHEN: Thu Oct 02 16:05:32 EDT 2014
>>> CLIENT IP ADDRESS: 172.19.10.247
>>> SERVER IP ADDRESS: 172.19.10.247
>>> =============================================================
>>> >
>>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>> <cas:authenticationFailure code='Service not allowed to validate
>>> tickets.'>
>>> Service not allowed to validate tickets.
>>> </cas:authenticationFailure>
>>> </cas:serviceResponse>
>>>
>>> 10068974 02-10-2014 16:05:32.736 [http-bio-8443-exec-26] DEBUG
>>> o.s.s.c.web.CasAuthenticationFilter - Authentication request failed:
>>> org.springframework.security.authentication.BadCredentialsException:
>>> Service not allowed to validate tickets.
>>>
>>>
>>> ******************************************************************************************************************************************************************************
>>>
>>> However, if I just invoke the Application's URL (https://my.domain.com/a),
>>> I get the following:
>>>
>>> 2014-10-02 16:05:17,181 INFO
>>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
>>> trail record BEGIN
>>> =============================================================
>>> WHO: audit:unknown
>>> WHAT: ST-14-oScXwVbhdJ7mPwWujgMp-XXXXX.XXXXX.com
>>> ACTION: SERVICE_TICKET_VALIDATED
>>> APPLICATION: CAS
>>> WHEN: Thu Oct 02 16:05:17 EDT 2014
>>> CLIENT IP ADDRESS: 172.19.10.247
>>> SERVER IP ADDRESS: 172.19.10.247
>>> =============================================================
>>> >
>>> 2014-10-02 16:05:17,182 DEBUG
>>> [org.jasig.cas.web.ServiceValidateController] - <Successfully validated
>>> service ticket: ST-14-oScXwVbhdJ7mPwWujgMp-XXXXX.XXXXX.com>
>>>
>>>
>>> ******************************************************************************************************************************************************************************
>>>
>>> I understand what the error is telling me - the service at
>>> [https://my.domain.com/a/rest/my/service] is not registered within
>>> CAS.  However, it *is* registered in CAS.  I want to invoke one of the
>>> RESTful Services contained within the CAS "Service" (Client).  What am I
>>> missing?  How can I accomplish my goal?  Is this not possible?
>>>
>>> --
>>> Sincerely,
>>>     Michael Keith
>>>
>>>  --
>>> You are currently subscribed to [email protected] as: 
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see 
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>
>>
>
>
> --
> Sincerely,
>     Michael Keith
>
>
>
>
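
The matching behaviour described in the reply at the top of this thread, as an added example (not part of any message here, and not CAS's own matcher): a simplified Ant-style matcher in Python, run over the service URLs from the thread. The function names are hypothetical, and the `:443`, `/b/` and look-alike host URLs are constructed for illustration.

```python
import re

def _segment_regex(seg):
    # Inside one "/"-delimited segment: '*' is any run of characters, '?' is one.
    out = []
    for ch in seg:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z")

def ant_match(pattern, url):
    """Simplified Ant-style match: '**' spans zero or more whole segments."""
    pat, parts = pattern.split("/"), url.split("/")

    def walk(i, j):
        if i == len(pat):
            return j == len(parts)
        if pat[i] == "**":
            # Let '**' absorb 0..n of the remaining segments.
            return any(walk(i + 1, k) for k in range(j, len(parts) + 1))
        if j == len(parts):
            return False
        return bool(_segment_regex(pat[i]).match(parts[j])) and walk(i + 1, j + 1)

    return walk(0, 0)

def is_registered(service_url, registry):
    """True if any registry entry (exact URL or Ant pattern) matches the URL."""
    return any(ant_match(entry, service_url) for entry in registry)

# Registry entry without a pattern (from the thread) vs. the suggested pattern.
REGISTRY_EXACT = ["https://my.domain.com/a/j_spring_security_check"]
REGISTRY_PATTERN = ["https://my.domain.com/a/**"]

# Constructed sample service URLs.
REST_URL = "https://my.domain.com/a/rest/my/service"
REST_URL_EXPLICIT_PORT = "https://my.domain.com:443/a/rest/my/service"
OTHER_APP_URL = "https://my.domain.com/b/rest/my/service"
LOOKALIKE_HOST_URL = "https://my.domain.com.example/a/rest/my/service"

if __name__ == "__main__":
    for url in (REST_URL, REST_URL_EXPLICIT_PORT, OTHER_APP_URL, LOOKALIKE_HOST_URL):
        print(url, is_registered(url, REGISTRY_EXACT), is_registered(url, REGISTRY_PATTERN))
```

Because the host is compared as a whole segment, the pattern stays scoped to `my.domain.com` with an implicit port; a deployment that sends `:443` explicitly needs its own entry.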
