CAS Single logout not working

I am implementing Single-Sign-On + Single-Log-Out in a Java EE environment through CAS.

On the authentication side I have the cas-server-webapp v4.0.1. Then 2 simple Java + Spring MVC web apps with the cas-client-core v3.1.10.

No issues regarding single sign on. If I access /app1 I'm redirected to the cas login page in cas-server-webapp. After the user+pass input I get redirected to /app1 correctly authenticated. In addition, if I navigate to /app2, this one gets its auth ticket. So far so good.

As for single logout, maybe I have misunderstood the doc, but this is what I do:

app1 and app2 each have a Spring controller mapped for the /logout url:

import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class LogoutController {

    // Drop the local HTTP session, then send the browser to the CAS server
    // logout endpoint so that the TGT and its service tickets get destroyed.
    @RequestMapping("/logout")
    public String logout(HttpSession session) {
        session.invalidate();
        return "redirect:https://cas-server-host:8443/cas/logout?service=http://cas-server-host:9080/cas1/action/index";
    }
}

That is to say, I invalidate the http session and redirect to the cas server logout url so that the tickets get invalidated.

In the cas server log I see that it destroys the TGT ticket and sends a logout request to the CAS filter of each app:

DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry.>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] found in registry.>
DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...>
DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-13-TfRj1HnvAjpBjNIdaDvDMJUMXk7wffdXgB5" Version="2.0" IssueInstant="2015-02-10T12:18:18Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-16-aXpUJpwO4MQ09caXZRKX-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]>
DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas2]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas2>
DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-14-BaKvuaIbwxg9Le9H3QIvWORfNSE0dxaxsCE" Version="2.0" IssueInstant="2015-02-10T12:18:20Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-15-zaX6aojKs0PiggCles6J-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Finished sending message to http://localhost:9080/cas2>
DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas1]>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas1>
INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Tue Feb 10 12:18:20 CET 2015
CLIENT IP ADDRESS: 192.168.13.164
SERVER IP ADDRESS: 192.168.13.164
=============================================================

Now, suppose that I logged out from /cas1; I am sent back to the cas-server login page. Without logging in again, if I access /app2, I am allowed to navigate this app as if I were still authenticated and I can access both its java.user.Principal and session. How can this be possible? Shouldn't the logout request received in /app2 have destroyed the Principal and http session?

...my fault, as expected I was missing something. I had to include the Single Sign Out Filter and Listener in both apps:

    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://cas-server-host:8443/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>service</param-name>
            <param-value>http://localhost:9080/cas1</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas-server-host:8443/cas/</param-value>
        </init-param>
        <init-param>
            <param-name>service</param-name>
            <param-value>http://localhost:9080/cas1</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
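To show why the missing filter matters, here is an added Python model (not code from the question, the answer or the cas-client project) of what the single sign-out filter does on the app side: it records the service ticket to session binding at validation time and, when the server's back-channel logout request arrives, parses the SessionIndex from the SAML message seen in the log above and invalidates that session. The Session and SingleSignOutRegistry classes are assumed stand-ins for the servlet objects; the sample message is constructed from the logged LogoutRequest for /cas2.

```python
"""Added model of the CAS single sign-out back channel (not cas-client code).
The SingleSignOutFilter records ST -> HttpSession at ticket validation, and on
the server's back-channel POST (`logoutRequest` parameter) it reads the
<samlp:SessionIndex> (the ST) and invalidates that session; without the filter
the app never sees that POST and keeps its session after the TGT is gone."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed from the LogoutRequest the CAS server logged for /cas2 above.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-13-TfRj1HnvAjpBjNIdaDvDMJUMXk7wffdXgB5" Version="2.0" '
    'IssueInstant="2015-02-10T12:18:18Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@'
    '</saml:NameID><samlp:SessionIndex>ST-16-aXpUJpwO4MQ09caXZRKX-cas01.example.org'
    '</samlp:SessionIndex></samlp:LogoutRequest>')


class Session:  # minimal stand-in for an HttpSession (assumed helper)
    def __init__(self, principal: str) -> None:
        self.principal: Optional[str] = principal
        self.valid = True

    def invalidate(self) -> None:
        self.valid, self.principal = False, None


class SingleSignOutRegistry:
    """ST -> session map, as the single sign-out filter maintains it."""
    def __init__(self) -> None:
        self._by_ticket: Dict[str, Session] = {}

    def record_validation(self, service_ticket: str, session: Session) -> None:
        self._by_ticket[service_ticket] = session

    def handle_logout_request(self, xml_text: str) -> Optional[str]:
        """Invalidate the session bound to the request's ST and return that ST;
        None (nothing touched) for malformed XML or an unknown ticket."""
        try:  # server-received XML should go through a hardened parser (defusedxml)
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return None
        idx = root.find(f"{{{SAMLP}}}SessionIndex")
        if root.tag != f"{{{SAMLP}}}LogoutRequest" or idx is None or not idx.text:
            return None
        session = self._by_ticket.pop(ticket := idx.text.strip(), None)
        if session is None:
            return None
        session.invalidate()  # the app-side equivalent of HttpSession.invalidate()
        return ticket
```

An unknown or already-consumed ticket is ignored, which is why each app must register its own ST at validation time: the server only knows the ticket, never the app's session id.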
