While studying CAS recently, I found that after configuring a ticketGrantingTicket (TGT) timeout, opening https://tski.com:8443/cas still shows the login-success page once the timeout has passed.
ticketExpirationPolicies.xml
<!-- This argument is the time a ticket can exist before it is considered expired.
     TimeoutExpirationPolicy counts from the ticket's last use (an idle timeout); set to 5 seconds here. -->
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <constructor-arg
        index="0"
        value="5000" />
</bean>
ticketRegistry.xml
<!-- Run the registry cleaner every 10 seconds to remove tickets that need cleaning -->
<bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean"
    p:jobDetail-ref="jobDetailTicketRegistryCleaner"
    p:startDelay="2000"
    p:repeatInterval="10000" />
It still showed success.
So my guess was that the difference between a TGT timing out and calling https://tski.com:8443/cas/logout is that the latter also clears the TGT from the cookie.
So I found the code that handles logout:
org.jasig.cas.web.LogoutController
protected ModelAndView handleRequestInternal(
        final HttpServletRequest request, final HttpServletResponse response)
        throws Exception {
    // the TGT id comes from the CASTGC cookie sent by the browser
    final String ticketGrantingTicketId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
    final String service = request.getParameter("service");
    if (ticketGrantingTicketId != null) {
        // drop the TGT from the registry ...
        this.centralAuthenticationService
            .destroyTicketGrantingTicket(ticketGrantingTicketId);
        // ... and remove the cookies from the browser
        this.ticketGrantingTicketCookieGenerator.removeCookie(response);
        this.warnCookieGenerator.removeCookie(response);
    }
    if (this.followServiceRedirects && service != null) {
        return new ModelAndView(new RedirectView(service));
    }
    return new ModelAndView(this.logoutView);
}
When the TGT simply times out, on the other hand, the CAS server never gets a chance to touch the cookie: the ticket is dropped server-side, but the browser keeps sending the stale TGT id.
The next guess: when https://tski.com:8443/cas is opened, the CAS server only checks whether the cookie contains a TGT, but does not check whether that TGT still exists in org.jasig.cas.ticket.registry.TicketRegistry.
In login-webflow.xml:
<!-- When flowScope.ticketGrantingTicketId is non-null and flowScope.service is null, the flow ends at viewGenericLoginSuccess -->
<on-start>
    <evaluate expression="initialFlowSetupAction" />
</on-start>
<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>
...
<decision-state id="hasServiceCheck">
    <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
</decision-state>
So now we need to confirm what flowScope.ticketGrantingTicketId and flowScope.service actually are.
They are set in org.jasig.cas.web.flow.InitialFlowSetupAction:
protected Event doExecute(final RequestContext context) throws Exception {
    final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
    if (!this.pathPopulated) {
    ... }
    // ticketGrantingTicketId is taken straight from the cookie; that is the whole problem:
    // nothing here asks the TicketRegistry whether the ticket still exists
    context.getFlowScope().put(
        "ticketGrantingTicketId", this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request));
    context.getFlowScope().put(
        "warnCookieValue",
        Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));
    // service is only non-null when the browser was redirected here from another application
    final Service service = WebUtils.getService(this.argumentExtractors,
        context);
    if (service != null && logger.isDebugEnabled()) {
        logger.debug("Placing service in FlowScope: " + service.getId());
    }
    context.getFlowScope().put("service", service);
    return result("success");
}
Finally, the fix: have InitialFlowSetupAction consult the ticket registry before trusting the cookie value. Modify
org.jasig.cas.web.flow.InitialFlowSetupAction
import javax.validation.constraints.NotNull; // the JSR-303 annotation CAS uses on injected dependencies
import org.jasig.cas.ticket.Ticket;
import org.jasig.cas.ticket.registry.TicketRegistry;

// inject the ticketRegistry (wired from cas-servlet.xml below)
@NotNull
private TicketRegistry ticketRegistry;

public TicketRegistry getTicketRegistry() {
    return this.ticketRegistry;
}

public void setTicketRegistry(final TicketRegistry ticketRegistry) {
    this.ticketRegistry = ticketRegistry;
}
protected Event doExecute(final RequestContext context) throws Exception {
    final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
    if (!this.pathPopulated) {
    ... }
    // Read the TGT id from the cookie, then confirm the registry still holds a live
    // ticket for it.  Two details matter:
    //  - keep the String id (not the Ticket object) in flow scope, because the later
    //    actions read flowScope.ticketGrantingTicketId as a String;
    //  - also test isExpired(): the registry cleaner only runs every 10 seconds
    //    (see ticketRegistry.xml), so an expired TGT can still be present in the registry.
    final String cookieTgtId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
    String ticketGrantingTicketId = null;
    if (cookieTgtId != null) {
        final Ticket tgt = this.ticketRegistry.getTicket(cookieTgtId);
        if (tgt != null && !tgt.isExpired()) {
            ticketGrantingTicketId = cookieTgtId;
        }
    }
    context.getFlowScope().put("ticketGrantingTicketId", ticketGrantingTicketId);
    context.getFlowScope().put(
        "warnCookieValue",
        Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));
    final Service service = WebUtils.getService(this.argumentExtractors,
        context);
    if (service != null && logger.isDebugEnabled()) {
        logger.debug("Placing service in FlowScope: " + service.getId());
    }
    context.getFlowScope().put("service", service);
    return result("success");
}
Then modify cas-servlet.xml:
<!-- the last line, p:ticketRegistry-ref="ticketRegistry", injects the ticketRegistry bean -->
<bean id="initialFlowSetupAction" class="org.jasig.cas.web.flow.InitialFlowSetupAction"
    p:argumentExtractors-ref="argumentExtractors"
    p:warnCookieGenerator-ref="warnCookieGenerator"
    p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
    p:ticketRegistry-ref="ticketRegistry"/>
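To see why the registry lookup has to test both presence and isExpired(), here is a small Python model of the three possible checks, driven by a fake clock that stands in for System.currentTimeMillis(). This is an added illustration written for this page, not CAS code: the class and function names (TicketRegistry, cookie_only, registry_presence, registry_presence_and_expiry, simulate, next_state) are assumptions, and the timings copy the 5-second TimeoutExpirationPolicy and the 10-second cleaner interval configured above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Model of a CAS ticket registry with a TimeoutExpirationPolicy and a periodic
# RegistryCleaner.  All names and timings are assumptions for this illustration;
# this is not CAS code.  Times are milliseconds on a fake clock.

TGT_TIMEOUT_MS = 5000        # TimeoutExpirationPolicy constructor-arg
CLEANER_INTERVAL_MS = 10000  # triggerJobDetailTicketRegistryCleaner repeatInterval


@dataclass
class TicketGrantingTicket:
    ticket_id: str
    last_time_used: int
    timeout_ms: int = TGT_TIMEOUT_MS

    def is_expired(self, now: int) -> bool:
        # TimeoutExpirationPolicy is an idle timeout: expired once the ticket
        # has not been used for longer than timeout_ms.
        return self.last_time_used + self.timeout_ms < now


@dataclass
class TicketRegistry:
    tickets: Dict[str, TicketGrantingTicket] = field(default_factory=dict)

    def add_ticket(self, ticket: TicketGrantingTicket) -> None:
        self.tickets[ticket.ticket_id] = ticket

    def get_ticket(self, ticket_id: Optional[str]) -> Optional[TicketGrantingTicket]:
        # Like the real registry, a plain lookup: no expiry check here.
        if ticket_id is None:
            return None
        return self.tickets.get(ticket_id)

    def clean(self, now: int) -> int:
        """What the RegistryCleaner job does on each run: drop expired tickets."""
        expired = [tid for tid, t in self.tickets.items() if t.is_expired(now)]
        for tid in expired:
            del self.tickets[tid]
        return len(expired)


# Three versions of the value InitialFlowSetupAction puts into
# flowScope.ticketGrantingTicketId (the TGT id, or None).

def cookie_only(registry: TicketRegistry, cookie_tgt: Optional[str], now: int) -> Optional[str]:
    # Stock behaviour: trust whatever is in the CASTGC cookie.
    return cookie_tgt


def registry_presence(registry: TicketRegistry, cookie_tgt: Optional[str], now: int) -> Optional[str]:
    # Only checks that the registry still holds the ticket.
    return cookie_tgt if registry.get_ticket(cookie_tgt) is not None else None


def registry_presence_and_expiry(registry: TicketRegistry, cookie_tgt: Optional[str], now: int) -> Optional[str]:
    # Presence plus isExpired(): correct even before the cleaner has run.
    ticket = registry.get_ticket(cookie_tgt)
    if ticket is None or ticket.is_expired(now):
        return None
    return cookie_tgt


def next_state(flow_tgt_id: Optional[str], service: Optional[str] = None) -> str:
    """Mirror the two decision-states quoted from login-webflow.xml."""
    if flow_tgt_id is None:
        return "gatewayRequestCheck"
    return "renewRequestCheck" if service is not None else "viewGenericLoginSuccess"


def simulate(check, events: List[int]) -> List[str]:
    """Replay requests at the given times; return the webflow state each reaches."""
    registry = TicketRegistry()
    registry.add_ticket(TicketGrantingTicket("TGT-1-abc", last_time_used=0))  # constructed sample ticket
    cookie_tgt = "TGT-1-abc"          # the browser keeps sending this forever
    next_clean = CLEANER_INTERVAL_MS
    states = []
    for now in events:
        while next_clean <= now:      # run the cleaner on its schedule
            registry.clean(next_clean)
            next_clean += CLEANER_INTERVAL_MS
        states.append(next_state(check(registry, cookie_tgt, now)))
    return states


if __name__ == "__main__":
    timeline = [1000, 7000, 12000]   # before expiry, after expiry, after the cleaner ran
    for check in (cookie_only, registry_presence, registry_presence_and_expiry):
        print(f"{check.__name__:30s} {simulate(check, timeline)}")
```

The second request (7 s) is the interesting one: the TGT has been idle longer than 5 s but the cleaner has not run yet, so a presence-only lookup still returns it and the flow lands on viewGenericLoginSuccess. Only the presence-plus-isExpired() check sends that request to gatewayRequestCheck, which is why the fix above tests both.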