JASIG CAS:单点注销不起作用
我的单点登录工作得很好,但单点退出不起作用。
场景是这样的:
- 打开 webapp1 并重定向到 CAS 登录页面
- 输入详细信息并登录
- 打开也使用 CAS 的 webapp2。自动登录,因为用户已登录。
- 注销 webapp1
- 尝试打开 webapp1 或 webapp2(在另一个选项卡中)会将您重定向回登录页面。
- 但是,步骤 3 中与 webapp2 的会话并未关闭,用户仍然可以毫无问题地使用该应用程序。如何在用户退出时自动使会话失效?
两个应用程序的注销按钮首先调用 session.invalidate(),然后重定向到 https://localhost:8443/cas/logout
单点注销过滤器是web.xml 文件中的第一个过滤器。我还在 web.xml 中有 SingleSignOutHttpSessionListener 。
以下是我的 web.xml 的摘录
<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params.
CAS Authentication Filter and CAS Validation Filter need a serverName init-param
in lieu of a context-param definition. -->
<context-param>
<param-name>serverName</param-name>
<param-value>https://localhost:8443</param-value>
</context-param>
<!-- Facilitates CAS single sign-out -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!--
CAS client filters
Single sign-out filter MUST come first since it needs to be evaluated
before other filters.
-->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<!--
IMPORTANT:
Use Saml11AuthenticationFilter for version 3.1.12 and later.
Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
versions.
-->
<filter-class>
org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://localhost:8443/cas</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- Leniency of time checking in ms when validating SAML assertions. Consider
setting this parameter more liberally if you anticipate system clock drift
on your application servers relative to the CAS server. The default is 1000
(1s) and at least one person had problems with drift at that small a tolerance
value. A good approach is to start low and then increase by 1000 as needed
until problems stop. Note that increasing this value may have negative security
implications. Consider fixing clock drift problems as an alternative. -->
<param-name>tolerance</param-name>
<param-value>1000</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I have single sign on working beautifully, but single sign-out is not working.
The scenario is like this:
- Open webapp1 and get redirected to CAS login page
- Enter details and login
- Open webapp2 which also uses CAS. Automatically logs in, as the user already signed in.
- Log out of webapp1
- Try to open webapp1 or webapp2 (in another tab) redirects you back to the login page.
- However, the session to webapp2 in step 3 is not closed and the user can still use the application without any problems. How do I automatically invalidate the session when the user signs out?
The log off button for both applications first call session.invalidate() and then redirects to https://localhost:8443/cas/logout
The single sign out filter is the first filter in the web.xml file. I also have the SingleSignOutHttpSessionListener in web.xml.
Following is the extract from my web.xml
<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params.
CAS Authentication Filter and CAS Validation Filter need a serverName init-param
in lieu of a context-param definition. -->
<context-param>
<param-name>serverName</param-name>
<param-value>https://localhost:8443</param-value>
</context-param>
<!-- Facilitates CAS single sign-out -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!--
CAS client filters
Single sign-out filter MUST come first since it needs to be evaluated
before other filters.
-->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<!--
IMPORTANT:
Use Saml11AuthenticationFilter for version 3.1.12 and later.
Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
versions.
-->
<filter-class>
org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://localhost:8443/cas</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- Leniency of time checking in ms when validating SAML assertions. Consider
setting this parameter more liberally if you anticipate system clock drift
on your application servers relative to the CAS server. The default is 1000
(1s) and at least one person had problems with drift at that small a tolerance
value. A good approach is to start low and then increase by 1000 as needed
until problems stop. Note that increasing this value may have negative security
implications. Consider fixing clock drift problems as an alternative. -->
<param-name>tolerance</param-name>
<param-value>1000</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
我还遇到了标准 CAS 协议的另一个问题,其中单点注销在集成服务器上工作,但不能从本地主机进行。
场景
http://my 上的 CAS 登录到http://my-app-dev/app和http://localhost:8080/app-cas/cashttp://my-cas/cas/logouthttp://my-app-dev/app现在会反弹我到 CAShttp://localhost:8080- 仍然登录!我怀疑原因是 CAS 服务器无法向
localhost:8080发送注销消息,因为localhost在 CAS 服务器的上下文,所以它实际上并没有与我的本地开发环境对话。I also had another issue with standard CAS protocol, where single sign-out worked on an integration server but not from localhost.
Scenario
http://my-app-dev/appandhttp://localhost:8080/appwith CAS onhttp://my-cas/cashttp://my-cas/cas/logouthttp://my-app-dev/appnow bounces me to CAShttp://localhost:8080- still logged in!I suspect the reason is the CAS server couldn't send a sign-out message to
localhost:8080becauselocalhostis resolved in the CAS server's context, so it doesn't actually talk to my local dev environment.如果您使用的是 SAML 1.1 协议,请确保包含
artifactParameterName参数https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
If you're using SAML 1.1 protocol be sure that you included the
artifactParameterNameparameterhttps://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
我也有同样的问题。我们有一个 java 和一个 php 客户端。当我访问 http://mycasserver/logout 时,只有 java 客户端注销了。
为了在 php 客户端中使用单点登录,您必须更改:
for
瞧!
请参阅 phpCAS 示例 中的文档
I had the same problem. We had a java and a php client. When I went to
http://mycasserver/logoutonly the java client logged out.For the single sign out to work in the php client, you have to change:
for
And Voila!
Refer to the documentation at phpCAS examples
在切换到 spring 配置之前,我的应用程序的配置基本相同。我查看了 SVN,基本上与您的配置的唯一区别是使用 单点注销侦听器
这对您有用吗?当然,如果有效的话,不要忘记将其添加到两个 WebApp 上。
更新:
我在 docs,它应该执行您的设置中缺少的操作
I've had basically the same configuration for my application before I switched to the spring configuration. I had a look on the SVN and basically the only difference to your config is the use of the Single Sign Out Listener
Could this work for you? Of course don't forget to add it on both WebApps if it works.
UPDATE:
I found the description of the listener in the docs, and it should do what's missing in your setting
您应该验证 CAS 服务器是否可以向您的 Web 应用程序发送 HTTP 请求。查看 CAS 服务器的日志。
You should verify that the CAS server can send a HTTP request to your webapp. Have a look in the logs of the CAS server.