JASIG CAS:单点注销不起作用

发布于 2024-11-09 19:13:25 字数 5207 浏览 5 评论 0原文

我的单点登录工作得很好,但单点退出不起作用。

场景是这样的:

  1. 打开 webapp1 并重定向到 CAS 登录页面
  2. 输入详细信息并登录
  3. 打开也使用 CAS 的 webapp2。自动登录,因为用户已登录。
  4. 注销 webapp1
  5. 尝试打开 webapp1 或 webapp2(在另一个选项卡中)会将您重定向回登录页面。
  6. 但是,步骤 3 中与 webapp2 的会话并未关闭,用户仍然可以毫无问题地使用该应用程序。如何在用户退出时自动使会话失效?

两个应用程序的注销按钮首先调用 session.invalidate(),然后重定向到 https://localhost:8443/cas/logout

单点注销过滤器是web.xml 文件中的第一个过滤器。我还在 web.xml 中有 SingleSignOutHttpSessionListener

以下是我的 web.xml 的摘录

<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params. 
    CAS Authentication Filter and CAS Validation Filter need a serverName init-param 
    in lieu of a context-param definition. -->
<context-param>
    <param-name>serverName</param-name>
    <param-value>https://localhost:8443</param-value>
</context-param>

  <!-- Facilitates CAS single sign-out -->
  <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!--
  CAS client filters
  Single sign-out filter MUST come first since it needs to be evaluated
  before other filters.
  -->
  <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!--
        IMPORTANT:
        Use Saml11AuthenticationFilter for version 3.1.12 and later.
        Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
        versions.
        -->
        <filter-class>
              org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
              <param-name>casServerLoginUrl</param-name>
              <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
        <init-param>
        <param-name>service</param-name>
        <param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
    </init-param>
  </filter>

  <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
        <init-param>
              <param-name>casServerUrlPrefix</param-name>
              <param-value>https://localhost:8443/cas</param-value>
        </init-param>
        <init-param>
              <param-name>redirectAfterValidation</param-name>
              <param-value>true</param-value>
        </init-param>
        <init-param>
              <!-- Leniency of time checking in ms when validating SAML assertions. Consider 
                    setting this parameter more liberally if you anticipate system clock drift 
                    on your application servers relative to the CAS server. The default is 1000 
                    (1s) and at least one person had problems with drift at that small a tolerance 
                    value. A good approach is to start low and then increase by 1000 as needed 
                    until problems stop. Note that increasing this value may have negative security 
                    implications. Consider fixing clock drift problems as an alternative. -->
              <param-name>tolerance</param-name>
              <param-value>1000</param-value>
        </init-param>
  </filter>

  <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

I have single sign on working beautifully, but single sign-out is not working.

The scenario is like this:

  1. Open webapp1 and get redirected to CAS login page
  2. Enter details and login
  3. Open webapp2 which also uses CAS. Automatically logs in, as the user already signed in.
  4. Log out of webapp1
  5. Try to open webapp1 or webapp2 (in another tab) redirects you back to the login page.
  6. However, the session to webapp2 in step 3 is not closed and the user can still use the application without any problems. How do I automatically invalidate the session when the user signs out?

The log off button for both applications first call session.invalidate() and then redirects to https://localhost:8443/cas/logout

The single sign out filter is the first filter in the web.xml file. I also have the SingleSignOutHttpSessionListener in web.xml.

Following is the extract from my web.xml

<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params. 
    CAS Authentication Filter and CAS Validation Filter need a serverName init-param 
    in lieu of a context-param definition. -->
<context-param>
    <param-name>serverName</param-name>
    <param-value>https://localhost:8443</param-value>
</context-param>

  <!-- Facilitates CAS single sign-out -->
  <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!--
  CAS client filters
  Single sign-out filter MUST come first since it needs to be evaluated
  before other filters.
  -->
  <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!--
        IMPORTANT:
        Use Saml11AuthenticationFilter for version 3.1.12 and later.
        Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
        versions.
        -->
        <filter-class>
              org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
              <param-name>casServerLoginUrl</param-name>
              <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
        <init-param>
        <param-name>service</param-name>
        <param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
    </init-param>
  </filter>

  <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
        <init-param>
              <param-name>casServerUrlPrefix</param-name>
              <param-value>https://localhost:8443/cas</param-value>
        </init-param>
        <init-param>
              <param-name>redirectAfterValidation</param-name>
              <param-value>true</param-value>
        </init-param>
        <init-param>
              <!-- Leniency of time checking in ms when validating SAML assertions. Consider 
                    setting this parameter more liberally if you anticipate system clock drift 
                    on your application servers relative to the CAS server. The default is 1000 
                    (1s) and at least one person had problems with drift at that small a tolerance 
                    value. A good approach is to start low and then increase by 1000 as needed 
                    until problems stop. Note that increasing this value may have negative security 
                    implications. Consider fixing clock drift problems as an alternative. -->
              <param-name>tolerance</param-name>
              <param-value>1000</param-value>
        </init-param>
  </filter>

  <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

祁梦 2024-11-16 19:13:25

我还遇到了标准 CAS 协议的另一个问题,其中单点注销在集成服务器上工作,但不能从本地主机进行。

场景

  • 使用 http://my 上的 CAS 登录到 http://my-app-dev/apphttp://localhost:8080/app -cas/cas
  • 退出 CAS http://my-cas/cas/logout
  • http://my-app-dev/app 现在会反弹我到 CAS
  • http://localhost:8080 - 仍然登录!

我怀疑原因是 CAS 服务器无法向 localhost:8080 发送注销消息,因为 localhostCAS 服务器的上下文,所以它实际上并没有与我的本地开发环境对话。

I also had another issue with standard CAS protocol, where single sign-out worked on an integration server but not from localhost.

Scenario

  • log into both http://my-app-dev/app and http://localhost:8080/app with CAS on http://my-cas/cas
  • log out of CAS http://my-cas/cas/logout
  • http://my-app-dev/app now bounces me to CAS
  • http://localhost:8080 - still logged in!

I suspect the reason is the CAS server couldn't send a sign-out message to localhost:8080 because localhost is resolved in the CAS server's context, so it doesn't actually talk to my local dev environment.

最美的太阳 2024-11-16 19:13:25

如果您使用的是 SAML 1.1 协议,请确保包含 artifactParameterName 参数

https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out

<filter>
   <filter-name>CAS Single Sign Out Filter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
   <init-param>
      <param-name>artifactParameterName</param-name>
      <param-value>SAMLart</param-value>
   </init-param>
</filter>

If you're using SAML 1.1 protocol be sure that you included the artifactParameterName parameter

https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out

<filter>
   <filter-name>CAS Single Sign Out Filter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
   <init-param>
      <param-name>artifactParameterName</param-name>
      <param-value>SAMLart</param-value>
   </init-param>
</filter>
魔法少女 2024-11-16 19:13:25

我也有同样的问题。我们有一个 java 和一个 php 客户端。当我访问 http://mycasserver/logout 时,只有 java 客户端注销了。

为了在 php 客户端中使用单点登录,您必须更改:

phpCAS::handleLogoutRequests();

for

phpCAS::handleLogoutRequests(false);

瞧!
请参阅 phpCAS 示例 中的文档

I had the same problem. We had a java and a php client. When I went to http://mycasserver/logout only the java client logged out.

For the single sign out to work in the php client, you have to change:

phpCAS::handleLogoutRequests();

for

phpCAS::handleLogoutRequests(false);

And Voila!
Refer to the documentation at phpCAS examples

轻拂→两袖风尘 2024-11-16 19:13:25

在切换到 spring 配置之前,我的应用程序的配置基本相同。我查看了 SVN,基本上与您的配置的唯一区别是使用 单点注销侦听器

listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

这对您有用吗?当然,如果有效的话,不要忘记将其添加到两个 WebApp 上。

更新:
我在 docs,它应该执行您的设置中缺少的操作

I've had basically the same configuration for my application before I switched to the spring configuration. I had a look on the SVN and basically the only difference to your config is the use of the Single Sign Out Listener

listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

Could this work for you? Of course don't forget to add it on both WebApps if it works.

UPDATE:
I found the description of the listener in the docs, and it should do what's missing in your setting

如梦初醒的夏天 2024-11-16 19:13:25

您应该验证 CAS 服务器是否可以向您的 Web 应用程序发送 HTTP 请求。查看 CAS 服务器的日志。

You should verify that the CAS server can send a HTTP request to your webapp. Have a look in the logs of the CAS server.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文