CAS 单点注销不起作用
CAS Single logout not working
我正在通过 CAS 在 Java EE 环境中实施单点登录 + 单点注销。
在身份验证方面,我有 cas-server-webapp v4.0.1。然后是 2 个简单的 Java + Spring MVC 网络应用程序 cas-client-corev3.1.10.
没有关于单点登录的问题。如果我访问 /app1,我将被重定向到 cas-server-webapp 中的 cas 登录页面。在 user+pass 输入后,我被重定向到 /app1 正确验证。此外,如果我导航到 /app2,这一个会得到它的授权票。到目前为止一切顺利。
关于单点退出,可能是我误解了doc:但是我是这样的:
app1 和 app2 各有一个 Spring 控制器映射到 /logout url:
@Controller
public class LogoutController {
@RequestMapping("/logout")
public String logout(HttpSession session){
session.invalidate();
return "redirect:https://cas-server-host:8443/cas/logout?service=http://cas-server-host:9080/cas1/action/index";
}
}
也就是说,我使http会话失效,并重定向到cas服务器注销url,使票证失效。
在 cas 服务器日志中我看到它破坏了 TGT 票证并向每个应用程序的 CAS 过滤器发送注销请求:
DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry.>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] found in registry.>
DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...>
DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-13-TfRj1HnvAjpBjNIdaDvDMJUMXk7wffdXgB5" Version="2.0" IssueInstant="2015-02-10T12:18:18Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-16-aXpUJpwO4MQ09caXZRKX-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]>
DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas2]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas2>
DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-14-BaKvuaIbwxg9Le9H3QIvWORfNSE0dxaxsCE" Version="2.0" IssueInstant="2015-02-10T12:18:20Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-15-zaX6aojKs0PiggCles6J-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Finished sending message to http://localhost:9080/cas2>
DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas1]>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas1>
INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Tue Feb 10 12:18:20 CET 2015
CLIENT IP ADDRESS: 192.168.13.164
SERVER IP ADDRESS: 192.168.13.164
=============================================================
现在,假设我从 /cas1 注销,我被送回 cas 服务器登录页面。无需再次登录,如果我访问 /app2,我可以像仍然通过身份验证一样浏览此应用程序,并且我可以访问它的 java.user.Principal 和会话。这怎么可能? /app2 中收到的注销请求是否应该破坏了 Principal 和 http 会话?
...我的错,果然少了点什么。我必须在两个应用程序中包含单点注销过滤器和监听器:
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern></filter-mapping>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas-server-host:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>http://localhost:9080/cas1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas-server-host:8443/cas/</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>http://localhost:9080/cas1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我正在通过 CAS 在 Java EE 环境中实施单点登录 + 单点注销。
在身份验证方面,我有 cas-server-webapp v4.0.1。然后是 2 个简单的 Java + Spring MVC 网络应用程序 cas-client-corev3.1.10.
没有关于单点登录的问题。如果我访问 /app1,我将被重定向到 cas-server-webapp 中的 cas 登录页面。在 user+pass 输入后,我被重定向到 /app1 正确验证。此外,如果我导航到 /app2,这一个会得到它的授权票。到目前为止一切顺利。
关于单点退出,可能是我误解了doc:但是我是这样的:
app1 和 app2 各有一个 Spring 控制器映射到 /logout url:
@Controller
public class LogoutController {
@RequestMapping("/logout")
public String logout(HttpSession session){
session.invalidate();
return "redirect:https://cas-server-host:8443/cas/logout?service=http://cas-server-host:9080/cas1/action/index";
}
}
也就是说,我使http会话失效,并重定向到cas服务器注销url,使票证失效。
在 cas 服务器日志中我看到它破坏了 TGT 票证并向每个应用程序的 CAS 过滤器发送注销请求:
DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry.>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] found in registry.>
DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...>
DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-13-TfRj1HnvAjpBjNIdaDvDMJUMXk7wffdXgB5" Version="2.0" IssueInstant="2015-02-10T12:18:18Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-16-aXpUJpwO4MQ09caXZRKX-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]>
DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas2]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas2>
DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-14-BaKvuaIbwxg9Le9H3QIvWORfNSE0dxaxsCE" Version="2.0" IssueInstant="2015-02-10T12:18:20Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-15-zaX6aojKs0PiggCles6J-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Finished sending message to http://localhost:9080/cas2>
DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas1]>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry>
DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]>
DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas1>
INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Tue Feb 10 12:18:20 CET 2015
CLIENT IP ADDRESS: 192.168.13.164
SERVER IP ADDRESS: 192.168.13.164
=============================================================
现在,假设我从 /cas1 注销,我被送回 cas 服务器登录页面。无需再次登录,如果我访问 /app2,我可以像仍然通过身份验证一样浏览此应用程序,并且我可以访问它的 java.user.Principal 和会话。这怎么可能? /app2 中收到的注销请求是否应该破坏了 Principal 和 http 会话?
...我的错,果然少了点什么。我必须在两个应用程序中包含单点注销过滤器和监听器:
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern></filter-mapping>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://cas-server-host:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>http://localhost:9080/cas1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://cas-server-host:8443/cas/</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>http://localhost:9080/cas1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>