如何解决JASIG CAS:单点注销不起作用
| 我的单点登录工作正常,但是单点退出无效。 场景是这样的: 打开webapp1并重定向到CAS登录页面 输入详细信息并登录 打开也使用CAS的webapp2。用户已经登录,自动登录。 注销webapp1 尝试打开webapp1或webapp2(在另一个选项卡中)会将您重定向回登录页面。 但是,第3步中与webapp2的会话没有关闭,用户仍然可以使用该应用程序而没有任何问题。用户注销后,如何自动使会话无效? 这两个应用程序的注销按钮首先调用session.invalidate()
,然后重定向到https://localhost:8443/cas/logout
单一注销过滤器是web.xml文件中的第一个过滤器。我在web.xml中也有“ 2”字样。
以下是我的web.xml的摘录
<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params.
CAS Authentication Filter and CAS Validation Filter need a serverName init-param
in lieu of a context-param definition. -->
<context-param>
<param-name>serverName</param-name>
<param-value>https://localhost:8443</param-value>
</context-param>
<!-- Facilitates CAS single sign-out -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!--
CAS client filters
Single sign-out filter MUST come first since it needs to be evaluated
before other filters.
-->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<!--
IMPORTANT:
Use Saml11AuthenticationFilter for version 3.1.12 and later.
Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
versions.
-->
<filter-class>
org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>service</param-name>
<param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>https://localhost:8443/cas</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<!-- Leniency of time checking in ms when validating SAML assertions. Consider
setting this parameter more liberally if you anticipate system clock drift
on your application servers relative to the CAS server. The default is 1000
(1s) and at least one person had problems with drift at that small a tolerance
value. A good approach is to start low and then increase by 1000 as needed
until problems stop. Note that increasing this value may have negative security
implications. Consider fixing clock drift problems as an alternative. -->
<param-name>tolerance</param-name>
<param-value>1000</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
解决方法
如果您使用的是SAML 1.1协议,请确保包含the4ѭ参数
https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>artifactParameterName</param-name>
<param-value>SAMLart</param-value>
</init-param>
</filter>
,我还遇到了标准CAS协议的另一个问题,其中单点注销在集成服务器上起作用,但不在本地主机上起作用。
情境
用CAS上http://my-cas/cas
登录http://my-app-dev/app
和http://localhost:8080/app
注销CAShttp://my-cas/cas/logout
http://my-app-dev/app
现在将我弹回CAS
http://localhost:8080
-仍然登录!
我怀疑原因是CAS服务器无法向localhost:8080
发送登出消息,因为localhost
是在CAS服务器的上下文中解决的,因此它实际上并未与我的本地开发环境对话。
,我有同样的问题。我们有一个Java和一个PHP客户端。当我去ѭ14时,只有Java客户端注销了。
为了使单点注销可以在php客户端中工作,您必须进行以下更改:
phpCAS::handleLogoutRequests();
对于
phpCAS::handleLogoutRequests(false);
和瞧!
请参阅phpCAS示例中的文档
,在切换到spring配置之前,我的应用程序具有基本相同的配置。我看了看SVN,基本上,您配置的唯一区别是使用了Single Sign Out Listener
listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
能为您工作吗?当然,如果可以,请不要忘记将其添加到两个WebApp中。
更新:
我在文档中找到了侦听器的描述,它应该可以解决您的设置中缺少的内容
,您应该验证CAS服务器可以将HTTP请求发送到您的Web应用程序。查看CAS服务器的日志。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。