CAS Single LogOut(SLO)不起作用-CAS 4.2.3 [英] CAS Single LogOut(SLO) not working - CAS 4.2.3

查看:639
本文介绍了CAS Single LogOut(SLO)不起作用-CAS 4.2.3的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在CAS中遇到单一注销"问题.我正在使用CAS服务器4.2.3和Spring 3.2.我的客户定制应用程序是在Spring Security上配置的.遵循以下文档, http ://docs.spring.io/spring-security/site/docs/3.2.9.RELEASE/reference/htmlsingle/#cas-singlelogout

I am having issues with Single LogOut in CAS. I am using CAS server 4.2.3 and Spring 3.2. My client casified applications are configured on spring security. Followed the following documentation, http://docs.spring.io/spring-security/site/docs/3.2.9.RELEASE/reference/htmlsingle/#cas-singlelogout

我有2个cas客户端Web应用程序.当我从一个cas客户端Web应用程序中注销并刷新已经登录的第二个cas客户端应用程序中的页面时(在同一浏览器中的另一个选项卡中),我认为登录页面会显示为已经从第一个cas客户端应用程序执行了一次LogOut.但这是行不通的.

I have 2 cas client web application. When I logout from one of the cas client web application, and refresh the page in the 2nd cas client application which I already logged in (in the same browser in a different tab), I would think that the login page would show up as I already did a single LogOut from the 1st cas client application. But it doesn't work.

我不确定我缺少什么.我已经发布了web.xml,spring-security.xml,logout.jsp和cas.log的代码片段

I am not sure what I am missing. I have posted the code snippet of web.xml, spring-security.xml, logout.jsp and cas.log

任何帮助或指针,我们将不胜感激.

Any help or pointers is greatly appreciated.

web.xml 

<filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

spring-security.xml 

<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <property name="service" value="https://<hostname>:8444/WebApp3/j_spring_cas_security_check" />
    <property name="sendRenew" value="false" />
</bean>

<sec:http use-expressions="true" entry-point-ref="casEntryPoint">
    <sec:intercept-url pattern="/login/*" access="permitAll()" />
    <sec:intercept-url pattern="/lib/**" access="permitAll()" />
    <sec:intercept-url pattern="/**" access="isAuthenticated()" />
    <sec:form-login login-page="/ingress.do" default-target-url="/ingress.do" always-use-default-target="false"
        authentication-failure-url="/login.jsp" />

    <sec:logout logout-success-url="/logout.jsp" />
    <sec:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
    <sec:custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    <sec:custom-filter position="CAS_FILTER" ref="casFilter" />

</sec:http>

<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />

<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="https://<hostname>/cas/logout" />
    <constructor-arg>
        <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logout/cas" />
</bean>

<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="https://<hostname>/cas/login" />
    <property name="serviceProperties" ref="serviceProperties" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="casAuthenticationProvider" />
</sec:authentication-manager>

<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="authenticationUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <constructor-arg ref="userService" />
        </bean>
    </property>
    <property name="serviceProperties" ref="serviceProperties" />
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://<hostname>/cas" />
        </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only" />
</bean>

<bean id="userService" class="org.hpi.iris.services.CustomUserDetailsService" />

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="/" />
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
        </list>
    </constructor-arg>
</bean>

<bean id="servletContext" class="org.springframework.web.context.support.ServletContextFactoryBean" />

<bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="casEntryPoint" />
</bean>

<bean id="wrappingFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" />

logout.jsp 

<a href="logout/cas">Logout of in all applications</a>

cas.log 

2016-09-19 15:47:09,995 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-qFurZ54zaXVbviIalCkZ93lDbYuBAT6m5qE" Version="2.0" IssueInstant="2016-09-19T15:47:09Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname></samlp:SessionIndex></samlp:LogoutRequest>]
2016-09-19 15:47:09,995 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Sending logout request for: [https://<hostname>:8444/WebApp3/j_spring_cas_security_check]
2016-09-19 15:47:10,000 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@1771cadc[url=https://<hostname>:8444/WebApp3/j_spring_cas_security_check,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-qFurZ54zaXVbviIalCkZ93lDbYuBAT6m5qE" Version="2.0" IssueInstant="2016-09-19T15:47:09Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname></samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]
2016-09-19 15:47:10,068 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@655231e3[ticketId=ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname>,service=https://<hostname>:8444/WebApp3/j_spring_cas_security_check,status=SUCCESS]]
2016-09-19 15:47:10,069 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,071 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-**********************************************lfaFE4hhow-<hostname>] found in registry.
2016-09-19 15:47:10,072 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing children of ticket [TGT-**********************************************lfaFE4hhow-<hostname>] from the registry.
2016-09-19 15:47:10,084 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [TGT-**********************************************lfaFE4hhow-<hostname>] from the registry.
2016-09-19 15:47:10,099 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Publishing org.jasig.cas.support.events.CasTicketGrantingTicketDestroyedEvent@b348523[ticketGrantingTicket=TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Trying to see if target's return value is instance of [Assertion]...
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Resolving principal from the delegate principal resolver: [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver@3d5cf9c4]...
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [String] for audit
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,101 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [TGT-**********************************************lfaFE4hhow-<hostname>] by type [Ticket] cannot be found in the ticket registry.
2016-09-19 15:47:10,109 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Could not locate ticket [TGT-**********************************************lfaFE4hhow-<hostname>] in the registry
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Meaningful principal id could not be resolved by [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver@4dafaeaa]. Returning [audit:unknown]...
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.web.support.TGCCookieRetrievingCookieGenerator] - Removed cookie with name [TGC]
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.web.WarningCookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
2016-09-19 15:47:10,118 DEBUG [org.jasig.cas.services.web.RegisteredServiceThemeBasedViewResolver] - View resolved: /WEB-INF/view/jsp/default/ui/casLogoutView.jsp
2016-09-19 15:47:10,179 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Connecting socket to <hostname>/<hostip>:8444 with timeout 5000
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Starting handshake
2016-09-19 15:47:10,205 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Secure session established
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  negotiated protocol: TLSv1.2
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  peer principal: CN=<hostname>, OU=HPI, O=HP, L=Bloomington, ST=MN, C=US
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  issuer principal: CN=<hostname>, OU=HPI, O=HP, L=Bloomington, ST=MN, C=US
2016-09-19 15:47:31,024 DEBUG [org.jasig.cas.util.CasSpringBeanJobFactory] - Created job org.jasig.cas.services.DefaultServicesManagerImpl$ServiceRegistryReloaderJob@4340fcf7 for bundle org.quartz.spi.TriggerFiredBundle@8f5988b

推荐答案

显然,我找到了一个问题的答案,即我从一个CAS客户端注销,而另一个CAS客户端没有注销.为此,CAS服务器需要了解所有已注册的服务.

Apparently I figured out an answer for the question where I logout out of one CAS client, the other CAS client doesn't get logged out. For this to happen, CAS server needs to understand all the registered services.

我认为CAS服务管理工具对此负责.但是,这对我没有用.看来CAS管理服务没有执行此操作.尽管安装了服务管理工具并将其链接到我的CAS服务器仍然无法正常工作.

I thought that CAS service management tool was responsible for doing this. However, that did not work for me. It looks like CAS management service doesn't do it. In spite of installing a service management tool and linking it to my CAS server did not work.

我必须更进一步,并添加一些与RegexRegisteredService相关的配置文件.认为此配置已存在于服务管理工具中,就像我之前提到的那样,CAS服务器似乎并没有意识到这一点.因此,我不得不将这些文件从服务管理工具复制到CAS服务器.在CAS服务器中,我将其放置在以下位置:../WEB-INF/classes/services.文件名通常类似于AppName-UniqueID.json

I had to go a step further and add few configuration files related to RegexRegisteredService. Thought this configuration is present in service management tool, CAS server doesn't seem to recognize that, like I mentioned before. Hence, I had to copy those files from service management tool to CAS server. In CAS server, i placed it in the following location, ../WEB-INF/classes/services. The file name is usually like AppName-UniqueID.json

json文件看起来像这样

The json file would look something like this,

{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "https://<hostname>/AppName/j_spring_cas_security_check",
"name" : "App Name",
"id" : 7042148554761,
"logoutType" : "BACK_CHANNEL",
"logoutUrl" : "https://<hostname>/AppName/<Logout URL>"
}

请记住,您需要为每个cas客户端应用程序使用单独的文件.

Remember, you need to have separate file for each cas client application.

完成此步骤后,当我从其他CAS客户端控制台中的1个CAS客户端注销时,便能够看到来自CAS服务器的响应.现在,剩下的工作需要在CAS客户端完成,以便从CAS识别此注销操作并注销本地会话,这就是我现在正在做的事情.

Once I did this step, I was able to see the response from CAS server, when i logout from 1 CAS client, in other CAS client console. Now, the rest of the work needs to be done in the CAS client side to recognize this logout action from CAS and logout the local session, which is what I am working on now.

我是CAS新手.根据我的经验,我发现CAS文档有点模糊.它可能需要更多的清晰度.

I am new to CAS. In my experience, I found the CAS documentation little vague. It probably needs little more clarity.

这篇关于CAS Single LogOut(SLO)不起作用-CAS 4.2.3的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆