CAS and Spring-Security: regularly check if a ticket has expired

Question

I have a CAS-Server and a Client configured via Spring-Security. Single Sign On and Single Logout are working fine so far.

I'm still facing an issue with session timeout. As I understand the ticket expiration policy is not affected by idleness of the secured CAS client side session. So a client must actively revalidate a ticket to see if it has expired and is not being posted the expiration event by the CAS server as it is the case when a single logout is performed.

To force my spring secured client to regularly check for the expiration of the ticket I might set the session timeout to a low value like a minute or so. But that has the drawback of all my session data to be removed. Not very user friendly.

Is there a way to tell spring-security to regularly check if a ticket is still valid without destroying the user session first?

Recommended answer

I would be pretty confident on the Javascript solution as it's just a simple check to force local logout. Though, it needs to customize your CAS server, that you cannot do.

You have the solution of having a shorter session on application side to force regular re-authentication, but this means that you will invalidate often your application session and recreate it.

A better solution can be based on the gateway parameter of the CAS protocol: using this parameter will not produce a service ticket if you are not SSO authenticated. So you could have:


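  1. An application filter which, every 5 minutes, saves the current URL and triggers a CAS round trip with gateway=true and a specific service: http://myserver/myapp/checkCasSession

  2. A specific URL, /checkCasSession: if a service ticket is received, everything is fine, the CAS session is still valid, and the original URL is simply restored. If there is no service ticket, the local session must end and a local logout is triggered.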
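
One way to implement both steps as a single servlet filter, shown as an added example that is not code from the answer or from Spring Security; it also validates the returned ticket against CAS and compares the user, which the answer does not spell out. Assumptions: Servlet 4.0 (`javax.servlet`), Java 10+, the Jasig CAS client 3.x validator on the classpath, a placeholder CAS base URL, hypothetical `cas.*` session attribute names, and a filter registered after Spring Security's filter chain.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.*;
import javax.servlet.http.*;
import org.jasig.cas.client.validation.*;

public class CasSessionCheckFilter implements Filter {
    static final String CAS = "https://cas.example.org/cas"; // placeholder CAS base URL (assumption)
    static final String SERVICE = "http://myserver/myapp/checkCasSession"; // URL from the answer
    static final long INTERVAL_MS = 5 * 60 * 1000L; // "every 5 minutes"
    private final TicketValidator validator = new Cas20ServiceTicketValidator(CAS);

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);
        String user = req.getRemoteUser(); // set by Spring Security when it runs before this filter
        if (s == null || user == null) { chain.doFilter(rq, rs); return; } // not logged in locally
        if (req.getRequestURI().endsWith("/checkCasSession")) {
            String back = (String) s.getAttribute("cas.returnUrl"); // attribute names are assumptions
            if (back != null && valid(req.getParameter("ticket"), user)) {
                s.setAttribute("cas.lastCheck", System.currentTimeMillis());
                res.sendRedirect(back);  // SSO session still alive: resume the saved URL
            } else {
                s.invalidate();          // no valid ticket came back: local logout
                res.sendRedirect(req.getContextPath() + "/");
            }
            return;
        }
        Long last = (Long) s.getAttribute("cas.lastCheck");
        boolean due = last == null || System.currentTimeMillis() - last > INTERVAL_MS;
        if (due && "GET".equals(req.getMethod())) { // redirecting a POST would drop its body
            String q = req.getQueryString();
            s.setAttribute("cas.returnUrl", req.getRequestURI() + (q == null ? "" : "?" + q));
            res.sendRedirect(CAS + "/login?gateway=true&service="
                    + URLEncoder.encode(SERVICE, StandardCharsets.UTF_8));
            return;
        }
        chain.doFilter(rq, rs);
    }
    private boolean valid(String ticket, String user) {
        try { // a ticket parameter proves nothing until CAS validates it for this service and user
            return ticket != null
                    && user.equals(validator.validate(ticket, SERVICE).getPrincipal().getName());
        } catch (TicketValidationException e) { return false; }
    }
}
```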
