client是用域名訪問的
1.如果客戶端是一台服務器,查看cas-server的debug日志,發現server在客戶端登錄成功后,會記錄下客戶端的域名和票據,當用戶從客戶端退出時,會調server的logout,server取出所有同一票據的客戶端域名,循環清除session,但如果server服務器沒有配置客戶端域名對應的ip host文件,server找不到該域名對應的主機,因此清不掉session,導致無法退出。
解決方案:在server服務器配置host文件,配置客戶端域名和ip映射。
2.如果客戶端是集群模式
- 單點注銷為保證注銷成功,需保證配置的域名、IP地址在單點登錄服務端可以請求到,這樣單點登錄在做回調的時候才可以通過存儲的st信息把登錄的客戶端注銷成功
- 集群環境下單點登錄注銷會存在注銷不成功情況,原因是單點登錄服務在做回調的時候回可能分發在非登錄的tomcat服務上
解決方案:
1:Nginx+tomcat+redis session共享,該實現方案,不管注銷落在哪個tomcat都可以把redis中session注銷成功。(未實踐)
2:修改cas-client源碼,單點登錄客戶端集群采用廣播的方式,注銷時向所有節點發起注銷session操作。(實踐成功)
基於cas-client-core-3.4.1實現
參考 http://blog.csdn.net/zhurhyme/article/details/74726008?locationNum=5&fps=1
基於cas-client-core-3.2.1實現
參考 https://www.jianshu.com/p/4c6f010c420e
web.xml修改以下配置
<!-- 單點登錄退出監聽 -->
<listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <!-- 單點注銷過濾器。 -->
<filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>com.cas.SingleSignOutFilter</filter-class> <init-param> <description>cas client cluster nodes</description> <param-name>clusterNodeUrls</param-name> <param-value>http://ip:8080/client1/,http://ip:8081/client2/</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
修改cas-client 的SingleSignOutFilter和SingleSignOutHandler
import java.io.IOException; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import org.jasig.cas.client.session.SessionMappingStorage; import org.jasig.cas.client.util.AbstractConfigurationFilter; public class SingleSignOutFilter extends AbstractConfigurationFilter { private static final SingleSignOutHandler handler = new SingleSignOutHandler(); public void init(FilterConfig filterConfig) throws ServletException { if (!isIgnoreInitConfiguration()) { handler.setArtifactParameterName(getPropertyFromInitParams(filterConfig, "artifactParameterName", "ticket")); handler.setLogoutParameterName(getPropertyFromInitParams(filterConfig, "logoutParameterName", "logoutRequest")); //clusterNodeUrls handler.setClusterNodeUrls(getPropertyFromInitParams(filterConfig, "clusterNodeUrls", "")); } handler.init(); } public void setArtifactParameterName(String name) { handler.setArtifactParameterName(name); } public void setLogoutParameterName(String name) { handler.setLogoutParameterName(name); } public void setSessionMappingStorage(SessionMappingStorage storage) { handler.setSessionMappingStorage(storage); } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) servletRequest; if (handler.isTokenRequest(request)) { handler.recordSession(request); } else if(handler.isLogoutRequest(request)){//cas-server logout請求 handler.destroySession(request); return; } else if(handler.isLogoutRequestFromClusterNode(request)){//接收其它節點發送的http logout請求 //清除本節點session handler.destroySessionFromClusterNode(request); return; } filterChain.doFilter(servletRequest, servletResponse); } @Override public void destroy() { } protected static SingleSignOutHandler getSingleSignOutHandler() { return handler; } }
import java.util.ArrayList; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.http.NameValuePair; import org.apache.http.client.HttpClient; import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.methods.HttpPost; import org.apache.http.client.utils.HttpClientUtils; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.message.BasicNameValuePair; import org.jasig.cas.client.session.HashMapBackedSessionMappingStorage; import org.jasig.cas.client.session.SessionMappingStorage; import org.jasig.cas.client.util.CommonUtils; import org.jasig.cas.client.util.XmlUtils; public final class SingleSignOutHandler { private final Log log = LogFactory.getLog(getClass()); private SessionMappingStorage sessionMappingStorage = new HashMapBackedSessionMappingStorage(); private String artifactParameterName = "ticket"; private String logoutParameterName = "logoutRequest"; private String logoutParameterClusterName = "logoutRequestCluster"; ///clusterNodeUrls private String clusterNodeUrls; public void setSessionMappingStorage(SessionMappingStorage storage) { this.sessionMappingStorage = storage; } public SessionMappingStorage getSessionMappingStorage() { return this.sessionMappingStorage; } public void setArtifactParameterName(String name) { this.artifactParameterName = name; } public void setLogoutParameterName(String name) { this.logoutParameterName = name; } public void setClusterNodeUrls(String clusterNodeUrls) { this.clusterNodeUrls = clusterNodeUrls; } public void init() { CommonUtils.assertNotNull(this.artifactParameterName,"artifactParameterName cannot be null."); CommonUtils.assertNotNull(this.logoutParameterName,"logoutParameterName cannot be null."); CommonUtils.assertNotNull(this.sessionMappingStorage,"sessionMappingStorage cannote be null."); } public boolean isTokenRequest(HttpServletRequest request) { return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request,this.artifactParameterName)); } public boolean isLogoutRequest(HttpServletRequest request) { log.info("isLogoutRequest begin----"); log.info(request.getRequestURL()); log.info("request.getMethod()=" + request.getMethod()); log.info("CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName,this.safeParameters))=" + CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName))); log.info("isLogoutRequest end----"); return ("POST".equals(request.getMethod())) && (!isMultipartRequest(request)) && (CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName))); } /** * 判斷是否是其它節點發送的logout通知 * @param request * @return */ public boolean isLogoutRequestFromClusterNode(HttpServletRequest request) { log.info("isLogoutRequestFromClusterNode begin---"); log.info("clusterNodeUrls=" + this.clusterNodeUrls); log.info("request.getParameter(this.logoutParameterClusterName)=" + request.getParameter(this.logoutParameterClusterName)); log.info("isLogoutRequestFromClusterNode end---"); return (!isMultipartRequest(request)) && ("true".equals(request.getParameter(this.logoutParameterClusterName))); } public void recordSession(HttpServletRequest request) { HttpSession session = request.getSession(true); String token = CommonUtils.safeGetParameter(request,this.artifactParameterName); log.info("--------recordSession-------------token:"+token); if (this.log.isDebugEnabled()) { this.log.debug("Recording session for token " + token); } try { this.sessionMappingStorage.removeBySessionById(session.getId()); } catch (Exception e) { } this.sessionMappingStorage.addSessionById(token, session); } public void destroySession(HttpServletRequest request) { log.info("destroySession begin---"); String logoutMessage = CommonUtils.safeGetParameter(request,this.logoutParameterName); if (this.log.isTraceEnabled()) { this.log.trace("Logout request:\n" + logoutMessage); } String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex"); if (CommonUtils.isNotBlank(token)) { HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token); if (session != null) {//session在當前節點 log.info("destroySession session在當前節點------"); String sessionID = session.getId(); if (this.log.isDebugEnabled()) { this.log.debug("Invalidating session [" + sessionID + "] for token [" + token + "]"); } try { session.invalidate(); } catch (IllegalStateException e) { this.log.debug("Error invalidating session.", e); } }else {//session不在當前節點 log.info("destroySession session不在當前節點------"); //清除其他節點,采用廣播形式發送http請求 destroySessionOfClusterNodes(token); } } log.info("destroySession end---"); } /** * 采用廣播形式發送http請求,通知其他節點清除session * @author xubo 2018-3-21 * @param token */ private void destroySessionOfClusterNodes(String token) { //廣播到所有節點 log.info("destroySessionOfClusterNodes--begin-----:" + token); if(this.clusterNodeUrls != null && this.clusterNodeUrls.length() > 0){ log.info(clusterNodeUrls); String[] clusters = this.clusterNodeUrls.split(","); for (String url : clusters) { HttpClient httpClient = new DefaultHttpClient(); HttpPost httpPostReq = new HttpPost(url); List<NameValuePair> paramList = new ArrayList<NameValuePair>(); paramList.add(new BasicNameValuePair(this.logoutParameterClusterName,"true")); paramList.add(new BasicNameValuePair(this.artifactParameterName,token)); try { httpPostReq.setEntity(new UrlEncodedFormEntity(paramList)); httpClient.execute(httpPostReq); } catch (Exception e) { log.debug("Error destroySessionOfClusterNodes.",e); }finally{ HttpClientUtils.closeQuietly(httpClient); } } } log.info("destroySessionOfClusterNodes--end-----:" + token); } /** * 接收從其它節點的通知,清除session * @author xubo 2018-3-21 * @param request */ public void destroySessionFromClusterNode(HttpServletRequest request){ String token = request.getParameter(this.artifactParameterName); log.info("destroySessionFromClusterNode----begin---:" + token); if(CommonUtils.isNotBlank(token)){ final HttpSession session = sessionMappingStorage.removeSessionByMappingId(token); if(session != null){ String sessionID = session.getId(); if(log.isDebugEnabled()){ log.debug("Invalidating session[" + sessionID +"] for token [" + token + "]"); } try { session.invalidate(); } catch (final IllegalStateException e) { log.debug("Error invalidating session",e); } } } log.info("destroySessionFromClusterNode----end---:" + token); } private boolean isMultipartRequest(HttpServletRequest request) { return (request.getContentType() != null) && (request.getContentType().toLowerCase().startsWith("multipart")); } }