使用CAS的Spring Security - SessionTimeout配置

时间:2013-12-04 07:54:36

标签: session-timeout cas spring-security-cas

我已经使用CAS实现了Spring Security,并且正在尝试配置会话超时。我看到ticketExpirationPolicies.xml中的设置值会对此有所帮助。我尝试过配置值,但会话永远不会过期。我也试过在web.xml中设置会话到期时间。这是我的spring-application-context配置:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/context 
http://www.springframework.org/schema/context/spring-context-3.1.xsd">
    <context:property-placeholder />
    <http auto-config='true' entry-point-ref="casEntryPoint">
        <intercept-url pattern="/**" access="ROLE_ADMIN" />
        <custom-filter position="CAS_FILTER" ref="casFilter" />
        <logout logout-success-url="/j_spring_cas_security_logout" />
        <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
        <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    </http>
    <beans:bean id="singleLogoutFilter"
        class="org.jasig.cas.client.session.SingleSignOutFilter" />
    <beans:bean id="requestSingleLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="https://myipaddress:8443/cas/logout" />
        <beans:constructor-arg>
            <beans:bean
                class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout" />
    </beans:bean>
    <beans:bean id="casFilter"
        class="org.springframework.security.cas.web.CasAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationSuccessHandler">
            <beans:bean
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                <beans:property name="defaultTargetUrl" value="/" />
            </beans:bean>
        </beans:property>
    </beans:bean>
    <beans:bean id="casEntryPoint"
        class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
        <beans:property name="loginUrl"
            value="https://myipaddress:8443/cas/login" />
        <beans:property name="serviceProperties" ref="serviceProperties" />
    </beans:bean>
    <beans:bean id="serviceProperties"
        class="org.springframework.security.cas.ServiceProperties">
        <beans:property name="service"
            value="https://myipaddress:8443/myApp/j_spring_cas_security_check" />
        <beans:property name="sendRenew" value="false" />
    </beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="casAuthenticationProvider" />
    </authentication-manager>
    <beans:bean id="casAuthenticationProvider"
        class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userService" />
        <beans:property name="serviceProperties" ref="serviceProperties" />
        <beans:property name="ticketValidator">
            <beans:bean
                class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <beans:constructor-arg index="0"
                    value="https://myipaddress:8443/cas" />
            </beans:bean>
        </beans:property>
        <beans:property name="key"
            value="an_id_for_this_auth_provider_only" />
    </beans:bean>
    <user-service id="userService">
        <user name="user1" password="user1" authorities="ROLE_ADMIN" />
    </user-service>

</beans:beans>

我在web.xml中有单点登录配置:

<listener>
    <listener-class>
        org.jasig.cas.client.session.SingleSignOutHttpSessionListener
    </listener-class>
  </listener>
    <filter>
        <filter-name>characterEncodingFilter</filter-name>
        <filter-class>
            org.springframework.web.filter.CharacterEncodingFilter
        </filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>characterEncodingFilter</filter-name>
            <url-pattern>/*</url-pattern>
    </filter-mapping>

1 个答案:

答案 0 :(得分:1)

我找到了解决方案。对于通过CAS进行身份验证的每个Web应用程序,需要在web.xml中设置自己的会话超时设置。一旦会话超时,它就会在CAS服务器上进行身份验证。如果票证有更长的使用寿命,您将被重定向到defaultTargetUrl(如果已指定)。如果故障单已过期,系统将再次提示您输入凭据。

我的配置方式是,将票证到期时保持与我的Web应用程序中的会话超时相同。一旦会话在我的Web应用程序中超时,它就会发现票证已经过期,因为有效期与Web应用程序的有效性相同,并提示再次登录。

相关问题
最新问题