Question

我有单点登录工作，但单点登出不起作用。

场景是这样的：

打开webapp1并重定向到CAS登录页面
输入详细信息并登录
打开也使用CAS的webapp2。用户已登录时自动登录。
退出webapp1
尝试打开webapp1或webapp2（在另一个标签页中），将您重定向回登录页面。
但是，步骤3中的webapp2会话未关闭，用户仍然可以毫无问题地使用该应用程序。如何在用户退出时自动使会话失效？

两个应用程序的注销按钮首先调用session.invalidate()，然后重定向到https://localhost:8443/cas/logout

单点注销过滤器是web.xml文件中的第一个过滤器。我在web.xml中也有SingleSignOutHttpSessionListener。

以下是我的web.xml摘录

<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params. 
    CAS Authentication Filter and CAS Validation Filter need a serverName init-param 
    in lieu of a context-param definition. -->
<context-param>
    <param-name>serverName</param-name>
    <param-value>https://localhost:8443</param-value>
</context-param>

  <!-- Facilitates CAS single sign-out -->
  <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!--
  CAS client filters
  Single sign-out filter MUST come first since it needs to be evaluated
  before other filters.
  -->
  <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!--
        IMPORTANT:
        Use Saml11AuthenticationFilter for version 3.1.12 and later.
        Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
        versions.
        -->
        <filter-class>
              org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
              <param-name>casServerLoginUrl</param-name>
              <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
        <init-param>
        <param-name>service</param-name>
        <param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
    </init-param>
  </filter>

  <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
        <init-param>
              <param-name>casServerUrlPrefix</param-name>
              <param-value>https://localhost:8443/cas</param-value>
        </init-param>
        <init-param>
              <param-name>redirectAfterValidation</param-name>
              <param-value>true</param-value>
        </init-param>
        <init-param>
              <!-- Leniency of time checking in ms when validating SAML assertions. Consider 
                    setting this parameter more liberally if you anticipate system clock drift 
                    on your application servers relative to the CAS server. The default is 1000 
                    (1s) and at least one person had problems with drift at that small a tolerance 
                    value. A good approach is to start low and then increase by 1000 as needed 
                    until problems stop. Note that increasing this value may have negative security 
                    implications. Consider fixing clock drift problems as an alternative. -->
              <param-name>tolerance</param-name>
              <param-value>1000</param-value>
        </init-param>
  </filter>

  <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Answer 1

我遇到了同样的问题。我们有一个java和一个PHP客户端。当我去http://mycasserver/logout时，只有java客户端退出。

要在php客户端中单点注销，你必须改变：

phpCAS::handleLogoutRequests();

的

phpCAS::handleLogoutRequests(false);

而且瞧！请参阅phpCAS examples

上的文档

Answer 2

如果您使用的是SAML 1.1协议，请确保包含artifactParameterName参数

https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out

<filter>
   <filter-name>CAS Single Sign Out Filter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
   <init-param>
      <param-name>artifactParameterName</param-name>
      <param-value>SAMLart</param-value>
   </init-param>
</filter>

Answer 3

我还遇到了标准CAS协议的另一个问题，即单点注销在集成服务器上运行，但不在本地主机上运行。

方案

使用http://my-app-dev/app

http://localhost:8080/app

http://my-cas/cas

退出CAS http://my-cas/cas/logout
http://my-app-dev/app现在将我反复给CAS
http://localhost:8080 - 仍然登录！

我怀疑原因是CAS服务器无法向localhost:8080发送退出消息，因为localhost已在 CAS 服务器的上下文中解析，因此它不会实际上是在谈谈我当地的开发环境。

Answer 4

在切换到弹簧配置之前，我的应用程序配置基本相同。我查看了SVN，基本上你配置的唯一区别就是使用了Single Sign Out Listener

listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

这对你有用吗？当然，如果有效，请不要忘记在两个WebApp上添加它。

更新：我在docs中找到了听众的描述，它应该做你设置中缺少的内容

Answer 5

您应该验证CAS服务器是否可以向您的webapp发送HTTP请求。查看CAS服务器的日志。

JASIG CAS：单点登出不起作用

5 个答案: