浏览 3668 次
|
精华帖 (0) :: 良好帖 (0) :: 新手帖 (0) :: 隐藏帖 (0)
|
|
|---|---|
| 作者 | 正文 |
|
发表时间:2011-11-13
最近研究cas,发现在设置ticketGrantingTicket超时后,打开https://tski.com:8443/cas 仍然显示成功
ticketExpirationPolicies.xml <!-- This argument is the time a ticket can exist before its considered expired. 设置为5秒超时--> <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy"> <constructor-arg index="0" value="5000" /> </bean> ticketRegistry.xml <!-- 10秒检查一次是否有ticket需要clean --> <bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean" p:jobDetail-ref="jobDetailTicketRegistryCleaner" p:startDelay="2000" p:repeatInterval="10000" /> 仍然显示成功 
所以猜测,TGT超时与使用https://tski.com:8443/cas/logout 不同地方在于,后者清除了cookie中的TGT 于是找到logout的处理代码 org.jasig.cas.web.LogoutController
protected ModelAndView handleRequestInternal(
final HttpServletRequest request, final HttpServletResponse response)
throws Exception {
final String ticketGrantingTicketId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
final String service = request.getParameter("service");
if (ticketGrantingTicketId != null) {
this.centralAuthenticationService
.destroyTicketGrantingTicket(ticketGrantingTicketId);
//清除cookie
this.ticketGrantingTicketCookieGenerator.removeCookie(response);
this.warnCookieGenerator.removeCookie(response);
}
if (this.followServiceRedirects && service != null) {
return new ModelAndView(new RedirectView(service));
}
return new ModelAndView(this.logoutView);
}
而TGT超时时,cas server 不能获取cookie 继续猜测,打开https://tski.com:8443/cas时,cas server只判断了cookie中是否有TGT,但是没判断org.jasig.cas.ticket.registry.TicketRegistry中是否还存在TGT。 找到login-webflow.xml
<!-- 在flowScope.ticketGrantingTicketId && flowScope.service 为null的情况下,页面会跳转到viewGenericLoginSuccess -->
<on-start>
<evaluate expression="initialFlowSetupAction" />
</on-start>
<decision-state id="ticketGrantingTicketExistsCheck">
<if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>
...
<decision-state id="hasServiceCheck">
<if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
</decision-state>
所以现在要确认flowScope.ticketGrantingTicketId , flowScope.service 是什么东西 找到org.jasig.cas.web.flow.InitialFlowSetupAction
protected Event doExecute(final RequestContext context) throws Exception {
final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
if (!this.pathPopulated) {
... }
//ticketGrantingTicketId是从cookie里取的,问题很清楚了
context.getFlowScope().put(
"ticketGrantingTicketId", this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request));
context.getFlowScope().put(
"warnCookieValue",
Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));
//service 只有在从其他系统跳转到cas server时才可能不是null
final Service service = WebUtils.getService(this.argumentExtractors,
context);
if (service != null && logger.isDebugEnabled()) {
logger.debug("Placing service in FlowScope: " + service.getId());
}
context.getFlowScope().put("service", service);
return result("success");
}
最后,修改代码 org.jasig.cas.web.flow.InitialFlowSetupAction
//注入 ticketRegistry
@NotNull
private TicketRegistry ticketRegistry;
public TicketRegistry getTicketRegistry() {
return ticketRegistry;
}
public void setTicketRegistry(TicketRegistry ticketRegistry) {
this.ticketRegistry = ticketRegistry;
}
protected Event doExecute(final RequestContext context) throws Exception {
final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
if (!this.pathPopulated) {
... }
//从ticketRegistry中获取TGT
context.getFlowScope().put(
"ticketGrantingTicketId", ticketRegistry.getTicket(this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request)));
context.getFlowScope().put(
"warnCookieValue",
Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));
final Service service = WebUtils.getService(this.argumentExtractors,
context);
if (service != null && logger.isDebugEnabled()) {
logger.debug("Placing service in FlowScope: " + service.getId());
}
context.getFlowScope().put("service", service);
return result("success");
}
修改cas-servlet.xml <!-- 最后一行 p:ticketRegistry-ref="ticketRegistry" ,注入ticketRegistry --> <bean id="initialFlowSetupAction" class="org.jasig.cas.web.flow.InitialFlowSetupAction" p:argumentExtractors-ref="argumentExtractors" p:warnCookieGenerator-ref="warnCookieGenerator" p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator" p:ticketRegistry-ref="ticketRegistry"/> 声明:ITeye文章版权属于作者,受法律保护。没有作者书面许可不得转载。
推荐链接
|
| 返回顶楼 | |
