SSO单点登录系列6：cas单点登录防止登出退出后刷新后退ticket失效报500错

相关文章推荐

刚毅的鼠标 · 驻印度使馆在印主流媒体刊登西藏专版《乃堆拉： ...· 7 月前 ·

聪明的啤酒 · 数字中国建设发展成就与变革_中央网络安全和信 ...· 10 月前 ·

阳刚的板凳 · 全球最火的5大乐团，酷玩乐队仅排第四，第一名 ...· 1 年前 ·

飘逸的地瓜 · 合肥地铁8号线一期全线洞通_施工_区间_隧道· 1 年前 ·

另类的煎饼果子 · 新疆人为《中国好声音》亚军帕尔哈提加油_新浪新闻· 2 年前 ·

这个问题之前就发现过，最近有几个哥们一直在问我这个怎么搞，我手上在做另一个项目，cas就暂时搁浅了几周。现在我们来一起改一下你的应用(client2/3)的web.xml来解决这个2b问题，首先看下错误描述:

问题：我登录了client2，又登录了client3，现在我把client2退出了，在client3里面我F5刷新了一下，结果页面报错：

未能够识别出目标 'ST-41-2VcnVMguCDWJX5zHaaaD-cas01.example.org'票根

[html] view plain copy

type Exception report

message org.jasig.cas.client.validation.TicketValidationException:

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException:

鏈兘澶熻瘑鍒嚭鐩爣 'ST-41-2VcnVMguCDWJX5zHaaaD-cas01.example.org'绁ㄦ牴

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:155)

org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)

org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)

org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

root cause

org.jasig.cas.client.validation.TicketValidationException:

鏈兘澶熻瘑鍒嚭鐩爣 'ST-41-2VcnVMguCDWJX5zHaaaD-cas01.example.org'绁ㄦ牴

org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:73)

org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)

org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)

org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)

org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)

org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.37 logs.

猜都能猜出来，我注销了，ticket已经失效了，现在我又发回到server端，它就报错了。（客户端发过去就报错了），以下就是cas ticket失效处理的一个很简单的解决办法，复杂的话，需要修改client源码进行异常处理。

1.所以针对这个情况，我只能在web.xml中下手了，（你也可以修改客户端的jar包中的一些 Java 类，自己去做这个异常处理，接收所有在cas使用过程中会出错的处理，全部跳转到错误页面中，让掉线的人重新登录。在这里，我们采用web.xml配置一下）

2.这是官网解释：https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml 它的解释：

The correct order of the filters in web.xml is necessary:

AuthenticationFilter

TicketValidationFilter (whichever one is chosen)

HttpServletRequestWrapperFilter

AssertionThreadLocalFilter

3.这是一个哥们之前解释的：我贴出来。

单点登出，客户端配置。我尝试使用SAML作为认证和Ticket校验，但是调试时发现单点登出取标识的方式只能识别CAS的认证和校验。
认证：org.jasig.cas.client.authentication.AuthenticationFilter
校验：org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
过滤器顺序：
1. CAS Single Sign Out Filter
2. CAS Validation Filter
3. CAS Authentication Filter
4. CAS HttpServletRequest Wrapper Filter
5. CAS Assertion Thread Local Filter
特别注意Validation在Authentication之前，因为我使用的是Cas20ProxyReceivingTicketValidationFilter。根据CAS文档描述：If you are using proxy validation, you should map the validation filter before the authentication filter.

4.ok，放上我的web.xml文件，废掉之前的cas验证过滤器(CAS Filter)。使用另一个过滤器(CAS Authentication Filter)，并且增加另外三个过滤器（CAS Validation Filter, CAS HttpServletRequest Wrapper Filter, CAS Assertion Thread Local Filter），注意过滤器的顺序.

[html] view plain copy

<? xml version= "1.0" encoding= "UTF-8" ?>

< web-app xmlns= "http://java.sun.com/xml/ns/javaee"

xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance" version= "2.5"

xsi:schemaLocation= "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" >

< filter >

< filter-name >spring filter </ filter-name >

< filter-class >

org.springframework.web.filter.CharacterEncodingFilter

</ filter-class >

< init-param >

< param-name >encoding </ param-name >

< param-value >UTF-8 </ param-value >

</ init-param >

</ filter >

< filter-mapping >

< filter-name >spring filter </ filter-name >

< url-pattern >/* </ url-pattern >

</ filter-mapping >

< listener >

< listener-class >

org.jasig.cas.client.session.SingleSignOutHttpSessionListener

</ listener-class >

</ listener >

< filter >

< filter-name >CAS Single Sign Out Filter </ filter-name >

< filter-class >

org.jasig.cas.client.session.SingleSignOutFilter

</ filter-class >

</ filter >

< filter-mapping >

< filter-name >CAS Single Sign Out Filter </ filter-name >

< url-pattern >/* </ url-pattern >

</ filter-mapping >

< filter >

< filter-name >CAS Validation Filter </ filter-name >

< filter-class >

org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter

</ filter-class >

< init-param >

< param-name >casServerUrlPrefix </ param-name >

< param-value >

http://192.168.168.141:8080/casServer

</ param-value >

</ init-param >

< init-param >

< param-name >serverName </ param-name >

< param-value >192.168.168.141:8080 </ param-value >

</ init-param >

< init-param >

< param-name >useSession </ param-name >

< param-value >true </ param-value >

</ init-param >

< init-param >

< param-name >exceptionOnValidationFailure </ param-name >

< param-value >false </ param-value >

</ init-param >

< init-param >

< param-name >redirectAfterValidation </ param-name >

< param-value >true </ param-value >

</ init-param >

</ filter >

< filter-mapping >

< filter-name >CAS Validation Filter </ filter-name >

< url-pattern >/* </ url-pattern >

</ filter-mapping >

< filter >

< filter-name >CAS Authentication Filter </ filter-name >

< filter-class >

org.jasig.cas.client.authentication.AuthenticationFilter

</ filter-class >

< init-param >

< param-name >casServerLoginUrl </ param-name >

< param-value >

http://192.168.168.141:8080/casServer/login

</ param-value >

</ init-param >

< init-param >

< param-name >serverName </ param-name >

< param-value >http://192.168.168.141:8080 </ param-value >

</ init-param >

</ filter >

< filter-mapping >

< filter-name >CAS Authentication Filter </ filter-name >

< url-pattern >/* </ url-pattern >

</ filter-mapping >

<!-- 3.用于单点登录去服务器端认证(之前使用的这种)

< filter >

< filter-name >CAS Filter </ filter-name >

< filter-class >

edu.yale.its.tp.cas.client.filter.CASFilter

</ filter-class >

< init-param >

< param-name >

edu.yale.its.tp.cas.client.filter.loginUrl

</ param-name >

< param-value >

http://192.168.168.141:8080/casServer/login

</ param-value >

</ init-param >

< init-param >

< param-name >

edu.yale.its.tp.cas.client.filter.validateUrl

</ param-name >

< param-value >

http://192.168.168.141:8080/casServer/serviceValidate

</ param-value >

</ init-param >

< init-param >

< param-name >

edu.yale.its.tp.cas.client.filter.serverName

</ param-name >

< param-value >192.168.168.141:8080 </ param-value >

</ init-param >

</ filter >

< filter >

< filter-name >CAS HttpServletRequest Wrapper Filter </ filter-name >

< filter-class >

org.jasig.cas.client.util.HttpServletRequestWrapperFilter

</ filter-class >

</ filter >

< filter-mapping >

< filter-name >CAS HttpServletRequest Wrapper Filter </ filter-name >

< url-pattern >/* </ url-pattern >

</ filter-mapping >

< filter >

< filter-name >CAS Assertion Thread Local Filter </ filter-name >

< filter-class >

org.jasig.cas.client.util.AssertionThreadLocalFilter

</ filter-class >

</ filter >

< filter-mapping >

< filter-name >CAS Assertion Thread Local Filter </ filter-name >

< url-pattern >/* </ url-pattern >

</ filter-mapping >

< servlet >

< servlet-name >Query </ servlet-name >

< servlet-class >servlet.Query </ servlet-class >

</ servlet >

< servlet-mapping >

< servlet-name >Query </ servlet-name >

< url-pattern >/query </ url-pattern >

</ servlet-mapping >

< welcome-file-list >

< welcome-file >index.jsp </ welcome-file >

</ welcome-file-list >

</ web-app >

<%@ page language= "java" import= "java.util.*" pageEncoding= "utf-8"%>

<% @page import= "edu.yale.its.tp.cas.client.filter.CASFilter"%>

<% @page import= "org.jasig.cas.client.util.AssertionThreadLocalFilter"%>

<% @page import= "org.jasig.cas.client.util.HttpServletRequestWrapperFilter"%>

<% @page import= "org.jasig.cas.client.authentication.AttributePrincipal"%>

<% @page import= "org.jasig.cas.client.util.AbstractCasFilter"%>

<% @page import= "org.jasig.cas.client.validation.Assertion"%>

登录成功，这是客户端 2

//String username = (String) session.getAttribute(CASFilter.CAS_FILTER_USER);

//String username2 = (String)AssertionHolder.getAssertion().getPrincipal().getName();

String username = "";

AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();

if(principal != null){

username = principal.getName(); //获取用户名

用户名：<%=username%>

< util:constant id= "SECONDS" static-field= "java.util.concurrent.TimeUnit.SECONDS" />

< bean id= "serviceTicketExpirationPolicy" class= "org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"

c:numberOfUses= "1" c:timeToKill= "${st.timeToKillInSeconds:10}" c:timeUnit-ref= "SECONDS" />

c:numberOfUses="1" //使用ticket多少次

c:timeToKill="${st.timeToKillInSeconds:10}" //多少秒过期，默认10秒，你把这个改成10分钟玩玩。

这个方法我没有尝试，所以希望想尝试想折腾和想玩的兄弟狠狠的点击这个链接： http://bbs.csdn.net/topics/390111112