0

弹簧靴 2.2.5

shiro-spring-boot-web-starter 1.5.1

布吉-pac4j 4.1.1

pac4j-cas 3.8.3

cas 覆盖模板 5.3。

我使用 https 在 tomcat 中启动 cas 服务器,并在 eclipse 中启动两个客户端(pac4j1和)。pac4j2

单点登录工作,但single sign out失败。

以下是我的配置:

我只在 cas 服务器下添加了一个 service文件,如下所示:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http)://localhost.*",
  "name": "local",
  "id": 10000003, 
  "evaluationOrder": 1
}

application.yml 的pac4j1

server:
  port: 8444
  servlet:
    context-path: /pac4j1

cas:
  client-name: pac4j1Client
  server:
    url: https://localhost:8443/cas
  project:
    url: http://localhost:8444/pac4j1

pac4j 配置:

@Configuration
public class Pac4jConfig {

    @Value("${cas.server.url}")
    private String casServerUrl;

    @Value("${cas.project.url}")
    private String projectUrl;

    @Value("${cas.client-name}")
    private String clientName;

    @Bean("authcConfig")
    public Config config(CasClient casClient, ShiroSessionStore shiroSessionStore) {

        Config config = new Config(casClient);
        config.setSessionStore(shiroSessionStore);
        return config;
    }


    @Bean
    public ShiroSessionStore shiroSessionStore(){
        return new ShiroSessionStore();
    }


    @Bean
    public CasClient casClient(CasConfiguration casConfig){

        CasClient casClient = new CasClient(casConfig);

        casClient.setCallbackUrl(projectUrl + "/callback?client_name=" + clientName);
        casClient.setName(clientName);
        return casClient;
    }

    @Bean
    public CasConfiguration casConfig(){
        final CasConfiguration configuration = new CasConfiguration();

        configuration.setLoginUrl(casServerUrl + "/login");

        configuration.setProtocol(CasProtocol.CAS20);
        configuration.setAcceptAnyProxy(true);
        configuration.setPrefixUrl(casServerUrl + "/");        

        return configuration;
    }

}

希罗配置:

@Configuration
public class ShiroConfig {  

    @Value("${cas.project.url}")
    private String projectUrl;

    @Value("${cas.server.url}")
    private String casServerUrl;

    @Value("${cas.client-name}")
    private String clientName;

    @Bean("securityManager")
    public DefaultWebSecurityManager securityManager(Pac4jSubjectFactory subjectFactory, CasRealm casRealm){

        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(casRealm);
        manager.setSubjectFactory(subjectFactory);

        return manager;
    }    

    @Bean
    public CasRealm casRealm(){

        CasRealm realm = new CasRealm();

        realm.setClientName(clientName);
        realm.setCachingEnabled(false);

        realm.setAuthenticationCachingEnabled(false);
        realm.setAuthorizationCachingEnabled(false);

        return realm;
    }

    @Bean
    public Pac4jSubjectFactory subjectFactory(){
        return new Pac4jSubjectFactory();
    }

    @Bean
    public FilterRegistrationBean<SingleSignOutFilter> singleSignOutFilter() {

        FilterRegistrationBean<SingleSignOutFilter> bean = new FilterRegistrationBean<SingleSignOutFilter>();
        bean.setName("singleSignOutFilter");

        SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
        singleSignOutFilter.setCasServerUrlPrefix(casServerUrl);
        singleSignOutFilter.setIgnoreInitConfiguration(true);

        bean.setFilter(singleSignOutFilter);
        bean.addUrlPatterns("/*");
        bean.setEnabled(true);
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }

    @Bean
    public FilterRegistrationBean<DelegatingFilterProxy> filterRegistrationBean() {

        FilterRegistrationBean<DelegatingFilterProxy> filterRegistration = new FilterRegistrationBean<DelegatingFilterProxy>();
        filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));

        filterRegistration.addInitParameter("targetFilterLifecycle", "true");
        filterRegistration.setEnabled(true);
        filterRegistration.addUrlPatterns("/*");
        filterRegistration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD);
        return filterRegistration;
    }

    private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean){

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/", "securityFilter");       
        filterChainDefinitionMap.put("/index", "securityFilter");
        filterChainDefinitionMap.put("/callback", "callbackFilter");
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/**","anon");     
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
    }

    @Bean("shiroFilter")
    public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager, Config config) {

        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();

        shiroFilterFactoryBean.setSecurityManager(securityManager);

        loadShiroFilterChain(shiroFilterFactoryBean);
        Map<String, Filter> filters = new HashMap<>(3);

        SecurityFilter securityFilter = new SecurityFilter();
        securityFilter.setConfig(config);
        securityFilter.setClients(clientName);
        filters.put("securityFilter", securityFilter);

        MyCallbackFilter callbackFilter = new MyCallbackFilter();
        callbackFilter.setConfig(config);
        callbackFilter.setDefaultUrl(projectUrl);
        filters.put("callbackFilter", callbackFilter);

        LogoutFilter logoutFilter = new LogoutFilter();
        logoutFilter.setConfig(config);
        logoutFilter.setCentralLogout(true);
        logoutFilter.setLocalLogout(true);
        logoutFilter.setDefaultUrl(projectUrl + "/callback?client_name=" + clientName);
        filters.put("logout",logoutFilter);

        shiroFilterFactoryBean.setFilters(filters);
        return shiroFilterFactoryBean;
    }   

}

application.propertiesofcas server为默认值,cas server使用 https( https://localhost:8443/cas) 而cas clients为 http( http://localhost:8444/pac4j1)。

我哪里错了?

4

1 回答 1

0

在提供的链接SLOleopal的帮助下,我知道 cas 服务器需要将注销请求发送回客户端。

因此,我检查了 cas 服务器的日志,发现INFO [org.apereo.cas.logout.DefaultLogoutManager] - <Performing logout operations for.

所以我添加了log for org.apereo.cas.logout,发现有一些关于logout的类:DefaultLogoutManager、、DefaultSingleLogoutServiceLogoutUrlBuilder和。DefaultSingleLogoutServiceMessageHandlerSimpleUrlValidator

执行注销时,DefaultSingleLogoutServiceLogoutUrlBuilder.determineLogoutUrl将从注册服务获取注销 url,如果原始 url 是有效 url,则从 cas 客户端获取原始 url。

所以我的问题是:我没有在服务 json 文件中定义注销 url,而来自 cas 客户端的原始 urllocalhost:8444是无效的 ipv4。因此,cas 服务器不会将注销请求发送回客户端。

解决方案是ip在项目 url 中使用而不是localhostapplication.ymlcas 客户端中使用:

cas:
  client-name: pac4j1Client
  server:
    url: https://localhost:8443/cas
  project:
    url: http://192.168.2.119:8444/pac4j1

为每个 cas 客户端服务 json 文件设置了另一种解决方案logoutUrl(尚未尝试)。

于 2020-03-29T02:33:52.740 回答