|
使用shiro集成CAS实现单点登录的文章有很多,配置大同小异。与之对应的单点登出可能大家关注的不够。
单点登出,表示浏览器同时访问了多个接入单点登录系统,在某个系统点击退出的同时,其他系统也应该同时登出。进一步提升了系统的安全性。
CAS,提供了很好的单点登出实现,用户只需要简单配置对应的监听器和过滤即可。原理也很简单,网上有很多说明。
<!-- 单点登出监听器 -->
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<!-- 单点登出 -->
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
线上会遇到一个问题:用户登录后权限信息发生变化。shiro默认会将用户权限信息、系统权限信息进行缓存,一定程度上提升系统的响应。使用默认单点退出,并不会将用户缓存信息进行情况。
基于这个问题,对SingleSignOutFilter进行一定改造:
public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
final HttpServletRequest request = (HttpServletRequest) servletRequest;
if (handler.isTokenRequest(request)) {
handler.recordSession(request);
} else if (handler.isLogoutRequest(request)) {
handler.destroySession(request);
// Do not continue up filter chain
return;
} else {
log.trace("Ignoring URI " + request.getRequestURI());
}
filterChain.doFilter(servletRequest, servletResponse);
}
解读源码,handler.destroySession(request),
public void destroySession(final HttpServletRequest request) {
final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName);
if (log.isTraceEnabled()) {
log.trace ("Logout request:\n" + logoutMessage);
}
final String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex");
if (CommonUtils.isNotBlank(token)) {
final HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token);
if (session != null) {
String sessionID = session.getId();
if (log.isDebugEnabled()) {
log.debug ("Invalidating session [" + sessionID + "] for token [" + token + "]");
}
try {
session.invalidate();
} catch (final IllegalStateException e) {
log.debug("Error invalidating session.", e);
}
}
}
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
代码会解析,获取当前登录用户的session,有了session,我们就可以得到shiro中的Subject对象了,就能调用subject.logout()方法,清除缓存了。当用户退出重新登录系统,新的权限信息立马生
if (handler.isTokenRequest(request)) {
handler.recordSession(request);
} else if (handler.isLogoutRequest(request)) {
HttpSession session = handler.getSession(request);
log.info("single sign out request,SesionID[" +session.getId()+"]");
if(session != null){
new WebSubject.Builder(getSecurityManager(), request, response).session(new HttpServletSession(session,"")).buildSubject().logout();
log.info("single sign out request,SesionID[" +session.getId()+"]"+",shiro subject logout success!");
}
handler.destroySession(session);
log.info("single sign out request,SesionID[" +session.getId()+"]"+",destroy session success!");
// Do not continue up filter chain
return;
} else {
log.trace("Ignoring URI " + request.getRequestURI());
}
filterChain.doFilter(servletRequest, servletResponse);
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
重写了SingleSignOutHandler类,首先获取session,然后通过new WebSubject。亲测有效。
|
