Fixing a bug in the jasig CAS server after the ticketGrantingTicket times out
2013-10-25 19:44
Original: http://castte.iteye.com/blog/1255308
While studying CAS recently I found that, after configuring a ticketGrantingTicket (TGT) timeout and waiting for it to pass, opening https://tski.com:8443/cas still shows the login-success page.
ticketExpirationPolicies.xml
XML code:
<!-- This argument is the time a ticket can exist before it's considered expired. Set here to a 5-second timeout -->
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
    <constructor-arg index="0" value="5000" />
</bean>
ticketRegistry.xml
XML code:
<!-- check every 10 seconds whether any tickets need to be cleaned out of the registry -->
<bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean"
    p:jobDetail-ref="jobDetailTicketRegistryCleaner"
    p:startDelay="2000"
    p:repeatInterval="10000" />
With these settings, waiting well past 5 seconds and reopening https://tski.com:8443/cas still shows the login-success page.
So my guess was that the difference between a TGT timing out and calling https://tski.com:8443/cas/logout is that logout also removes the TGT from the browser cookie.
So I looked at the logout handler:
org.jasig.cas.web.LogoutController
Java code:
protected ModelAndView handleRequestInternal(
        final HttpServletRequest request, final HttpServletResponse response)
        throws Exception {
    final String ticketGrantingTicketId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
    final String service = request.getParameter("service");
    if (ticketGrantingTicketId != null) {
        this.centralAuthenticationService
            .destroyTicketGrantingTicket(ticketGrantingTicketId);
        // remove the TGT cookie and the warn cookie from the browser
        this.ticketGrantingTicketCookieGenerator.removeCookie(response);
        this.warnCookieGenerator.removeCookie(response);
    }
    if (this.followServiceRedirects && service != null) {
        return new ModelAndView(new RedirectView(service));
    }
    return new ModelAndView(this.logoutView);
}
When the TGT simply times out, by contrast, the CAS server never gets a chance to remove the cookie, so the browser keeps sending the stale TGT id.
Next guess: when https://tski.com:8443/cas is opened, the CAS server only checks whether the cookie carries a TGT id, and never checks whether that TGT still exists in org.jasig.cas.ticket.registry.TicketRegistry.
Found login-webflow.xml:
XML code:
<!-- when flowScope.ticketGrantingTicketId is not null and flowScope.service is null, the flow ends up at viewGenericLoginSuccess -->
<on-start>
    <evaluate expression="initialFlowSetupAction" />
</on-start>
<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>
...
<decision-state id="hasServiceCheck">
    <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
</decision-state>
So the next step is to confirm where flowScope.ticketGrantingTicketId and flowScope.service actually come from.
Found org.jasig.cas.web.flow.InitialFlowSetupAction:
Java code:
protected Event doExecute(final RequestContext context) throws Exception {
    final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
    if (!this.pathPopulated) {
        ... }
    // ticketGrantingTicketId is taken straight from the cookie, with no registry lookup: the problem is now clear
    context.getFlowScope().put(
        "ticketGrantingTicketId", this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request));
    context.getFlowScope().put(
        "warnCookieValue",
        Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));
    // service is only non-null when the browser was redirected to the CAS server from another application
    final Service service = WebUtils.getService(this.argumentExtractors,
        context);
    if (service != null && logger.isDebugEnabled()) {
        logger.debug("Placing service in FlowScope: " + service.getId());
    }
    context.getFlowScope().put("service", service);
    return result("success");
}
Finally, the code change:
org.jasig.cas.web.flow.InitialFlowSetupAction
Java code:
import org.jasig.cas.ticket.Ticket;
import org.jasig.cas.ticket.registry.TicketRegistry;

// inject the ticketRegistry
@NotNull
private TicketRegistry ticketRegistry;

public TicketRegistry getTicketRegistry() {
    return ticketRegistry;
}

public void setTicketRegistry(TicketRegistry ticketRegistry) {
    this.ticketRegistry = ticketRegistry;
}

protected Event doExecute(final RequestContext context) throws Exception {
    final HttpServletRequest request = WebUtils.getHttpServletRequest(context);
    if (!this.pathPopulated) {
        ... }
    // Still read the TGT id from the cookie, but only keep it when the registry holds a
    // ticket with that id AND the ticket has not expired yet. Checking isExpired() matters
    // because the cleaner job only removes expired tickets every 10 seconds, so an expired
    // TGT can sit in the registry for up to that long. The flow scope must receive the id
    // String, not the Ticket object: later flow states read ticketGrantingTicketId as a String.
    final String cookieTgtId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
    String ticketGrantingTicketId = null;
    if (cookieTgtId != null) { // no cookie: skip the lookup rather than pass null to the registry
        final Ticket tgt = this.ticketRegistry.getTicket(cookieTgtId);
        if (tgt != null && !tgt.isExpired()) {
            ticketGrantingTicketId = cookieTgtId;
        }
    }
    context.getFlowScope().put("ticketGrantingTicketId", ticketGrantingTicketId);
    context.getFlowScope().put(
        "warnCookieValue",
        Boolean.valueOf(this.warnCookieGenerator.retrieveCookieValue(request)));
    final Service service = WebUtils.getService(this.argumentExtractors,
        context);
    if (service != null && logger.isDebugEnabled()) {
        logger.debug("Placing service in FlowScope: " + service.getId());
    }
    context.getFlowScope().put("service", service);
    return result("success");
}
Change cas-servlet.xml:
XML code:
<!-- the last line, p:ticketRegistry-ref="ticketRegistry", injects the ticketRegistry -->
<bean id="initialFlowSetupAction" class="org.jasig.cas.web.flow.InitialFlowSetupAction"
    p:argumentExtractors-ref="argumentExtractors"
    p:warnCookieGenerator-ref="warnCookieGenerator"
    p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
    p:ticketRegistry-ref="ticketRegistry"/>
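To make the timing concrete, here is an added, self-contained Java example (not code from the CAS project or from the original post) that models the configuration above: a 5-second TGT expiration policy, a cleaner job that first fires 2 seconds after start and then every 10 seconds, and the three candidate checks for "is the user still logged in?": cookie value only (the original InitialFlowSetupAction), registry presence only (what ticketRegistry.getTicket(id) != null gives on its own), and registry presence plus isExpired(). The Ticket, Registry and Clock types are minimal stand-ins written for this demo, not CAS's own classes, and the TGT id is constructed.

```java
import java.util.HashMap;
import java.util.Map;

/** Models the three "is the user still logged in?" checks discussed on this page. */
public class TgtExpiryDemo {

    /** Stand-in for org.jasig.cas.ticket.Ticket: only the method the check needs. */
    interface Ticket {
        boolean isExpired();
    }

    /** Fake clock so the demo does not have to sleep. */
    static final class Clock {
        long nowMillis;
    }

    /** Stand-in for a TGT under TimeoutExpirationPolicy(timeToKillMillis). */
    static final class TimeoutTicket implements Ticket {
        private final Clock clock;
        private final long createdAtMillis;
        private final long timeToKillMillis;

        TimeoutTicket(Clock clock, long timeToKillMillis) {
            this.clock = clock;
            this.createdAtMillis = clock.nowMillis;
            this.timeToKillMillis = timeToKillMillis;
        }

        public boolean isExpired() {
            return clock.nowMillis - createdAtMillis >= timeToKillMillis;
        }
    }

    /** Stand-in for TicketRegistry; clean() is what the Quartz cleaner job does. */
    static final class Registry {
        private final Map<String, Ticket> tickets = new HashMap<>();

        void add(String id, Ticket ticket) { tickets.put(id, ticket); }

        Ticket get(String id) { return tickets.get(id); }

        void clean() { tickets.values().removeIf(Ticket::isExpired); }
    }

    /** Check 1: original InitialFlowSetupAction, cookie value only. */
    static boolean cookieOnly(String cookieTgtId) {
        return cookieTgtId != null;
    }

    /** Check 2: registry lookup without an expiry check. */
    static boolean registryPresence(Registry registry, String cookieTgtId) {
        return cookieTgtId != null && registry.get(cookieTgtId) != null;
    }

    /** Check 3: registry lookup plus isExpired(); the check the fix should use. */
    static boolean registryAndNotExpired(Registry registry, String cookieTgtId) {
        if (cookieTgtId == null) {
            return false;
        }
        Ticket ticket = registry.get(cookieTgtId);
        return ticket != null && !ticket.isExpired();
    }

    public static void main(String[] args) {
        Clock clock = new Clock();
        Registry registry = new Registry();
        // Constructed TGT id; the browser keeps sending this cookie until logout removes it.
        String cookieTgtId = "TGT-1-demo";
        registry.add(cookieTgtId, new TimeoutTicket(clock, 5000)); // 5 s policy from the page

        long cleanerStartDelay = 2000;  // p:startDelay
        long cleanerInterval = 10000;   // p:repeatInterval
        long nextCleanerRun = cleanerStartDelay;

        long[] probeTimesMillis = {0, 4000, 6000, 11000, 12000};
        for (long now : probeTimesMillis) {
            while (nextCleanerRun <= now) {      // fire every cleaner run that is due by now
                clock.nowMillis = nextCleanerRun; // evaluate expiry as of the cleaner's run time
                registry.clean();
                nextCleanerRun += cleanerInterval;
            }
            clock.nowMillis = now;
            System.out.printf("t=%5d ms  cookieOnly=%-5b registryPresence=%-5b registryAndNotExpired=%b%n",
                    now,
                    cookieOnly(cookieTgtId),
                    registryPresence(registry, cookieTgtId),
                    registryAndNotExpired(registry, cookieTgtId));
        }
    }
}
```

Run it with `java TgtExpiryDemo.java` (JDK 11 or later). Between t=5 s (expiry) and t=12 s (the next cleaner run) the cookie-only and registry-presence checks both still report the TGT as live, while only the isExpired() check rejects it; after the cleaner runs at 12 s the registry lookup finally fails too. That window is why the InitialFlowSetupAction fix should consult isExpired() instead of relying on the cleaner alone, and why the cookie value by itself must never be trusted.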