shiro pac4j cas单点退出不工作

Question

弹簧靴2.2.5

shiro-spring-boot-web-starter 1.5.1

buji-pac4j 4.1.1

pac4j-cas 3.8.3

cas覆盖模板5.3。

我用https在tomcat中启动cas服务器，并在eclipse中启动两个客户机(pac4j1和pac4j2)。

单点登录工作，但single sign out失败。

以下是我的心声：

我只在cas服务器下添加了一个 service文件，该文件如下所示：

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http)://localhost.*",
  "name": "local",
  "id": 10000003, 
  "evaluationOrder": 1
}

application.yml of pac4j1

server:
  port: 8444
  servlet:
    context-path: /pac4j1

cas:
  client-name: pac4j1Client
  server:
    url: https://localhost:8443/cas
  project:
    url: http://localhost:8444/pac4j1

Pac4jConfig：

@Configuration
public class Pac4jConfig {

    @Value("${cas.server.url}")
    private String casServerUrl;

    @Value("${cas.project.url}")
    private String projectUrl;

    @Value("${cas.client-name}")
    private String clientName;

    @Bean("authcConfig")
    public Config config(CasClient casClient, ShiroSessionStore shiroSessionStore) {

        Config config = new Config(casClient);
        config.setSessionStore(shiroSessionStore);
        return config;
    }


    @Bean
    public ShiroSessionStore shiroSessionStore(){
        return new ShiroSessionStore();
    }


    @Bean
    public CasClient casClient(CasConfiguration casConfig){

        CasClient casClient = new CasClient(casConfig);

        casClient.setCallbackUrl(projectUrl + "/callback?client_name=" + clientName);
        casClient.setName(clientName);
        return casClient;
    }

    @Bean
    public CasConfiguration casConfig(){
        final CasConfiguration configuration = new CasConfiguration();

        configuration.setLoginUrl(casServerUrl + "/login");

        configuration.setProtocol(CasProtocol.CAS20);
        configuration.setAcceptAnyProxy(true);
        configuration.setPrefixUrl(casServerUrl + "/");        

        return configuration;
    }

}

shiro配置：

@Configuration
public class ShiroConfig {  

    @Value("${cas.project.url}")
    private String projectUrl;

    @Value("${cas.server.url}")
    private String casServerUrl;

    @Value("${cas.client-name}")
    private String clientName;

    @Bean("securityManager")
    public DefaultWebSecurityManager securityManager(Pac4jSubjectFactory subjectFactory, CasRealm casRealm){

        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(casRealm);
        manager.setSubjectFactory(subjectFactory);

        return manager;
    }    

    @Bean
    public CasRealm casRealm(){

        CasRealm realm = new CasRealm();

        realm.setClientName(clientName);
        realm.setCachingEnabled(false);

        realm.setAuthenticationCachingEnabled(false);
        realm.setAuthorizationCachingEnabled(false);

        return realm;
    }

    @Bean
    public Pac4jSubjectFactory subjectFactory(){
        return new Pac4jSubjectFactory();
    }

    @Bean
    public FilterRegistrationBean<SingleSignOutFilter> singleSignOutFilter() {

        FilterRegistrationBean<SingleSignOutFilter> bean = new FilterRegistrationBean<SingleSignOutFilter>();
        bean.setName("singleSignOutFilter");

        SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
        singleSignOutFilter.setCasServerUrlPrefix(casServerUrl);
        singleSignOutFilter.setIgnoreInitConfiguration(true);

        bean.setFilter(singleSignOutFilter);
        bean.addUrlPatterns("/*");
        bean.setEnabled(true);
        bean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return bean;
    }

    @Bean
    public FilterRegistrationBean<DelegatingFilterProxy> filterRegistrationBean() {

        FilterRegistrationBean<DelegatingFilterProxy> filterRegistration = new FilterRegistrationBean<DelegatingFilterProxy>();
        filterRegistration.setFilter(new DelegatingFilterProxy("shiroFilter"));

        filterRegistration.addInitParameter("targetFilterLifecycle", "true");
        filterRegistration.setEnabled(true);
        filterRegistration.addUrlPatterns("/*");
        filterRegistration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.FORWARD);
        return filterRegistration;
    }

    private void loadShiroFilterChain(ShiroFilterFactoryBean shiroFilterFactoryBean){

        Map<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
        filterChainDefinitionMap.put("/", "securityFilter");       
        filterChainDefinitionMap.put("/index", "securityFilter");
        filterChainDefinitionMap.put("/callback", "callbackFilter");
        filterChainDefinitionMap.put("/logout", "logout");
        filterChainDefinitionMap.put("/**","anon");     
        shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
    }

    @Bean("shiroFilter")
    public ShiroFilterFactoryBean factory(DefaultWebSecurityManager securityManager, Config config) {

        ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();

        shiroFilterFactoryBean.setSecurityManager(securityManager);

        loadShiroFilterChain(shiroFilterFactoryBean);
        Map<String, Filter> filters = new HashMap<>(3);

        SecurityFilter securityFilter = new SecurityFilter();
        securityFilter.setConfig(config);
        securityFilter.setClients(clientName);
        filters.put("securityFilter", securityFilter);

        MyCallbackFilter callbackFilter = new MyCallbackFilter();
        callbackFilter.setConfig(config);
        callbackFilter.setDefaultUrl(projectUrl);
        filters.put("callbackFilter", callbackFilter);

        LogoutFilter logoutFilter = new LogoutFilter();
        logoutFilter.setConfig(config);
        logoutFilter.setCentralLogout(true);
        logoutFilter.setLocalLogout(true);
        logoutFilter.setDefaultUrl(projectUrl + "/callback?client_name=" + clientName);
        filters.put("logout",logoutFilter);

        shiroFilterFactoryBean.setFilters(filters);
        return shiroFilterFactoryBean;
    }   

}

application.properties of cas server是默认的，cas server使用https(https://localhost:8443/cas)，而cas clients使用http(http://localhost:8444/pac4j1)。

，我哪里错了？

Answer 1

在leopal提供的链接leopal的帮助下，我知道cas服务器需要将注销请求发送回客户端。

因此，我检查了cas服务器的日志并找到了INFO [org.apereo.cas.logout.DefaultLogoutManager] - <Performing logout operations for。

所以我为org.apereo.cas.logout添加了日志，发现有一些关于注销的类：DefaultLogoutManager、DefaultSingleLogoutServiceLogoutUrlBuilder、DefaultSingleLogoutServiceMessageHandler和SimpleUrlValidator。

在执行注销时，如果原始url是有效的url，DefaultSingleLogoutServiceLogoutUrlBuilder.determineLogoutUrl将从注册服务获取注销url或从cas客户端获取原始url。

所以，，我的问题是：我没有在服务json文件中定义注销url，而来自cas客户端的原始url是localhost:8444，这是一个无效的ipv4。因此，cas服务器将不会将注销请求发送回客户端。

解决方案是：在项目url中使用ip，而在cas客户端的application.yml中使用localhost：

cas:
  client-name: pac4j1Client
  server:
    url: https://localhost:8443/cas
  project:
    url: http://192.168.2.119:8444/pac4j1

另一种解决方案是为每个cas客户端服务json文件设置logoutUrl (尚未尝试)。