CAS单LogOut(SLO)无法工作- CAS 4.2.3

Question

我在中科院有单一LogOut的问题。我正在使用CAS服务器4.2.3和Spring3.2。我的客户端认证应用程序是在spring安全性上配置的。遵循以下文档，http://docs.spring.io/spring-security/site/docs/3.2.9.RELEASE/reference/htmlsingle/#cas-singlelogout

我有两个cas客户端web应用程序。当我从一个cas客户端web应用程序中注销，并在我已经登录的第二个cas客户端应用程序中刷新页面时(在同一个浏览器中的另一个选项卡中)，我会认为登录页面会显示出来，就像我已经从第一个cas客户机应用程序中显示了一个logout一样。但不起作用。

我不知道我错过了什么。我已经发布了web.xml、Springsecurity.xml、logout.jsp和cas.log的代码片段。

任何帮助或指示都是非常感谢的。

web.xml

<filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

spring-security.xml

<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <property name="service" value="https://<hostname>:8444/WebApp3/j_spring_cas_security_check" />
    <property name="sendRenew" value="false" />
</bean>

<sec:http use-expressions="true" entry-point-ref="casEntryPoint">
    <sec:intercept-url pattern="/login/*" access="permitAll()" />
    <sec:intercept-url pattern="/lib/**" access="permitAll()" />
    <sec:intercept-url pattern="/**" access="isAuthenticated()" />
    <sec:form-login login-page="/ingress.do" default-target-url="/ingress.do" always-use-default-target="false"
        authentication-failure-url="/login.jsp" />

    <sec:logout logout-success-url="/logout.jsp" />
    <sec:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
    <sec:custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    <sec:custom-filter position="CAS_FILTER" ref="casFilter" />

</sec:http>

<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />

<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="https://<hostname>/cas/logout" />
    <constructor-arg>
        <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logout/cas" />
</bean>

<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="https://<hostname>/cas/login" />
    <property name="serviceProperties" ref="serviceProperties" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="casAuthenticationProvider" />
</sec:authentication-manager>

<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="authenticationUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <constructor-arg ref="userService" />
        </bean>
    </property>
    <property name="serviceProperties" ref="serviceProperties" />
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://<hostname>/cas" />
        </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only" />
</bean>

<bean id="userService" class="org.hpi.iris.services.CustomUserDetailsService" />

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="/" />
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
        </list>
    </constructor-arg>
</bean>

<bean id="servletContext" class="org.springframework.web.context.support.ServletContextFactoryBean" />

<bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="casEntryPoint" />
</bean>

<bean id="wrappingFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" />

​

logout.jsp

<a href="logout/cas">Logout of in all applications</a>

cas.log

2016-09-19 15:47:09,995 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-qFurZ54zaXVbviIalCkZ93lDbYuBAT6m5qE" Version="2.0" IssueInstant="2016-09-19T15:47:09Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname></samlp:SessionIndex></samlp:LogoutRequest>]
2016-09-19 15:47:09,995 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Sending logout request for: [https://<hostname>:8444/WebApp3/j_spring_cas_security_check]
2016-09-19 15:47:10,000 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@1771cadc[url=https://<hostname>:8444/WebApp3/j_spring_cas_security_check,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-qFurZ54zaXVbviIalCkZ93lDbYuBAT6m5qE" Version="2.0" IssueInstant="2016-09-19T15:47:09Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname></samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]
2016-09-19 15:47:10,068 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@655231e3[ticketId=ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname>,service=https://<hostname>:8444/WebApp3/j_spring_cas_security_check,status=SUCCESS]]
2016-09-19 15:47:10,069 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,071 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-**********************************************lfaFE4hhow-<hostname>] found in registry.
2016-09-19 15:47:10,072 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing children of ticket [TGT-**********************************************lfaFE4hhow-<hostname>] from the registry.
2016-09-19 15:47:10,084 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [TGT-**********************************************lfaFE4hhow-<hostname>] from the registry.
2016-09-19 15:47:10,099 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Publishing org.jasig.cas.support.events.CasTicketGrantingTicketDestroyedEvent@b348523[ticketGrantingTicket=TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Trying to see if target's return value is instance of [Assertion]...
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Resolving principal from the delegate principal resolver: [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver@3d5cf9c4]...
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [String] for audit
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,101 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [TGT-**********************************************lfaFE4hhow-<hostname>] by type [Ticket] cannot be found in the ticket registry.
2016-09-19 15:47:10,109 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Could not locate ticket [TGT-**********************************************lfaFE4hhow-<hostname>] in the registry
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Meaningful principal id could not be resolved by [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver@4dafaeaa]. Returning [audit:unknown]...
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.web.support.TGCCookieRetrievingCookieGenerator] - Removed cookie with name [TGC]
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.web.WarningCookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
2016-09-19 15:47:10,118 DEBUG [org.jasig.cas.services.web.RegisteredServiceThemeBasedViewResolver] - View resolved: /WEB-INF/view/jsp/default/ui/casLogoutView.jsp
2016-09-19 15:47:10,179 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Connecting socket to <hostname>/<hostip>:8444 with timeout 5000
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Starting handshake
2016-09-19 15:47:10,205 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Secure session established
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  negotiated protocol: TLSv1.2
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  peer principal: CN=<hostname>, OU=HPI, O=HP, L=Bloomington, ST=MN, C=US
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  issuer principal: CN=<hostname>, OU=HPI, O=HP, L=Bloomington, ST=MN, C=US
2016-09-19 15:47:31,024 DEBUG [org.jasig.cas.util.CasSpringBeanJobFactory] - Created job org.jasig.cas.services.DefaultServicesManagerImpl$ServiceRegistryReloaderJob@4340fcf7 for bundle org.quartz.spi.TriggerFiredBundle@8f5988b

Answer 1

显然，我找到了一个问题的答案:我退出了一个CAS客户机，而另一个CAS客户机没有被注销。要做到这一点，CAS服务器需要了解所有注册的服务。

我认为CAS服务管理工具负责这一工作。但是，这对我没有用。看起来CAS管理服务不会这么做。尽管安装了服务管理工具并将其链接到我的CAS服务器，但仍然无法工作。

我不得不更进一步，添加几个与RegexRegisteredService相关的配置文件。虽然这种配置存在于服务管理工具中，但CAS服务器似乎并不像我前面提到的那样认识到这一点。因此，我不得不将这些文件从服务管理工具复制到CAS服务器。在CAS服务器中，我将其放置在以下位置../WEB/CAS/services。文件名通常类似于AppName-UniqueID.json

json文件看起来会像这样，

{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "https://<hostname>/AppName/j_spring_cas_security_check",
"name" : "App Name",
"id" : 7042148554761,
"logoutType" : "BACK_CHANNEL",
"logoutUrl" : "https://<hostname>/AppName/<Logout URL>"
}

请记住，您需要为每个cas客户端应用程序拥有单独的文件。

完成此步骤后，当我从一个CAS客户端登录到其他CAS客户端控制台时，我能够看到来自CAS服务器的响应。现在，其余的工作需要在CAS客户端完成，以识别来自CAS的注销操作并注销本地会话，这正是我现在正在做的工作。

我是中科院的新手。根据我的经验，我发现CAS文档有点模糊。它可能需要更多的清晰。