shiro集成CAS实现单点登出

使用shiro集成CAS实现单点登录的文章有很多，配置大同小异。与之对应的单点登出可能大家关注的不够。
单点登出，表示浏览器同时访问了多个接入单点登录系统，在某个系统点击退出的同时，其他系统也应该同时登出。进一步提升了系统的安全性。
CAS，提供了很好的单点登出实现，用户只需要简单配置对应的监听器和过滤即可。原理也很简单，网上有很多说明。

    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListenerlistener-class>
    listener>
    
    <filter>
        <filter-name>CAS Single Sign Out Filterfilter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilterfilter-class>
    filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filterfilter-name>
        <url-pattern>/*url-pattern>
    filter-mapping>

线上会遇到一个问题：用户登录后权限信息发生变化。shiro默认会将用户权限信息、系统权限信息进行缓存，一定程度上提升系统的响应。使用默认单点退出，并不会将用户缓存信息进行情况。
基于这个问题，对SingleSignOutFilter进行一定改造：

public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (handler.isTokenRequest(request)) {
            handler.recordSession(request);
        } else if (handler.isLogoutRequest(request)) {
            handler.destroySession(request);
            // Do not continue up filter chain
            return;
        } else {
            log.trace("Ignoring URI " + request.getRequestURI());
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

解读源码，handler.destroySession(request)，

public void destroySession(final HttpServletRequest request) {
        final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName);
        if (log.isTraceEnabled()) {
            log.trace ("Logout request:\n" + logoutMessage);
        }
        final String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex");
        if (CommonUtils.isNotBlank(token)) {
            final HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token);

            if (session != null) {
                String sessionID = session.getId();

                if (log.isDebugEnabled()) {
                    log.debug ("Invalidating session [" + sessionID + "] for token [" + token + "]");
                }
                try {
                    session.invalidate();
                } catch (final IllegalStateException e) {
                    log.debug("Error invalidating session.", e);
                }
            }
        }
    }

代码会解析，获取当前登录用户的session，有了session，我们就可以得到shiro中的Subject对象了，就能调用subject.logout()方法，清除缓存了。当用户退出重新登录系统，新的权限信息立马生

if (handler.isTokenRequest(request)) {
            handler.recordSession(request);
        } else if (handler.isLogoutRequest(request)) {
            HttpSession session = handler.getSession(request);
            log.info("single sign out request,SesionID[" +session.getId()+"]");
            if(session != null){
                new WebSubject.Builder(getSecurityManager(), request, response).session(new HttpServletSession(session,"")).buildSubject().logout();
                log.info("single sign out request,SesionID[" +session.getId()+"]"+",shiro subject logout success!");
            }
            handler.destroySession(session);
            log.info("single sign out request,SesionID[" +session.getId()+"]"+",destroy session success!");
            // Do not continue up filter chain
            return;
        } else {
            log.trace("Ignoring URI " + request.getRequestURI());
        }
        filterChain.doFilter(servletRequest, servletResponse);

重写了SingleSignOutHandler类，首先获取session，然后通过new WebSubject。亲测有效。