shiro集成CAS实现单点登出

使用shiro集成CAS实现单点登录的文章有很多,配置大同小异。与之对应的单点登出可能大家关注的不够。
单点登出,表示浏览器同时访问了多个接入单点登录系统,在某个系统点击退出的同时,其他系统也应该同时登出。进一步提升了系统的安全性。
CAS,提供了很好的单点登出实现,用户只需要简单配置对应的监听器和过滤即可。原理也很简单,网上有很多说明。


    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListenerlistener-class>
    listener>
    
    <filter>
        <filter-name>CAS Single Sign Out Filterfilter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilterfilter-class>
    filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filterfilter-name>
        <url-pattern>/*url-pattern>
    filter-mapping>

线上会遇到一个问题:用户登录后权限信息发生变化。shiro默认会将用户权限信息、系统权限信息进行缓存,一定程度上提升系统的响应。使用默认单点退出,并不会将用户缓存信息进行情况。
基于这个问题,对SingleSignOutFilter进行一定改造:

public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (handler.isTokenRequest(request)) {
            handler.recordSession(request);
        } else if (handler.isLogoutRequest(request)) {
            handler.destroySession(request);
            // Do not continue up filter chain
            return;
        } else {
            log.trace("Ignoring URI " + request.getRequestURI());
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

解读源码,handler.destroySession(request),

public void destroySession(final HttpServletRequest request) {
        final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName);
        if (log.isTraceEnabled()) {
            log.trace ("Logout request:\n" + logoutMessage);
        }
        final String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex");
        if (CommonUtils.isNotBlank(token)) {
            final HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token);

            if (session != null) {
                String sessionID = session.getId();

                if (log.isDebugEnabled()) {
                    log.debug ("Invalidating session [" + sessionID + "] for token [" + token + "]");
                }
                try {
                    session.invalidate();
                } catch (final IllegalStateException e) {
                    log.debug("Error invalidating session.", e);
                }
            }
        }
    }

代码会解析,获取当前登录用户的session,有了session,我们就可以得到shiro中的Subject对象了,就能调用subject.logout()方法,清除缓存了。当用户退出重新登录系统,新的权限信息立马生

if (handler.isTokenRequest(request)) {
            handler.recordSession(request);
        } else if (handler.isLogoutRequest(request)) {
            HttpSession session = handler.getSession(request);
            log.info("single sign out request,SesionID[" +session.getId()+"]");
            if(session != null){
                new WebSubject.Builder(getSecurityManager(), request, response).session(new HttpServletSession(session,"")).buildSubject().logout();
                log.info("single sign out request,SesionID[" +session.getId()+"]"+",shiro subject logout success!");
            }
            handler.destroySession(session);
            log.info("single sign out request,SesionID[" +session.getId()+"]"+",destroy session success!");
            // Do not continue up filter chain
            return;
        } else {
            log.trace("Ignoring URI " + request.getRequestURI());
        }
        filterChain.doFilter(servletRequest, servletResponse);

重写了SingleSignOutHandler类,首先获取session,然后通过new WebSubject。亲测有效。

你可能感兴趣的:(j2EE)