CAS之SingleSignOutFilter

这里只给出核心代码 doFilter
首先要明确一点 SingleSignOutFilter 会拦截所有请求,而不是仅仅拦截logout时的请求

在sso client应用中存在一个Map<Ticket,HttpSession>对象
在sso server认证用户名密码成功后,会redirect一个带有ticket的请求到sso client
这时就执行下面的逻辑,ticket和当前session会被缓存到Map

退出时,sso server发送带logoutRequest参数的http请求到每一个sso client
这时就会执行下面的逻辑 --- 删除ticket对应的session 然后销毁session

    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        
        //add for webdav sso
		String reqURI = ((HttpServletRequest)request).getRequestURI();
		boolean isCesso = false;
		if(reqURI.endsWith("/webdav") || reqURI.contains("/webdav/")){
	        if(request.getHeader(WEBDAV_CESSO_FLAG)!=null 
	        		&& !request.getHeader(WEBDAV_CESSO_FLAG).equals(""))
	        	isCesso = Boolean.valueOf(request.getHeader(WEBDAV_CESSO_FLAG).toString());
	        if(!isCesso){
	        	filterChain.doFilter(servletRequest, servletResponse);
	        	return; 
	        }
		}

		//退出时,cas server向cas client发送post请求,其中包括了sessionId,此filter获取session并销毁之
        if ("POST".equals(request.getMethod())) {
            final String logoutRequest = request.getParameter("logoutRequest");
            
            if (logoutRequest!=null && !"".equals(logoutRequest)) {
            	    		
                final String sessionIdentifier = XmlUtils.getTextForElement(logoutRequest, "SessionIndex");

                if (!"".equals(sessionIdentifier)&& sessionIdentifier!=null) {
                	log.info(" client---Remove A Session Indentify : "+sessionIdentifier);
                	final HttpSession session = SESSIONSTORAGE.removeByMappingId(sessionIdentifier);
                	
                	//首先注销本地session
                    request.getSession().invalidate();
                    log.info("client---invalidate request's Session");
                    
                	if (session != null) {
                		session.invalidate();
                	}
                    return;
                }
              
            }
        } else {
//非logout请求,判断是否包含ticket参数,如果包含缓存ticket session到map
            String artifact = request.getParameter(this.artifactParameterName);
            final HttpSession session = request.getSession();
            if(null == artifact && null != session.getAttribute("ticket")){
            	artifact = (String)session.getAttribute("ticket");
            }
            if (!"".equals(artifact)&&!"null".equals(artifact) && artifact!=null 
            		&& SESSIONSTORAGE.getSessionByMappingID(artifact)==null) {
            	log.info(" client---Add A New Session Indentify : "+artifact);
            	SESSIONSTORAGE.addSessionByMappingId(artifact, session); 
            }
        }

        filterChain.doFilter(servletRequest, servletResponse);
    }

你可能感兴趣的:(CAS之SingleSignOutFilter)