I spent the whole day today trying to find the reason why, after logging out, the client could still be accessed.
This single sign-out function does not seem to invalidate the client's session.
http://10.100.1.240:9090/cas-client-1/
The client can still be accessed directly; it is not redirected to the cas-server login page.
protected Event doInternalExecute(final HttpServletRequest request, final HttpServletResponse response,
        final RequestContext context) throws Exception {
    boolean needFrontSlo = false;
    putLogoutIndex(context, 0);
    final List<LogoutRequest> logoutRequests = WebUtils.getLogoutRequests(context);
    if (logoutRequests != null) {
        for (final LogoutRequest logoutRequest : logoutRequests) {
            // if some logout request must still be attempted
            if (logoutRequest.getStatus() == LogoutRequestStatus.NOT_ATTEMPTED) {
                needFrontSlo = true;
                break;
            }
        }
    }
    final String service = request.getParameter(CasProtocolConstants.PARAMETER_SERVICE);
    if (this.followServiceRedirects && service != null) {
        final Service webAppService = new WebApplicationServiceFactory().createService(service);
        final RegisteredService rService = this.servicesManager.findServiceBy(webAppService);
        if (rService != null && rService.getAccessStrategy().isServiceAccessAllowed()) {
            context.getFlowScope().put("logoutRedirectUrl", service);
        }
    }
    // there are some front services to logout, perform front SLO
    if (needFrontSlo) {
        return new Event(this, FRONT_EVENT);
    } else {
        // otherwise, finish the logout process
        return new Event(this, FINISH_EVENT);
    }
}
It never even reaches the destroyTicketGrantingTicket method of org.jasig.cas.CentralAuthenticationServiceImpl, which the articles I found online say is called on logout to invalidate the ticket.
In the end I had no other choice, so I downloaded the same cas-server version used in the online examples, cas-server-3.5.2-release.zip. After deploying it, the test succeeded.
Below are the related materials I found online. I mainly referred to the first blog post.
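For the problem described above (a client session that survives a CAS logout), the client side is where the session actually gets invalidated: CAS posts a SAML LogoutRequest to each client, and the client's SingleSignOutFilter looks up the session created by the service ticket named in that request and kills it. The following is an added example, not code from this post or from the CAS project, that models that client-side step in Python with a constructed logout request and made-up ticket and session ids; it shows that if the request never arrives, or names a ticket the client never saw, nothing is invalidated and the user stays logged in on the client.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the "logoutRequest" POST parameter CAS sends to a client.
# The ID and ticket value are made up for this example.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-1-example" Version="2.0" '
    'IssueInstant="2017-11-01T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-example-ticket</samlp:SessionIndex>'
    '</samlp:LogoutRequest>' % SAMLP
)


class SessionRegistry:
    """Maps the service ticket that created a local session to that session id,
    the same bookkeeping the CAS client keeps in its SessionMappingStorage."""

    def __init__(self):
        self.ticket_to_session = {}
        self.active_sessions = set()

    def on_ticket_validated(self, ticket, session_id):
        # Called when the client validates a service ticket and creates a local session.
        self.ticket_to_session[ticket] = session_id
        self.active_sessions.add(session_id)

    def is_active(self, session_id):
        return session_id in self.active_sessions


def session_index_from_request(logout_request_xml):
    """Extract the service ticket from <samlp:SessionIndex>, or None if absent."""
    root = ET.fromstring(logout_request_xml)
    node = root.find("{%s}SessionIndex" % SAMLP)
    return node.text.strip() if node is not None and node.text else None


def handle_logout_request(registry, logout_request_xml):
    """Invalidate the local session bound to the ticket named in the request.
    Returns the invalidated session id, or None when the ticket is unknown; in
    that case the client session is untouched, which is exactly the symptom of
    a logout that the server never delivered to this client."""
    ticket = session_index_from_request(logout_request_xml)
    session_id = registry.ticket_to_session.pop(ticket, None)
    if session_id is None:
        return None
    registry.active_sessions.discard(session_id)
    return session_id
```

A quick way to check a real deployment is to watch the client's access log for the POST carrying the logoutRequest parameter when you log out of CAS: if it never shows up, the client has no way to know the session should end.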
http://blog.csdn.net/lifetragedy/article/details/43817903
Single Sign-On: CAS SSO from Beginner to Expert (Day 1)
https://www.cnblogs.com/chenrd/p/5164706.html
Analysis of how cas+shiro unified logout works
http://blog.csdn.net/timesongjie/article/details/51945718
Single sign-out
http://blog.csdn.net/i__rookie/article/details/77893776
Single sign-out
http://blog.csdn.net/zhurhyme/article/details/38341113
CAS Getting Started, Part 22: Problems after automatic single sign-out
http://blog.csdn.net/bitree1/article/details/55212283
Single Sign-On CAS Series 8: Configuring single sign-out on the client
http://jcbay.iteye.com/blog/860018
CAS 3.4 single sign-out detailed configuration (Configuring Single Sign Out)