CAS服务端redis集群搭建

最新推荐文章于 2020-11-28 14:41:58 发布
最新推荐文章于 2020-11-28 14:41:58 发布
阅读量840 收藏
点赞数
文章标签: 数据库 java
原文链接:https://my.oschina.net/leewb/blog/758940
版权

:cas4.0.x+Tomcat7+Jdk7+redis3.0

CAS中的票据默认是存储在TicketRegistry中的,若是想要实现CAS服务端的集群,首先要做的是将票据共享到缓存中。

1.实现AbstractDistributedTicketRegistry抽象类

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Collection;
import javax.validation.constraints.Min;
import org.jasig.cas.ticket.ServiceTicket;
import org.jasig.cas.ticket.Ticket;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry;
import org.springframework.beans.factory.DisposableBean;
import redis.clients.jedis.Jedis;
import com.sdzn.cas.util.RedisClient;
public class RedisTicketRegistry extends AbstractDistributedTicketRegistry
implements DisposableBean {
/**
* TGT cache entry timeout in seconds.
*/
@Min(0)
private final int tgtTimeout;
/**
* ST cache entry timeout in seconds.
*/
@Min(0)
private final int stTimeout;
/**
* Creates a new instance that stores tickets
*
* @param ticketGrantingTicketTimeOut
* TGT timeout in seconds.
* @param serviceTicketTimeOut
* ST timeout in seconds.
*/
public RedisTicketRegistry(final int ticketGrantingTicketTimeOut,
final int serviceTicketTimeOut) {
this.tgtTimeout = ticketGrantingTicketTimeOut;
this.stTimeout = serviceTicketTimeOut;
}
protected void updateTicket(final Ticket ticket) {
logger.debug("Updating ticket {}", ticket);
try {
addTicket(ticket);
} catch (final Exception e) {
logger.error("Failed updating {}", ticket, e);
}
}
public void addTicket(final Ticket ticket) {
logger.debug("Adding ticket {}", ticket);
try {
Jedis jedis = RedisClient.getJedis();
int seconds = 0;
String key = ticket.getId();
if (ticket instanceof TicketGrantingTicket) {
// key = ((TicketGrantingTicket) ticket).getAuthentication()
// .getPrincipal().getId();
seconds = tgtTimeout;
} else {
seconds = stTimeout;
}
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = null;
try {
oos = new ObjectOutputStream(bos);
oos.writeObject(ticket);
} catch (Exception e) {
logger.error("adding ticket to redis error.");
} finally {
try {
if (null != oos) oos.close();
} catch (Exception e) {
logger.error("oos closing error when adding ticket to redis.");
}
}
jedis.set(key.getBytes(), bos.toByteArray());
jedis.expire(key.getBytes(), seconds);
RedisClient.closeJedis(jedis);
} catch (final Exception e) {
logger.error("Failed adding {}", ticket, e);
}
}
public boolean deleteTicket(final String ticketId) {
logger.debug("Deleting ticket {}", ticketId);
try {
if (ticketId == null) {
return false;
}
Jedis jedis = RedisClient.getJedis();
jedis.del(ticketId.getBytes());
RedisClient.closeJedis(jedis);
return true;
} catch (final Exception e) {
logger.error("Failed deleting {}", ticketId, e);
}
return false;
}
public Ticket getTicket(final String ticketId) {
try {
final Ticket t = getRawTicket(ticketId);
if (t != null) {
return getProxiedTicketInstance(t);
}
} catch (final Exception e) {
logger.error("Failed fetching {} ", ticketId, e);
}
return null;
}
private Ticket getRawTicket(final String ticketId) {
if (null == ticketId) return null;
Jedis jedis = RedisClient.getJedis();
Ticket ticket = null;
if (jedis.exists(ticketId.getBytes())) {
ByteArrayInputStream bais = new ByteArrayInputStream(
jedis.get(ticketId.getBytes()));
ObjectInputStream ois = null;
try {
ois = new ObjectInputStream(bais);
ticket = (Ticket) ois.readObject();
} catch (Exception e) {
logger.error("getting ticket to redis error.");
} finally {
try {
if (null != ois) ois.close();
} catch (Exception e) {
logger.error("ois closing error when getting ticket to redis.");
}
}
}
RedisClient.closeJedis(jedis);
return ticket;
}
/**
* {@inheritDoc} This operation is not supported.
*
* @throws UnsupportedOperationException
* if you try and call this operation.
*/
@Override
public Collection<Ticket> getTickets() {
throw new UnsupportedOperationException("GetTickets not supported.");
}
public void destroy() throws Exception {
/**
* TODO
*/
}
/**
* @param sync
* set to true, if updates to registry are to be synchronized
* @deprecated As of version 3.5, this operation has no effect since async
* writes can cause registry consistency issues.
*/
@Deprecated
public void setSynchronizeUpdatesToRegistry(final boolean sync) {
}
@Override
protected boolean needsCallback() {
return true;
}
private int getTimeout(final Ticket t) {
if (t instanceof TicketGrantingTicket) {
return this.tgtTimeout;
} else if (t instanceof ServiceTicket) {
return this.stTimeout;
}
throw new IllegalArgumentException("Invalid ticket type");
}
}

2.修改ticketRegistry.xml

<?xml version="1.0" encoding="UTF-8"?>

<!--

 

Licensed to Jasig under one or more contributor license

agreements. See the NOTICE file distributed with this work

for additional information regarding copyright ownership.

Jasig licenses this file to you under the Apache License,

Version 2.0 (the "License"); you may not use this file

except in compliance with the License. You may obtain a

copy of the License at the following location:

 

http://www.apache.org/licenses/LICENSE-2.0

 

Unless required by applicable law or agreed to in writing,

software distributed under the License is distributed on an

"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

KIND, either express or implied. See the License for the

specific language governing permissions and limitations

under the License.

 

-->

<beans xmlns="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:p="http://www.springframework.org/schema/p"

xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

<description>

Configuration for the default TicketRegistry which stores the tickets in-memory and cleans them out as specified intervals.

</description>

<!-- Ticket Registry

<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.DefaultTicketRegistry" />-->

<bean id="ticketRegistry" class="com.sdzn.cas.support.RedisTicketRegistry">

<constructor-arg index="0" value="36000" />

<constructor-arg index="1" value="2" />

</bean>

<!--Quartz -->

<!-- TICKET REGISTRY CLEANER

<bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"

p:ticketRegistry-ref="ticketRegistry"

p:logoutManager-ref="logoutManager" />

<bean id="jobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean"

p:targetObject-ref="ticketRegistryCleaner"

p:targetMethod="clean" />

<bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean"

p:jobDetail-ref="jobDetailTicketRegistryCleaner"

p:startDelay="20000"

p:repeatInterval="5000000" />-->

</beans>

3.共享tomcat中的session。

拷贝编译打包之后的tomcat-redis-session-manager-VERSION.jar,jedis-2.5.2.jar,commons-pool2-2.2.jar到tomcat/lib目录下;修改Tomcat context.xml:

<Valve className="com.orangefunction.tomcat.redissessions.RedisSessionHandlerValve"/>

<Manager className="com.orangefunction.tomcat.redissessions.RedisSessionManager"

host="redis_server_name"

port="6379"

database="0"

maxInactiveInterval="1800"/>

CAS使用redis集群后的问题:

1.1问题描述

第一次登陆成功,退出后无法再次登陆

日志信息

DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>

DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-16-0WUz0ySwzIrQ1QhfMbFm6Lyl0wK6uP-sso1.***.com>

1.2问题排查

跟踪访问流程发现是由于第一次登出后,会在浏览器残留上一次所使用CASTGC以及SESSIONID,因此导致在登出后访问时发生重定向不能正确登陆。

1.3解决办法

修改退出流程,增加对于cookie的清除

import java.util.List;

 

import javax.servlet.http.Cookie;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import javax.validation.constraints.NotNull;

 

import org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl;

import org.jasig.cas.logout.LogoutRequest;

import org.jasig.cas.logout.LogoutRequestStatus;

import org.jasig.cas.services.RegisteredService;

import org.jasig.cas.services.ServicesManager;

import org.jasig.cas.web.flow.AbstractLogoutAction;

import org.jasig.cas.web.support.WebUtils;

import org.springframework.webflow.execution.Event;

import org.springframework.webflow.execution.RequestContext;

 

public class MyLogoutAction extends AbstractLogoutAction {

 

@NotNull

private ServicesManager servicesManager;

private boolean followServiceRedirects;

 

protected Event doInternalExecute(HttpServletRequest request,

HttpServletResponse response, RequestContext context)

throws Exception {

boolean needFrontSlo = false;

putLogoutIndex(context, 0);

List<LogoutRequest> logoutRequests = WebUtils

.getLogoutRequests(context);

if (logoutRequests != null) {

for (LogoutRequest logoutRequest : logoutRequests) {

if (logoutRequest.getStatus() == LogoutRequestStatus.NOT_ATTEMPTED) {

needFrontSlo = true;

break;

}

}

}

 

String service = request.getParameter("service");

if ((this.followServiceRedirects) && (service != null)) {

RegisteredService rService = this.servicesManager

.findServiceBy(new SimpleWebApplicationServiceImpl(service));

 

if ((rService != null) && (rService.isEnabled())) {

context.getFlowScope().put("logoutRedirectUrl", service);

}

 

}

 

/**

* delete cookie

*/

Cookie[] cookies = request.getCookies();

for (Cookie cookie : cookies) {

cookie.setMaxAge(0);

response.addCookie(cookie);

}

if (needFrontSlo) {

return new Event(this, "front");

}

 

return new Event(this, "finish");

}

 

public void setFollowServiceRedirects(boolean followServiceRedirects) {

this.followServiceRedirects = followServiceRedirects;

}

 

public void setServicesManager(ServicesManager servicesManager) {

this.servicesManager = servicesManager;

}

}

2.1问题描述

第一次输入密码失败后无法再次登陆的问题。

2.2问题原因

webflow中的信息是保存在session中的,但是tomcat-redis-session-manager中对于对象中属性发生改变或集合增删内容的情况是不会同步。github上关于该特性的描述如下:


As noted in the "Overview" section above, in order to prevent colliding writes, the Redis Session Manager only serializes the session object into Redis if the session object has changed (it always updates the expiration separately however.) This dirty tracking marks the session as needing serialization according to the following rules:

Calling session.removeAttribute(key) always marks the session as dirty (needing serialization.)

Calling session.setAttribute(key, newAttributeValue) marks the session as dirty if any of the following are true:

previousAttributeValue == null && newAttributeValue != null

previousAttributeValue != null && newAttributeValue == null

!newAttributeValue.getClass().isInstance(previousAttributeValue)

!newAttributeValue.equals(previousAttributeValue)

This feature can have the unintended consequence of hiding writes if you implicitly change a key in the session or if the object's equality does not change even though the key is updated. For example, assuming the session already contains the key "myArray" with an Array instance as its corresponding value, and has been previously serialized, the following code would not cause the session to be serialized again:

List myArray = session.getAttribute("myArray");

myArray.add(additionalArrayValue);

If your code makes these kind of changes, then the RedisSession provides a mechanism by which you can mark the session as dirty in order to guarantee serialization at the end of the request. For example:

List myArray = session.getAttribute("myArray");

myArray.add(additionalArrayValue);

session.setAttribute("__changed__");

In order to not cause issues with an application that may already use the key "__changed__", this feature is disabled by default. To enable this feature, simple call the following code in your application's initialization:

RedisSession.setManualDirtyTrackingSupportEnabled(true);

大意是如果要实现对象内容的更改,需要同时在session中出发给定的条件。所以这里修改了Spring webflow源代码:

package org.springframework.webflow.context.servlet;

 

import java.util.Iterator;

 

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpSession;

 

import org.springframework.binding.collection.SharedMap;

import org.springframework.binding.collection.StringKeyedMapAdapter;

import org.springframework.web.util.WebUtils;

import org.springframework.webflow.context.web.HttpSessionMapBindingListener;

import org.springframework.webflow.core.collection.AttributeMapBindingListener;

import org.springframework.webflow.core.collection.CollectionUtils;

 

public class HttpSessionMap extends StringKeyedMapAdapter implements SharedMap {

 

private static final String REDIS_CHANGE_KEY = "__changed__";

private HttpServletRequest request;

 

public HttpSessionMap(HttpServletRequest request) {

this.request = request;

}

 

private HttpSession getSession() {

return this.request.getSession(false);

}

 

protected Object getAttribute(String key) {

HttpSession session = getSession();

if (session == null) {

return null;

}

Object value = session.getAttribute(key);

if ((value instanceof HttpSessionMapBindingListener)) {

return ((HttpSessionMapBindingListener) value).getListener();

}

return value;

}

 

protected void setAttribute(String key, Object value) {

HttpSession session = this.request.getSession(true);

if ((value instanceof AttributeMapBindingListener)) {

session.setAttribute(key, new HttpSessionMapBindingListener(

(AttributeMapBindingListener) value, this));

} else

session.setAttribute(key, value);


 

session.setAttribute(REDIS_CHANGE_KEY, "");

}

 

protected void removeAttribute(String key) {

HttpSession session = getSession();

if (session != null) session.removeAttribute(key);

}

 

protected Iterator getAttributeNames() {

HttpSession session = getSession();

return session == null ? CollectionUtils.EMPTY_ITERATOR

: CollectionUtils.toIterator(session.getAttributeNames());

}

 

public Object getMutex() {

HttpSession session = this.request.getSession(true);

Object mutex = session.getAttribute(WebUtils.SESSION_MUTEX_ATTRIBUTE);

return mutex != null ? mutex : session;

}

}

增加了REDIS_CHANGE_KEY ,在每次setAttribute时将其作为key放入session中。问题得以解决。

转载于:https://my.oschina.net/leewb/blog/758940

chengsha3931
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
基于RedisCAS集群
03-18 5620
单点登录(SSO)是复杂应用系统的基本需求,Yale CAS是目前常用的开源解决方案。CAS认证中心,基于其特殊作用,自然会成为整个应用系统的核心,所有应用系统的认证工作,都将请求到CAS来完成。因此CAS服务器是整个应用的关键节点,CAS发生故障,所有系统都将陷入瘫痪。同时,CAS的负载能力要足够强,能够承担所有的认证请求响应。利用负载均衡和集群技术,不仅能克服CAS单点故障,同时将认证请求分布
CAS使用 配置Redis
GuanHao的博客
06-09 4831
首先配置依赖 &lt;!-- casredis依赖 --&gt; &lt;dependency&gt; &lt;groupId&gt;org.apereo.cas&lt;/groupId&gt; &lt;artifactId&gt;cas-server-support-redis-ticket-registry&lt;/artifactId&gt; &lt;versi...
cas服务器,客户端的集群配置,分布式部署redis
qq_29467891的博客
06-24 1319
前言:由于项目需要配置负载均衡集群等,而cas的登录session及票据ticket等是保存在内存的,集群后分别在两个tomcat服务器上,所以会出现登录一个客户端之后,访问另一个客户端,此时可能请求的是另一个cas服务器的tomcat,这一个尚未登录,因此获取不到登录的信息,仍然会跳转登录页,单点登录失效。 通过查阅资料,发现处理这种情况,需要两个步骤,分别是: (1)session共享 :session的存取都从中央缓存redis中存取 (2)票证共享 :采用统一的ticket存取策略,所有tic
基于rediscas集群配置(转)
weixin_34396103的博客
06-05 151
1、cas ticket统一存储   做cas集群首先需要将ticket拿出来,做统一存储,以便每个节点访问到的数据一致。官方提供基于memcached的方案,由于项目需要,需要做计入redis,根据官方例子改了一个基于redis版本的。 public class RedisTicketRegistry extends AbstractDistributedTicketRegistry...
cas-server-webapp-session-redis-5.2.3.jar
12-26
cas-server-webapp-session-redis-3.2.4.jar
cas单点登录_使用Redis实现CAS单点登录技术方案
weixin_39867212的博客
11-28 458
什么是单点登录单点登录(Single Sign On),简称为 SSO,是目前比较流行的企业业务整合的解决方案之一。SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统。我们目前的系统存在诸多子系统,而这些子系统是分别部署在不同的服务器中,那么使用传统方式的session是无法解决的,我们需要使用相关的单点登录技术来解决。我们为何要单点登录系统现在随着微服务的概念拆分...
redis集群搭建手册.docx
02-18
redis集群搭建手册
Redis分布式集群搭建
02-24
上图蓝色为redis集群的节点。节点之间通过ping命令来测试连接是否正常,节点之间没有主区分,连接到任何一个节点进行操作时,都可能会转发到其他节点。节点之间会定时的互相发送ping命令,测试节点的健康状态,当...
redis集群搭建md文档
03-04
redis集群搭建md文档
Redis集群搭建
01-20
Redis集群搭建 在Centos7.5上多台宿主机使用docker部署redis集群的过程,redis集群一般需要6台redis服务器,使用docker可以节省服务器资源,除开放主从6379和6380端口外还得开放集群总线端口,集群总线端口为redis...
cas4.1.2+redis实践
03-28
jdk1.8,其中用到redis存储tickets,使用了代理模式、restful、自定义用户验证等,由于文件大小的限制,client1和casproxy只有应用,把其解压后下面的目录拷贝到tomcat下的webapp即能使用,如果没有redis需要修改server\webapps\casser\WEB-INF\spring-configuration下的ticketRegistry.xml,使用默认的<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.DefaultTicketRegistry"/>
cas4.1.x集成mysql,ldap,redis(session和票据),写了简单的两个客户端demo
12-05
cas4.1.x集成mysql(同时也集成了ldap,目前被注释了),集成了session放在redis共享,集成了登录票据tgt放在redis共享,同时写了两个简单demo客户端做测试
redis 集群搭建
09-30
redis 集群搭建 ,单节点,集群搭建,工具包
redis的集群部署
wyl9527的博客
11-01 371
1、工具 / 环境 机器环境:linux虚拟机 操作系统:CentOS Linux release 7.4.1708 (Core) 3台虚拟机IP:172.18.1.23,172.18.1.24,172.18.1.25(注:Redis集群要求至少要有三个节点) 2、安装Redis yum -y install gcc #如果没有gcc编译容器则需要安装 wget http://down...
CAS 4.0 Cluster / Tomcat redis Session manager / Token(TGT)存入Redis集群 / Nginx 负载
竹子.GE的专栏
07-20 3509
Nginx conf:如何Tomcat 不做SESSION共享可以开启IP_HASH.upstream tomcat { ##ip_hash; server 200.10.10.67:8110; server 200.10.10.67:8120; }Tomcat Session 参照【1】–注意jar版本号CAS 相应开发配置Pom.xml 配置:相应的POM文件引入depe
cas5.x实现将ticket维护到redis集群(不使用官方提供的哨兵模式)
架构师的成长之路的博客
08-30 2538
转载至:http://zhfeat.cc/article/45 2020博客地址汇总 2019年博客汇总 前段时间基于CAS 5.2.6为公司二次开发了一套SSO单点登陆系统,整体来说比较顺利,不过最后卡在了将CAS服务端登陆所产生的ticket放到redis集群中这一环节。现在网上相关资料最多的是基于CAS 4.x版本的文章,对于CAS 5.x版本相关的资料还是比较少的,因此没有找到具体的解决同学,纠结了许久最后通过覆盖官方提供的jar包中的类解决了这个问题,希望能帮助到同样遇到这个问题的..
cas入门之二十九:cas 集群简介
snoopy
09-16 9412
cas 的运行环境是tomcat,cas的集群主要分为两部分,一是登录过程中session的集群,二是登录之后产生的ticket的集群。 对于登录之后产生的ticket的集群,则相对容易,根据我前几篇文章可以找到答案,这两部分可以通过组合完成,达成相应的目的。 对于cas ticket集群,目前测试通过的有三种方式 1.jpa ticket repositry 参看 2.echcache
redis实现CAS
qq_40369829的博客
12-13 1889
文章目录CASmultiwatchJedis实现 CAS mysql的UPDATE,hbase的checkAndPut提供CAS操作。 redis基于watch和multi也可以实现CAS乐观锁。 multi multi:multi开启事务(非原子性),包含多个命令。 exec触发。 可以理解为打包的批量执行脚本,某条命令执行失败不会导致之前的命令回滚,后续命令也会继续执行。 watch ...
CAS 5.3.x 单点登录实现集群搭建,快速入手(一)!!!!
Qensq的博客
08-23 6522
前言: 该篇教程描述如何搭建CAS5.3.x集群操作,由于官方文档并没有贴出集群搭建方案,所以本博主根据源码剖析解决该问题。 文档并没有深入浅出说明原理,直接贴代码用于快速上手学习。 gainward555指出官网有提供配置,本人确实没注意到该配置内容,以为只是其他与redis有关并没有详细看配置内容,仔细看后发现确实是集群配置(吐槽下:官网的文档说明写的跟猫屎一样),地址如下: 官方配置...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值