这里只给出核心代码 doFilter
[b]首先要明确一点 SingleSignOutFilter 会拦截所有请求,而不是仅仅拦截logout时的请求[/b]
在sso client应用中存在一个Map<Ticket,HttpSession>对象
在sso server认证用户名密码成功后,会redirect一个带有ticket的请求到sso client
这时就执行下面的逻辑,ticket和当前session会被缓存到Map
退出时,sso server发送带logoutRequest参数的http请求到每一个sso client
这时就会执行下面的逻辑 --- 删除ticket对应的session 然后销毁session
[b]首先要明确一点 SingleSignOutFilter 会拦截所有请求,而不是仅仅拦截logout时的请求[/b]
在sso client应用中存在一个Map<Ticket,HttpSession>对象
在sso server认证用户名密码成功后,会redirect一个带有ticket的请求到sso client
这时就执行下面的逻辑,ticket和当前session会被缓存到Map
退出时,sso server发送带logoutRequest参数的http请求到每一个sso client
这时就会执行下面的逻辑 --- 删除ticket对应的session 然后销毁session
public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
final HttpServletRequest request = (HttpServletRequest) servletRequest;
//add for webdav sso
String reqURI = ((HttpServletRequest)request).getRequestURI();
boolean isCesso = false;
if(reqURI.endsWith("/webdav") || reqURI.contains("/webdav/")){
if(request.getHeader(WEBDAV_CESSO_FLAG)!=null
&& !request.getHeader(WEBDAV_CESSO_FLAG).equals(""))
isCesso = Boolean.valueOf(request.getHeader(WEBDAV_CESSO_FLAG).toString());
if(!isCesso){
filterChain.doFilter(servletRequest, servletResponse);
return;
}
}
//退出时,cas server向cas client发送post请求,其中包括了sessionId,此filter获取session并销毁之
if ("POST".equals(request.getMethod())) {
final String logoutRequest = request.getParameter("logoutRequest");
if (logoutRequest!=null && !"".equals(logoutRequest)) {
final String sessionIdentifier = XmlUtils.getTextForElement(logoutRequest, "SessionIndex");
if (!"".equals(sessionIdentifier)&& sessionIdentifier!=null) {
log.info(" client---Remove A Session Indentify : "+sessionIdentifier);
final HttpSession session = SESSIONSTORAGE.removeByMappingId(sessionIdentifier);
//首先注销本地session
request.getSession().invalidate();
log.info("client---invalidate request's Session");
if (session != null) {
session.invalidate();
}
return;
}
}
} else {
//非logout请求,判断是否包含ticket参数,如果包含缓存ticket session到map
String artifact = request.getParameter(this.artifactParameterName);
final HttpSession session = request.getSession();
if(null == artifact && null != session.getAttribute("ticket")){
artifact = (String)session.getAttribute("ticket");
}
if (!"".equals(artifact)&&!"null".equals(artifact) && artifact!=null
&& SESSIONSTORAGE.getSessionByMappingID(artifact)==null) {
log.info(" client---Add A New Session Indentify : "+artifact);
SESSIONSTORAGE.addSessionByMappingId(artifact, session);
}
}
filterChain.doFilter(servletRequest, servletResponse);
}