Research on the CAS client SingleSignOutFilter

Source: Internet
Author: User
    <!-- This filter is optional for single-point logout. -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

SingleSignOutFilter stores the session in SessionMappingStorage when the request carries the ticket parameter. If the request carries the logoutRequest parameter, the session is invalidated. You may ask when entries are removed from SessionMappingStorage. That is done by SingleSignOutHttpSessionListener: when a session is destroyed, the data in SessionMappingStorage corresponding to that session ID is deleted. You must therefore configure this listener when using single sign-out; otherwise the client can easily run out of memory. Let's take a look at the overall logic of SingleSignOutFilter.

So when is this triggered? When any client you are logged in to calls https://XXX:8443/logout, the CAS server reads the TGT from the cookie, finds the addresses corresponding to all of the STs associated with that TGT, and sends an HTTP request carrying the logoutRequest parameter to each address.

Configure web.xml

Let's see how the source code is implemented:

    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
            final FilterChain filterChain) throws IOException, ServletException {
        // Cast the request to its HTTP form.
        final HttpServletRequest request = (HttpServletRequest) servletRequest;

        // Check whether the request has a parameter with the name given by the
        // artifactParameterName property. The default value is "ticket".
        if (handler.isTokenRequest(request)) {
            // If so, record the session in the local SessionMappingStorage.
            handler.recordSession(request);
        } else if (handler.isLogoutRequest(request)) {
            // Check whether the parameter named by logoutParameterName exists.
            // The default parameter name is "logoutRequest".
            // If so, delete the record in SessionMappingStorage and invalidate the session.
            handler.destroySession(request);
            // After invalidating the session, stop executing the filter chain immediately.
            return;
        } else {
            log.trace("Ignoring URI " + request.getRequestURI());
        }

        // Unless the request was a logout request, continue with the following filters.
        filterChain.doFilter(servletRequest, servletResponse);
    }

    public final class SingleSignOutHandler {
        ...

        /**
         * Determines whether the given request contains an authentication token.
         *
         * @param request HTTP request.
         *
         * @return True if request contains authentication token, false otherwise.
         */
        public boolean isTokenRequest(final HttpServletRequest request) {
            return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.artifactParameterName));
        }

        /**
         * Determines whether the given request is a CAS logout request.
         *
         * @param request HTTP request.
         *
         * @return True if request is logout request, false otherwise.
         */
        public boolean isLogoutRequest(final HttpServletRequest request) {
            return "POST".equals(request.getMethod()) && !isMultipartRequest(request) &&
                CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName));
        }

        /**
         * Associates a token request with the current HTTP session by recording the mapping
         * in the configured {@link SessionMappingStorage} container.
         *
         * @param request HTTP request containing an authentication token.
         */
        public void recordSession(final HttpServletRequest request) {
            final HttpSession session = request.getSession(true);
            final String token = CommonUtils.safeGetParameter(request, this.artifactParameterName);

            try {
                this.sessionMappingStorage.removeBySessionById(session.getId());
            } catch (final Exception e) {
                // ignore if the session is already marked as invalid.  Nothing we can do!
            }
            sessionMappingStorage.addSessionById(token, session);
        }

        /**
         * Destroys the current HTTP session for the given CAS logout request.
         *
         * @param request HTTP request containing a CAS logout message.
         */
        public void destroySession(final HttpServletRequest request) {
            final String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName);

            final String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex");
            if (CommonUtils.isNotBlank(token)) {
                final HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token);
                if (session != null) {
                    String sessionID = session.getId();

                    try {
                        session.invalidate();
                    } catch (final IllegalStateException e) {
                        log.debug("Error invalidating session.", e);
                    }
                }
            }
        }

        ....
    }
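The bookkeeping walked through above, as an added stand-alone Java example that is not the CAS client's own code: the class SessionStoreDemo, its method names, and the ticket, session and logout message values are constructed for illustration. It models the three paths (ticket request, logout request, session-destroyed listener) and shows that an entry for a session that merely times out is only removed through the listener path.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
// Hypothetical stand-alone model (not the CAS client API) of the bookkeeping above.
public class SessionStoreDemo {
    private final Map<String, String> ticketToSession = new HashMap<>();
    private final Map<String, String> sessionToTicket = new HashMap<>();
    // Token request: bind the service ticket to the session, replacing any old binding.
    public synchronized void record(String ticket, String sessionId) {
        sessionDestroyed(sessionId);
        ticketToSession.put(ticket, sessionId);
        sessionToTicket.put(sessionId, ticket);
    }

    // Logout request: read SessionIndex from the untrusted POST body; returns the session to invalidate.
    public synchronized String logout(String logoutMessage) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject DOCTYPE declarations so the message cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList n = f.newDocumentBuilder().parse(new InputSource(new StringReader(logoutMessage)))
                .getElementsByTagNameNS("*", "SessionIndex");
        if (n.getLength() == 0) return null;
        String sessionId = ticketToSession.remove(n.item(0).getTextContent().trim());
        if (sessionId != null) sessionToTicket.remove(sessionId);
        return sessionId;
    }

    // Listener path: a session timed out or was invalidated, so drop its entry.
    public synchronized void sessionDestroyed(String sessionId) {
        String ticket = sessionToTicket.remove(sessionId);
        if (ticket != null) ticketToSession.remove(ticket);
    }
    public synchronized int size() { return ticketToSession.size(); }

    public static void main(String[] args) throws Exception {
        SessionStoreDemo store = new SessionStoreDemo();
        store.record("ST-1-constructed", "SESSION-A");   // constructed sample values
        store.record("ST-2-constructed", "SESSION-B");
        String msg = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
                + "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex></samlp:LogoutRequest>";
        System.out.println("invalidate: " + store.logout(msg));
        store.sessionDestroyed("SESSION-B");             // without this call the entry leaks
        System.out.println("entries left: " + store.size());
    }
}
```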
