CAS single-sign-out

Source: Internet
Author: User

When a user logs out of CAS, the CAS server remembers which system the user logged out from, and the next login, even with a different account, is sent back to that same system. We want every login to go through the Management Server first and to decide where to jump based on the region of the user account. Testing showed the following. The first login used the nanjingview account, which belongs to the Collection Server; it went through the Management Server first and was then redirected to the Collection Server, so both the Management Server and the Collection Server held session information for that user. After logging out from the Collection Server, the login information on the Collection Server was deleted, but the information on the Management Server was still saved. When we logged in again with the root account (after destination had been removed), the request first reached the Management Server, which found that a user session already existed. It did not overwrite that session with the new user's information but kept using the previous one, so session[:cas_user] still returned nanjingview, an account whose region is municipal, and the user was redirected to the Collection Server. The user information obtained on the Collection Server, however, was root's, because that information comes from the CAS server, not from the Management Server. This explains why, even without destination, the login was always redirected to the Collection Server: the Management Server had kept the nanjingview user information. To fix this, the login information on the Management Server must also be deleted when the user logs out of the Collection Server. That is what single-sign-out does, so we describe it below.
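The following is an added example, not code from the original post or from rubycas-client. It models the two Management Server behaviours described above in plain Ruby: reusing a session that already holds a CAS user (the problem), versus resetting the session whenever the CAS server validates a ticket for a different user. The session is a Hash standing in for the Rails session; the user names, tickets and the region mapping are constructed for the example.

```ruby
# Added example, not from the original post or from rubycas-client.
# A Hash stands in for the Rails session; names, tickets and the
# region mapping below are constructed for this illustration.

REGIONS = {
  "nanjingview" => :municipal,    # constructed: a municipal (Collection Server) account
  "root"        => :headquarters  # constructed: an account that stays on the Management Server
}.freeze

# Problem behaviour: a :cas_user already present in the session wins over
# the user the CAS server has just validated.
def establish_session_stale(session, validated_user, ticket)
  session[:cas_user] ||= validated_user
  session[:cas_last_valid_ticket] ||= ticket
  session[:cas_user]
end

# Corrected behaviour: a newly validated ticket always replaces the local
# identity, and a session left behind by a different user is cleared first
# (the equivalent of controller.reset_session) so nothing of it survives.
def establish_session_reset(session, validated_user, ticket)
  session.clear if session[:cas_user] && session[:cas_user] != validated_user
  session[:cas_user] = validated_user
  session[:cas_last_valid_ticket] = ticket
  session[:cas_user]
end

# Routing decision made after the session is established, as in the post:
# municipal accounts are sent on to the Collection Server.
def destination_for(session)
  region = REGIONS.fetch(session[:cas_user], :unknown)
  region == :municipal ? :collection_server : :management_server
end

# Scenario from the post: nanjingview logged in earlier and only the
# Collection Server's session was removed, so the Management Server session
# still carries nanjingview; now root logs in with a fresh ticket.
def simulate(strategy)
  session = { cas_user: "nanjingview", cas_last_valid_ticket: "ST-old-nanjingview" }  # constructed leftover
  user = send(strategy, session, "root", "ST-new-root")
  [user, destination_for(session), session[:cas_last_valid_ticket]]
end

if __FILE__ == $0
  p simulate(:establish_session_stale)   # ["nanjingview", :collection_server, "ST-old-nanjingview"]
  p simulate(:establish_session_reset)   # ["root", :management_server, "ST-new-root"]
end
```

With the stale strategy the old identity, its ticket and the routing decision all survive root's login; with the reset strategy the old ticket is gone too, which matters because single-sign-out later looks sessions up by that ticket.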

Configure single-sign-out:

  • Server configuration file config.yml

    ##### SINGLE SIGN-OUT ##########################################################
    # When a user logs in to a CAS-enabled client application, that application
    # generally opens its own local user session. When the user then logs out
    # through the CAS server, each of the CAS-enabled client applications need
    # to be notified so that they can close their own local sessions for that user.
    #
    # Up until recently this was not possible within CAS. However, a method for
    # performing this notification was recently added to the protocol (in CAS 3.1).
    # This works exactly as described above -- when the user logs out, the CAS
    # server individually contacts each client service and notifies it of the
    # logout. Currently not all client applications support this, so this
    # behaviour is disabled by default. To enable it, uncomment the following
    # configuration line. Note that currently it is not possible to enable
    # or disable single-sign-out on a per-service basis, but this functionality
    # is planned for a future release.
    #enable_single_sign_out: true

Set enable_single_sign_out to true by uncommenting that last line.
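As an added example (not code from the original post or from rubycas-client), the following models the notification the config.yml comment describes: when the user logs out, the CAS server POSTs a logoutRequest to each client, carrying the service ticket (ST) it issued to that client, and the client maps the ST back to the local session it opened and destroys it. The class name, the in-memory mapping and session stores, and the sample logoutRequest are constructed stand-ins for rubycas-client's service-session lookup and the ActiveRecord session store the post switches to.

```ruby
require "rexml/document"

# Added example, not from the original post or from rubycas-client.
# In-memory stand-ins (hypothetical names) for the client's ST -> session
# lookup and for its session store.
class SingleSignOutHandler
  SAMLP_NS = { "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }.freeze

  def initialize
    @ticket_to_session = {}  # ST -> local session id, recorded at login
    @sessions = {}           # local session id -> session data
  end

  # Called after the CAS server validated +ticket+ for +user+: open the local
  # session and remember which ST opened it. A later logoutRequest naming
  # that ST can then find the session without the client ever acting on a
  # session id supplied over the network.
  def register_login(ticket, session_id, user)
    @sessions[session_id] = { cas_user: user, cas_last_valid_ticket: ticket }
    @ticket_to_session[ticket] = session_id
  end

  def session_alive?(session_id)
    @sessions.key?(session_id)
  end

  # Handles the POSTed logoutRequest parameter. Returns :logged_out,
  # :unknown_ticket (no session for that ST, e.g. already logged out or a
  # replayed request) or :malformed (not a logoutRequest). The client answers
  # the CAS server with 200 in all three cases; the outcome is for logging.
  def handle_logout_request(xml)
    doc = REXML::Document.new(xml)
    node = REXML::XPath.first(doc, "//samlp:SessionIndex", SAMLP_NS)
    return :malformed unless node && node.text
    session_id = @ticket_to_session.delete(node.text.strip)  # one-shot lookup
    return :unknown_ticket unless session_id
    @sessions.delete(session_id)
    :logged_out
  rescue REXML::ParseException
    :malformed
  end
end

# Constructed sample in the CAS 3.1 logoutRequest shape (ID, timestamp and
# ticket value are made up).
SAMPLE_LOGOUT_REQUEST = <<~XML
  <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      ID="LR-example-1" Version="2.0" IssueInstant="2010-05-07T03:19:26Z">
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
    <samlp:SessionIndex>ST-1-example</samlp:SessionIndex>
  </samlp:LogoutRequest>
XML

# Walks through one login, the matching logoutRequest, and a replay of it.
def demo_single_sign_out
  handler = SingleSignOutHandler.new
  handler.register_login("ST-1-example", "sess-mgmt-1", "nanjingview")
  first  = handler.handle_logout_request(SAMPLE_LOGOUT_REQUEST)
  alive  = handler.session_alive?("sess-mgmt-1")
  replay = handler.handle_logout_request(SAMPLE_LOGOUT_REQUEST)
  [first, alive, replay]
end

if __FILE__ == $0
  p demo_single_sign_out   # [:logged_out, false, :unknown_ticket]
end
```

This is why the post has to switch to the ActiveRecord session store: the logoutRequest arrives in a request from the CAS server, not from the user's browser, so the client must be able to find and delete the session by ticket on the server side, which a cookie-only session store cannot do.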

  • Client side (see http://github.com/gunark/rubycas-client)

1. Add the following configuration to the project's environment.rb file:

    CASClient::Frameworks::Rails::Filter.configure(
      :cas_base_url => "https://cas.example.foo/",
      :enable_single_sign_out => true
    )

2. Modify the session_store.rb file in config/initializers as follows:

    # Use the database for sessions instead of the cookie-based default,
    # which shouldn't be used to store highly confidential information
    # (create the session table with "rake db:sessions:create")
    ActionController::Base.session_store = :active_record_store

(Remove the comment from the last line. Single-sign-out requires the ActiveRecord method of session storage; the cookie session store is used by default.)

The modification previously found on the Internet is config.action_controller.session_store = :active_record_store in the environment.rb file. That now produces an error after the change; presumably the Rails version has been upgraded and the setting must be made in session_store.rb instead.

3. Create the session data table

Run the following in the project root directory:

    rake db:sessions:create

This generates the migrate folder under the project's db folder and the file 20100507031926_create_sessions.rb, with the following content:

    class CreateSessions < ActiveRecord::Migration
      def self.up
        create_table :session do |t|
          t.string :session_id, :null => false
          t.text :data
          t.timestamps
        end

        add_index :session, :session_id
        add_index :session, :updated_at
      end

      def self.down
        drop_table :session
      end
    end

Run the command:

    rake db:migrate

A data table named session is generated in the database configured for the project. The table structure and content are as follows:

An error may occur when running rake:

    rake aborted!
    No Rakefile found (looking for: rakefile, Rakefile, rakefile.rb, Rakefile.rb)

This is because there should be a Rakefile in the project root directory. If it is missing, just copy one in.

4. Remove forgery protection

If forgery (CSRF) protection is enabled, the following error occurs:

    ActionController::InvalidAuthenticityToken

Solution: the application_controller.rb file must not apply forgery protection to the CAS actions:

    protect_from_forgery(:except => [:login, :logoutcas, :logout, :filter, :single_sign_out])
    skip_before_filter :verify_authenticity_token

Alternatively, modify the configuration file config/environments/development.rb:

    # Disable request forgery protection in development environment
    config.action_controller.allow_forgery_protection = false

However, this disables forgery protection entirely, so we recommend the first method.

The solution here references the article http://www.javaeye.com/topic/350718

Remove destination after logging out of the system:

After logging out of a system, the URL contains a ?destination parameter pointing to the system that was just logged out of, and that system is entered again at the next login. This is implemented by the Filter in the client file vendor/plugins/rubycas-client/lib/casclient/frameworks/rails/filter.rb:

    # Clears the given controller's local Rails session, does some local
    # CAS cleanup, and redirects to the CAS logout page. Additionally, the
    # request.referer value from the controller instance
    # is passed to the CAS server as a 'destination' parameter. This
    # allows RubyCAS server to provide a follow-up login page allowing
    # the user to log back in to the service they just logged out from
    # using a different username and password. Other CAS server
    # implementations may use this 'destination' parameter in different
    # ways.
    # If given, the optional service URL overrides
    # request.referer.
    def logout(controller, service = nil)
      referer = service || controller.request.referer
      st = controller.session[:cas_last_valid_ticket]
      delete_service_session_lookup(st) if st
      controller.send(:reset_session)
      controller.send(:redirect_to, client.logout_url(referer))
    end

Here the referer value can be set to nil, and this can be done in the client's own logout method. For example, we wrote the following logout_controller.rb file:

    class LogoutController < ApplicationController
      def logoutcas
        self.request.env['HTTP_REFERER'] = nil
        CASClient::Frameworks::Rails::Filter.logout(self)
      end
    end

Setting self.request.env['HTTP_REFERER'] = nil clears the HTTP referer information.

After removing the destination parameter, you also need to edit the CAS server's controllers.rb file in /lib/ruby/gems/1.8/gems/rubycas-server-0.7.999999.20100202/lib/casserver.

In the get method of the Logout class, assign @service a value: @service = "http://192.168.1.84:4000/redirect". Otherwise casserver does not know where to jump after login and stays on the login page (which only tells you that login succeeded).

Log in to the Management Server based on the account:

The other modification we made to controllers.rb is to @service in the get method of the Login class:

    if @service.nil? or @service == ""
      @service = "http://192.168.1.84:4000/redirect"
    end

This forces the redirect to the redirect method only when @service has no value.

Summary

The above is the configuration and modification to make CAS fit our system requirements.
