Why single logout is needed
In the previous posts we covered how to set up single sign-on and how to register services. The purpose of single sign-on is to avoid logging in repeatedly, and wherever there is single sign-on there is usually also single logout, because the two go together. After a successful CAS login, CAS leaves each of our clients with its own session; on the next request to that client, the CAS jar we imported checks whether the request already has a session. If it does, the remaining checks are skipped; if not, they run. Now imagine we click the CAS logout. What we saw was this: three subsystems are registered with CAS, and we had opened two of them through single sign-on; after running the CAS logout, the two subsystems already open were unaffected and still logged in, while the third subsystem, when we opened it, asked us to log in. This looks strange, because single sign-on is supposed to mean that once logged in, the subsystems are accessed without logging in again. At first I thought I had made a mistake, but after a long time the behaviour was still the same.
Recall the TGT (see the earlier post on how CAS single sign-on works): when we log in, the browser records a TGT, and the next time a subsystem goes to CAS, CAS checks the browser's TGT and, if it is there, grants a ticket; that chain of steps is what produces the login-free effect. What the CAS logout actually does is invalidate only that TGT on the CAS server. So when we open the third subsystem, the CAS client finds neither a session nor an ST and redirects to the CAS login page; if CAS were still logged in it could issue an ST directly, but because our earlier logout invalidated the TGT, CAS sees no login and asks us to log in again. The subsystems that were already open keep their own local sessions, which the TGT invalidation never touched. The customer will not be satisfied with this: what they want is that logging out of one logs out of all, just as logging in to one logs in to all. That requires single logout, which is what I want to talk about next.
The principle of single logout
The principle of single logout is not hard; CAS has in fact already implemented this logout function for us. I drew a flowchart to help everyone understand it.
The logout process is the one in the flowchart above. For how the logout is actually carried out you can read the CAS single logout source; it is not difficult. If you understand how CAS works you will know about the ST: when the CAS client writes the session it also saves the ST, and when the session is deleted it is looked up and removed through that ST. All of this is in the source; if needed I will go through the source code when I have time.
Where to set the logout URL
The CAS logout process above involves a logoutUrl; this is where it is set.
The CAS logout configuration is in fact described in the official documentation.
CAS logout has three modes:
NONE: single logout disabled, plain single sign-on only
BACK_CHANNEL: implicit (back-channel) logout, the default
FRONT_CHANNEL: explicit (front-channel) logout
The first one we will not discuss.
Implicit logout: CAS sends a logout notification directly to the business system, and the system's backend logs the user out itself.
Explicit logout: CAS sends the logout data to the client through the browser; the client receives it, logs the user out, and then forwards back to CAS so that CAS can continue the logout process.
CAS uses the second mode by default, and the second mode is the one I use to explain below.
There are several ways to set the logout URL, but the principle is the same. Let's start with a JSON service file:
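To make the back-channel mode and the ST bookkeeping from the principle section concrete, here is an added example (my own illustration, not code from the original post or from the CAS project): a minimal client-side handler that keeps a registry of ST to local session, receives the SAML LogoutRequest that CAS posts to the service's logoutUrl, reads the SessionIndex (which carries the ST), and invalidates the matching local session. The class name, the in-memory maps and the sample LogoutRequest are constructed for the demo; no servlet API is used so the class compiles and runs on its own.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Constructed demo of back-channel single logout on the CAS client side.
public class BackChannelLogoutDemo {

    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** ST -> local session id, filled in when the ticket is validated (stands in for the client jar's registry). */
    private final Map<String, String> sessionsByTicket = new ConcurrentHashMap<>();
    /** Local session id -> alive flag; stands in for the servlet container's session store. */
    private final Map<String, Boolean> sessions = new ConcurrentHashMap<>();

    /** Called after a successful ST validation: remember which local session this ST created. */
    public void recordLogin(String serviceTicket, String sessionId) {
        sessions.put(sessionId, Boolean.TRUE);
        sessionsByTicket.put(serviceTicket, sessionId);
    }

    public boolean isLoggedIn(String sessionId) {
        return Boolean.TRUE.equals(sessions.get(sessionId));
    }

    /**
     * Extract the SessionIndex from a SAML LogoutRequest. The body arrives over the
     * network, so DTDs and entity expansion are switched off before parsing.
     */
    static String extractSessionIndex(String logoutRequest) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(logoutRequest)));
        NodeList nodes = doc.getElementsByTagNameNS(SAMLP_NS, "SessionIndex");
        if (nodes.getLength() != 1) {
            return null; // malformed or ambiguous request: ignore it
        }
        return nodes.item(0).getTextContent().trim();
    }

    /** Handle one POST to the logoutUrl; returns true if a local session was ended. */
    public boolean handleLogoutRequest(String logoutRequest) throws Exception {
        String st = extractSessionIndex(logoutRequest);
        if (st == null) {
            return false;
        }
        String sessionId = sessionsByTicket.remove(st);
        if (sessionId == null) {
            return false; // unknown or already-ended ST: nothing to invalidate
        }
        return sessions.remove(sessionId) != null;
    }

    public static void main(String[] args) throws Exception {
        BackChannelLogoutDemo client = new BackChannelLogoutDemo();
        client.recordLogin("ST-1-constructed", "JSESSIONID-A");
        // Constructed sample of the message CAS posts in the 'logoutRequest' form parameter.
        String request = "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP_NS + "\" "
                + "ID=\"LR-constructed\" Version=\"2.0\" IssueInstant=\"2019-01-01T00:00:00Z\">"
                + "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID>"
                + "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>"
                + "</samlp:LogoutRequest>";
        System.out.println("logged in before: " + client.isLoggedIn("JSESSIONID-A"));
        System.out.println("session ended:    " + client.handleLogoutRequest(request));
        System.out.println("logged in after:  " + client.isLoggedIn("JSESSIONID-A"));
    }
}
```

The registry is the reason the logoutUrl matters: CAS only knows the ST it issued, so the client must be able to go from that ST back to its own session. A second POST with the same ST returns false, which is the right outcome for a replayed or duplicated notification.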
    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      "serviceId": "^(https|imaps|http)://localhost:8080.*",
      "name": "Name",
      "id": 10000010,
      "description": "desc",
      "evaluationOrder": 1,
      "logoutUrl": "http://localhost:8080"
    }
We can see the logoutUrl setting above; it is not difficult, it only needs to be set. I will not go through the other fields of the file. If we want to choose the logout mode, we add a logoutType field to this file (the same setting the Java code below makes with setLogoutType); the CAS documentation explains in detail which fields are required and which are optional, and you can refer to it when filling the file in.
The JSON file approach above is always a bit of a hassle for me, so I use the JPA database store instead; the principle and the fields are the same. We register services through a REST interface:
    import java.io.IOException;
    import org.apereo.cas.services.LogoutType;
    import org.apereo.cas.services.RegexRegisteredService;
    import org.apereo.cas.services.RegisteredService;
    import org.apereo.cas.services.ReturnAllAttributeReleasePolicy;
    import org.apereo.cas.services.ServicesManager;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.web.bind.annotation.PathVariable;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    // The CAS ServicesManager bean, injected into the controller
    @Autowired
    private ServicesManager servicesManager;

    @RequestMapping(value = "/addclient/{protocol}/{serviceid}/{id}", method = RequestMethod.GET)
    public String addClient(@PathVariable("serviceid") String serviceId,
                            @PathVariable("protocol") String protocol,
                            @PathVariable("id") int id) throws IOException {
        String url = protocol + "://" + serviceId;
        RegisteredService svc = servicesManager.findServiceBy(url);
        if (svc != null) {
            // 0 means the service already exists. Services are matched by regular
            // expression, so it is recommended to register by IP or domain + port.
            return "0";
        }
        // Match every URL that starts with this URL
        String pattern = "^" + url + ".*";
        RegexRegisteredService service = new RegexRegisteredService();
        ReturnAllAttributeReleasePolicy re = new ReturnAllAttributeReleasePolicy();
        service.setServiceId(pattern);
        service.setId(id);
        service.setAttributeReleasePolicy(re);
        // Use the serviceId as the service name throughout
        service.setName(serviceId);
        service.setLogoutType(LogoutType.BACK_CHANNEL);
        service.setLogoutUrl(url); // needed for single logout
        servicesManager.save(service);
        servicesManager.load();
        return "1"; // service added successfully
    }
That finishes CAS logout, and with it we can achieve single logout. But in a distributed deployment there will be problems: because the systems sit behind a load balancer, the logout request may be handled by a different node than the one holding the session, so the session invalidation may fail. I will look at how to solve this problem in the next post.