SSO Single Sign-On Series 6: CAS single sign-on: handling an invalid ticket so that refreshing after logout no longer reports a 500 error


I found this problem some time ago, and recently several buddies have been asking me how to deal with it. I have been working on another project, so CAS has been set aside for a few weeks. Now let's change the web.xml of your application (Client2/3) to solve this silly problem. First, the error description:

Problem: I am logged in to both Client2 and Client3. I then log out of Client2. When I refresh Client3 with F5, the result page reports an error:

Unable to identify the target 'st-41-2vcnvmgucdwjx5zhaaad-cas01.example.org' ticket

type Exception report
message org.jasig.cas.client.validation.TicketValidationException:
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: Unable to identify the target 'st-41-2vcnvmgucdwjx5zhaaad-cas01.example.org' ticket
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:155)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
root cause
org.jasig.cas.client.validation.TicketValidationException: Unable to identify the target 'st-41-2vcnvmgucdwjx5zhaaad-cas01.example.org' ticket
    org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:73)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
    org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
    org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:99)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.37 logs.


The cause is easy to guess: I logged out, so the ticket is no longer valid, and when the client sends it back to the server for validation an error is reported. (The error is raised when the client submits the invalid ticket.) What follows is a simple way to handle an invalid CAS ticket. A more thorough solution requires modifying the client source code to handle the exception.


1. This is the only approach I use here. (You could also modify some Java classes in the client jar to handle the exception, so that every error that can occur while using CAS goes to an error page and the logged-out user is asked to log in again. Here we only use web.xml configuration.)


2. This is the official explanation: https://wiki.jasig.org/display//Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml It says:


The correct order of the filters in web.xml is necessary:

  1. AuthenticationFilter
  2. TicketValidationFilter (whichever one is chosen)
  3. HttpServletRequestWrapperFilter
  4. AssertionThreadLocalFilter


In other words, the order of the filter chain must be correct. In my previous tutorials the CAS client's web.xml did not use these filters; now we will use them.


3. Here is an explanation a buddy gave earlier, which I am reposting:

Single sign-out, client configuration: I tried to use SAML for authentication and ticket validation. However, during debugging, I found that single sign-out can only recognize CAS authentication and validation.
Authentication: org.jasig.cas.client.authentication.AuthenticationFilter
Validation: org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
Filter order:
1. CAS Single Sign Out Filter
2. CAS Validation Filter
3. CAS Authentication Filter
4. CAS HttpServletRequest Wrapper Filter
5. CAS Assertion Thread Local Filter
Pay special attention to putting validation before authentication, because I am using Cas20ProxyReceivingTicketValidationFilter. According to the CAS documentation: if you are using proxy validation, you should map the validation filter before the authentication filter.


4. OK, here is my web.xml. Discard the old CAS Filter and use another filter (CAS Authentication Filter) instead, then add the other three filters (CAS Validation Filter, CAS HttpServletRequest Wrapper Filter, CAS Assertion Thread Local Filter). Pay attention to the filter order.


 


<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         version="2.5"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

  <!-- Fix garbled Chinese characters -->
  <filter>
    <filter-name>spring filter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
      <param-name>encoding</param-name>
      <param-value>UTF-8</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>spring filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- Fix garbled Chinese characters -->

  <!-- 1. Used for single sign-out -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- 2. Ticket validation -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>http://192.168.168.141:8080/casserver</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>192.168.168.141:8080</param-value>
    </init-param>
    <init-param>
      <param-name>useSession</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>exceptionOnValidationFailure</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>redirectAfterValidation</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- 3. Single sign-on authentication -->
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>http://192.168.168.141:8080/casserver/login</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://192.168.168.141:8080</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- 3. Used for single sign-on authentication against the server (previously used)
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>http://192.168.168.141:8080/casserver/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>http://192.168.168.141:8080/casserver/serviceValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>192.168.168.141:8080</param-value>
    </init-param>
  </filter>
  -->

  <!-- 4. CAS HttpServletRequest Wrapper Filter: wraps HttpServletRequest so that
       getUserPrincipal and getRemoteUser can be used to obtain user information -->
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- 5. CAS Assertion Thread Local Filter: stores the Assertion in a ThreadLocal variable
       so that the application can obtain the current login information outside the web layer -->
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <servlet>
    <servlet-name>query</servlet-name>
    <servlet-class>servlet.query</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>query</servlet-name>
    <url-pattern>/query</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>


5. With this configuration you also need to change the way the front end obtains user information. My index.jsp now looks like this:



<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@ page import="edu.yale.its.tp.cas.client.filter.CASFilter"%>
<%@ page import="org.jasig.cas.client.util.AssertionThreadLocalFilter"%>
<%@ page import="org.jasig.cas.client.util.HttpServletRequestWrapperFilter"%>
<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal"%>
<%@ page import="org.jasig.cas.client.util.AbstractCasFilter"%>
<%@ page import="org.jasig.cas.client.validation.Assertion"%>
<body>


OK. Now when one application logs out, the other no longer returns an error even if the request still carries the ticket parameter. Even when a colleague from the test team takes the ticket and copies it into another browser, no error is reported.
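The web.xml in step 4 depends on two things: the CAS filters being mapped in the stated order, and exceptionOnValidationFailure being set to false on the validation filter. The following check is an added example, not part of the original post or of the CAS client; the function names check_cas_web_xml and sample_web_xml are hypothetical, the sample XML is constructed, and the expected order is the one used in step 4 (proxy validation mapped before authentication).

```python
import xml.etree.ElementTree as ET

P = "org.jasig.cas.client."
# Mapping order used by the page's final web.xml (proxy validation before authentication).
EXPECTED = [P + "session.SingleSignOutFilter",
            P + "validation.Cas20ProxyReceivingTicketValidationFilter",
            P + "authentication.AuthenticationFilter",
            P + "util.HttpServletRequestWrapperFilter",
            P + "util.AssertionThreadLocalFilter"]

def _text(elem, tag):
    return (elem.findtext(tag) or "").strip()

def check_cas_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    for e in root.iter():                      # drop the javaee namespace prefix
        e.tag = e.tag.rsplit("}", 1)[-1]
    filters = root.findall("filter")
    classes = {_text(f, "filter-name"): _text(f, "filter-class") for f in filters}
    # The container runs filters in the order of their <filter-mapping> elements.
    mapped = [_text(m, "filter-name") for m in root.findall("filter-mapping")]
    seen = [classes[n] for n in mapped if classes.get(n) in EXPECTED]
    findings = [f"no mapping for {c}" for c in EXPECTED if c not in seen]
    ranks = [EXPECTED.index(c) for c in seen]
    if ranks != sorted(ranks):
        findings.append("CAS filters out of order: " + " -> ".join(seen))
    for f in filters:
        if _text(f, "filter-class") == EXPECTED[1]:
            params = {_text(p, "param-name"): _text(p, "param-value")
                      for p in f.findall("init-param")}
            if params.get("exceptionOnValidationFailure") != "false":
                findings.append("validation filter: exceptionOnValidationFailure is not 'false'")
    return findings

def sample_web_xml(order, on_failure="false"):
    """Constructed web.xml that maps the given filter classes in the given order."""
    body = ""
    for i, cls in enumerate(order):
        init = ("<init-param><param-name>exceptionOnValidationFailure</param-name>"
                f"<param-value>{on_failure}</param-value></init-param>"
                if cls == EXPECTED[1] else "")
        body += (f"<filter><filter-name>f{i}</filter-name><filter-class>{cls}"
                 f"</filter-class>{init}</filter><filter-mapping><filter-name>f{i}"
                 "</filter-name><url-pattern>/*</url-pattern></filter-mapping>")
    return f'<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">{body}</web-app>'

if __name__ == "__main__":
    print(check_cas_web_xml(sample_web_xml(EXPECTED[::-1])))
```

To check a real deployment, pass the text of the application's own WEB-INF/web.xml to check_cas_web_xml.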


PS:

You can also modify the file C:\tomcat7\webapps\casserver\WEB-INF\spring-configuration\ticketExpirationPolicies.xml



<!-- Expiration policies -->
<util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS"/>
<bean id="serviceTicketExpirationPolicy"
      class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
      c:numberOfUses="1"
      c:timeToKill="${st.timeToKillInSeconds:10}"
      c:timeUnit-ref="SECONDS"/>

Here:

c:numberOfUses="1" // how many times the ticket can be used

c:timeToKill="${st.timeToKillInSeconds:10}" // the number of seconds before the ticket expires. The default value is 10 seconds. Change this value to 10 minutes.

I have not tried this method. Anyone who wants to experiment with it can follow this link: http://bbs.csdn.net/topics/390111112



Rain

July 26, 2013 13:37:05
