Some practical notes on CAS TGC, TGT and application-client sessions

Purpose: find out which of the two, the TGC or the application client's own session, controls the application client's logged-in state.

Local domain configuration:
| No. | Local domain | IP | Service port | Service |
|---|---|---|---|---|
| 1 | uac.com | 127.0.0.1 | 8080 | CAS server 5.3.x |
| 2 | upc1.com | 127.0.0.1 | 8015 | CAS client 1 (Spring Boot), front end and back end not separated |
| 3 | upc2.com | 127.0.0.1 | 8025 | CAS client 2 (Spring Boot), front end and back end not separated |

All services run over plain HTTP, each as a single instance.
Use case 1

| Step | upc1.com:8015 (session default 30 min) | cookie | upc2.com:8025 (session default 30 min) |
|---|---|---|---|
| 1 | Open upc1.com and log in with the CAS username and password | | |
| 2 | | Cookies are now set under all three domains: upc1.com, upc2.com and uac.com | Enters the logged-in state directly |
| 3 | | Delete the uac.com cookie, i.e. delete the TGC | |
| 4 | Still logged in, and no redirect | | Still logged in, and no redirect |
Use case 2

| Step | upc1.com:8015 (session default 30 min) | cookie | upc2.com:8025 (session default 30 min) |
|---|---|---|---|
| 1 | Open upc1.com and log in with the CAS username and password | | |
| 2 | | Cookies are set under the two domains upc1.com and uac.com | Enters the logged-in state directly |
| 3 | | Delete the upc1.com cookie | |
| 4 | The browser does one 302 redirect to uac.com, performs one SSO pass with the TGC and then stays logged in | A cookie is set under upc1.com again | Still logged in, and no redirect; here the login-state session is what is in control |
Use case 3

| Cumulative time /s | Increment /s | upc1.com:8015 (session 60 s) | cookie | upc2.com:8025 (session 600 s, 10 min) | TGT 120 s (2 min) |
|---|---|---|---|---|---|
| 0 | 0 | Open upc1.com and log in with the CAS username and password | | | |
| 0 | 0 | | Cookies are set under the two domains upc1.com and uac.com | Redirect; after one SSO pass with the TGC, enters the logged-in state directly | |
| 2 | +2 s | Still logged in, and no redirect; here the login-state session is in control | | | |
| 64 | +62 s | The browser does one 302 redirect to uac.com, performs one SSO pass with the TGC and then stays logged in; at the same time the TGT is extended by 120 s* | A cookie is set under upc1.com again | | |
| 184 | +120 s | | | | Expired |
| 186 | +2 s | Refresh: redirected to the login page | | Still logged in, and no redirect; here the login-state session is in control | |

* This shows that when the session has expired but the TGT has not, the application finds no session and redirects to uac.com for one authentication pass to obtain a new one.
Conclusion:

| | session not expired | session expired |
|---|---|---|
| TGT not expired | No redirect; the session controls the logged-in state | Redirect completes one TGC authentication, refreshes the TGT expiry time and rewrites the session |
| TGT expired | | Redirect, and the user has to log in again |
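To make the conclusion table concrete, here is an added Python simulation of the two idle timers involved: the client application's HTTP session, which is only touched when the application itself handles a request, and the TGT, which CAS refreshes each time the TGC is presented for SSO. This is not code from the original post or from Apereo CAS; it is a hypothetical minimal model whose assumptions are that both timeouts are sliding (idle) timeouts, that the TGC cookie value is simply the TGT id, and that the step sequence follows use case 3 (TGT 120 s, upc1 session 60 s, upc2 session 600 s). The outcome names SESSION, REDIRECT_SSO and REDIRECT_LOGIN are mine.

```python
"""Added simulation of the two idle timers behind the conclusion table, the client
app's HTTP session and the CAS server's TGT. Not code from the post or from
Apereo CAS: a hypothetical minimal model, with sliding timeouts assumed for both."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION = "SESSION"                # local session valid: served with no redirect at all
REDIRECT_SSO = "REDIRECT_SSO"      # 302 to uac.com, TGC still valid: new ST, session rewritten
REDIRECT_LOGIN = "REDIRECT_LOGIN"  # 302 to uac.com, TGC missing or expired: login page
Cookies = Dict[str, str]           # the browser's cookie jar: domain -> value


@dataclass
class IdleTimer:
    """Each touch pushes the expiry out by ttl seconds; expired once now reaches it."""
    ttl: int
    expires_at: int = 0

    def touch(self, now: int) -> None:
        self.expires_at = now + self.ttl

    def alive(self, now: int) -> bool:
        return now < self.expires_at


class CasServer:
    """uac.com. The TGC cookie value is modelled simply as the TGT id."""
    def __init__(self, tgt_ttl: int) -> None:
        self.tgts: Dict[str, IdleTimer] = {}
        self.tgt_ttl, self._ids = tgt_ttl, itertools.count(1)

    def password_login(self, now: int) -> str:
        """Credentials accepted: mint a TGT; its id is what gets planted as the TGC."""
        tgt = f"TGT-{next(self._ids)}"
        self.tgts[tgt] = IdleTimer(self.tgt_ttl)
        self.tgts[tgt].touch(now)
        return tgt

    def sso(self, tgc: Optional[str], now: int) -> Optional[str]:
        """Browser reaches /login?service=... with or without a TGC; returns an ST or None."""
        timer = self.tgts.get(tgc) if tgc else None
        if timer is None or not timer.alive(now):
            self.tgts.pop(tgc, None)
            return None
        timer.touch(now)  # use case 3: every SSO pass pushes the TGT expiry out again
        return f"ST-{next(self._ids)}"


class CasClient:
    """upcN.com: the application behind a CAS authentication filter."""
    def __init__(self, domain: str, session_ttl: int, server: CasServer) -> None:
        self.domain, self.session_ttl, self.server = domain, session_ttl, server
        self.sessions: Dict[str, IdleTimer] = {}
        self._ids = itertools.count(1)

    def _new_session(self, cookies: Cookies, now: int) -> None:
        sid = f"{self.domain}-S{next(self._ids)}"
        self.sessions[sid] = IdleTimer(self.session_ttl)
        self.sessions[sid].touch(now)
        cookies[self.domain] = sid  # (re)plant the app's own session cookie

    def password_login(self, cookies: Cookies, now: int) -> None:
        """First visit: login form on uac.com, then TGC and local session are both planted."""
        cookies["uac.com"] = self.server.password_login(now)
        self._new_session(cookies, now)

    def request(self, cookies: Cookies, now: int) -> str:
        """The filter checks the local session first; CAS is consulted only on a miss."""
        timer = self.sessions.get(cookies.get(self.domain, ""))
        if timer is not None and timer.alive(now):
            timer.touch(now)
            return SESSION  # the TGC is never looked at (use case 1: deleting it changes nothing)
        if self.server.sso(cookies.get("uac.com"), now) is None:
            return REDIRECT_LOGIN
        self._new_session(cookies, now)  # ST validated: session and cookie rewritten
        return REDIRECT_SSO


def run_use_case_3() -> List[Tuple[int, str, str]]:
    """Replays the use case 3 timeline as (seconds, domain, outcome) rows."""
    server = CasServer(tgt_ttl=120)
    upc1, upc2 = CasClient("upc1.com", 60, server), CasClient("upc2.com", 600, server)
    cookies: Cookies = {}
    upc1.password_login(cookies, 0)
    trace = [(0, "upc1.com", "PASSWORD_LOGIN")]
    for now, client in [(0, upc2), (2, upc1), (64, upc1)]:
        trace.append((now, client.domain, client.request(cookies, now)))
    tgt_alive = server.tgts[cookies["uac.com"]].alive(184)
    trace.append((184, "uac.com", "TGT_ALIVE" if tgt_alive else "TGT_EXPIRED"))
    for now, client in [(186, upc1), (186, upc2)]:
        trace.append((now, client.domain, client.request(cookies, now)))
    return trace


def run_use_case_1() -> List[Tuple[int, str, str]]:
    """Use case 1 with the default timeouts: deleting the TGC leaves both apps logged in."""
    server = CasServer(tgt_ttl=7200)
    upc1, upc2 = CasClient("upc1.com", 1800, server), CasClient("upc2.com", 1800, server)
    cookies: Cookies = {}
    upc1.password_login(cookies, 0)
    trace = [(0, "upc1.com", "PASSWORD_LOGIN"), (1, "upc2.com", upc2.request(cookies, 1))]
    del cookies["uac.com"]  # step 3: the TGC is removed from the browser
    return trace + [(2, c.domain, c.request(cookies, 2)) for c in (upc1, upc2)]
```

Running `run_use_case_3()` reproduces the table row by row: the request at 64 s misses the 60 s session, is redirected, and the SSO pass pushes the TGT out to 184 s; at 186 s upc1 is redirected to the login page because the TGT has lapsed, while upc2 is still served from its own 600 s session. `run_use_case_1()` shows the same point from the other side: once a local session exists, deleting the TGC changes nothing for either application.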
Use case 4

| Cumulative time /s | Increment /s | upc1.com:8015 (session 60 s) | IP | TGT 120 s (2 min) |
|---|---|---|---|---|
| 0 | 0 | Open upc1.com and log in with the CAS username and password | 192.168.55.186 | Shows the client IP as 192.168.55.187 |
| 1 | +1 s | | Changed to 192.168.55.187 | |
| 2 | +1 s | Still logged in, and no redirect; here the login-state session is in control | | |
| 64 | +62 s | The browser does one 302 redirect to uac.com; the SSO pass with the TGC fails and the user is bounced out | | |
| 120 | / | | | Expired |

Conclusion: when the browser's IP address changes

| | session not expired | session expired |
|---|---|---|
| TGT not expired | No redirect; the session controls the logged-in state, and the session does not validate the IP | The redirect completes one TGC authentication, which fails and bounces the user out: the TGC and TGT are validated against the IP |
Logs (CAS server audit trail):
2019-07-03 20:42:15,220 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: Supplied credentials: [UsernamePasswordCredential(username=admin)]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 192.168.55.186
SERVER IP ADDRESS: 192.168.201.133
=============================================================
2019-07-03 20:42:15,222 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: [result=Service Access Granted,service=http://upc1.com:8015/,principal=SimplePrincipal(id=admin, attributes={}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 192.168.55.186
SERVER IP ADDRESS: 192.168.201.133
=============================================================
2019-07-03 20:42:15,229 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: [result=Service Access Granted,service=http://upc1.com:8015/,principal=SimplePrincipal(id=admin, attributes={}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 192.168.55.186
SERVER IP ADDRESS: 192.168.201.133
=============================================================
2019-07-03 20:42:15,328 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: TGT-3-********************************************************JsDPyBHjB6EMacBook-Air
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 192.168.55.186
SERVER IP ADDRESS: 192.168.201.133
=============================================================
2019-07-03 20:42:15,489 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: [result=Service Access Granted,service=http://upc1.com:8015/,requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 192.168.55.186
SERVER IP ADDRESS: 192.168.201.133
=============================================================
2019-07-03 20:42:15,597 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-4-ON4d9a6idHILT594YW0NVe5aKJQMacBook-Air for http://upc1.com:8015/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 192.168.55.186
SERVER IP ADDRESS: 192.168.201.133
=============================================================
2019-07-03 20:42:15,682 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access Granted,service=http://upc1.com:8015/,principal=SimplePrincipal(id=admin, attributes={}),requiredAttributes={}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
2019-07-03 20:42:15,797 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-4-ON4d9a6idHILT594YW0NVe5aKJQMacBook-Air
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
2019-07-03 20:43:43,180 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Wed Jul 03 20:43:43 CST 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Jul 03 20:43:43 CST 2019
CLIENT IP ADDRESS: 192.168.55.187
SERVER IP ADDRESS: 192.168.201.133
=============================================================
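As a defender-side companion to the use case 4 finding (the TGC and TGT are bound to the client IP, the application session is not), here is an added Python example, not code from the post or from CAS, that parses inspektr audit records in the format shown above and reports browser-facing activity from a client IP other than the one that created the user's TGT. The sample log is a trimmed copy of three of the records above. The BROWSER_FACING action set, the loopback skip (the client applications run on 127.0.0.1 in this lab, so service-ticket validation arrives from loopback) and the 120 s idle window are my assumptions, and the correlation is a detection heuristic rather than CAS's own check.

```python
"""Added example: parse CAS (inspektr) audit-trail records like those above and
flag browser-facing activity from a client IP other than the one that created the
user's TGT. Not code from the post or from CAS; a detection heuristic, not CAS's check."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a trimmed copy of three of the audit records shown above.
SAMPLE_LOG = """\
2019-07-03 20:42:15,328 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: TGT-3-********************************************************JsDPyBHjB6EMacBook-Air
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 192.168.55.186
SERVER IP ADDRESS: 192.168.201.133
=============================================================
2019-07-03 20:42:15,797 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-4-ON4d9a6idHILT594YW0NVe5aKJQMacBook-Air
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jul 03 20:42:15 CST 2019
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
2019-07-03 20:43:43,180 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Wed Jul 03 20:43:43 CST 2019,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Wed Jul 03 20:43:43 CST 2019
CLIENT IP ADDRESS: 192.168.55.187
SERVER IP ADDRESS: 192.168.201.133
=============================================================
"""

Record = NamedTuple("Record", [("when", datetime), ("who", str), ("action", str), ("client_ip", str)])
Alert = NamedTuple("Alert", [("when", datetime), ("who", str), ("action", str),
                             ("expected_ip", str), ("seen_ip", str)])
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) .*<Audit trail record BEGIN")
FIELD = re.compile(r"^(WHO|ACTION|CLIENT IP ADDRESS): (.*)$")


def parse_audit_log(text: str) -> List[Record]:
    """One Record per 'Audit trail record BEGIN' block. The timestamp is taken from
    the log line rather than the WHEN field, so no timezone-name parsing is needed."""
    records: List[Record] = []
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        f = FIELD.match(line)
        if m:
            fields = {"when": m.group(1)}
        elif f and fields:
            fields[f.group(1)] = f.group(2).strip()
        elif line.startswith("=====") and len(fields) == 4:  # second rule: block complete
            records.append(Record(datetime.strptime(fields["when"], "%Y-%m-%d %H:%M:%S,%f"),
                                  fields["WHO"], fields["ACTION"], fields["CLIENT IP ADDRESS"]))
            fields = {}
    return records


# Actions produced on the browser leg of the flow (assumed set). SERVICE_TICKET_VALIDATED
# is the application's back-channel call and is left out; in this lab the applications
# run on 127.0.0.1, so loopback records are skipped as well.
BROWSER_FACING = {"AUTHENTICATION_SUCCESS", "TICKET_GRANTING_TICKET_CREATED",
                  "SERVICE_TICKET_CREATED", "SERVICE_ACCESS_ENFORCEMENT_TRIGGERED",
                  "AUTHENTICATION_EVENT_TRIGGERED"}


def find_client_ip_changes(records: List[Record],
                           tgt_idle: timedelta = timedelta(seconds=120)) -> List[Alert]:
    """Pin each TGT to the client IP that created it (the use case 4 observation) and
    report later browser-facing records from another IP while the TGT can still be
    alive; tgt_idle mirrors the 120 s TGT timeout used in the experiments."""
    pinned: Dict[str, Tuple[str, datetime]] = {}  # user -> (ip at TGT creation, last seen)
    alerts: List[Alert] = []
    for r in records:
        if r.action not in BROWSER_FACING or r.client_ip.startswith("127."):
            continue
        if r.action == "TICKET_GRANTING_TICKET_CREATED":
            pinned[r.who] = (r.client_ip, r.when)
            continue
        # Some webflow events are audited as 'audit:unknown': compare against every live TGT.
        for user in ([r.who] if r.who in pinned else list(pinned)):
            ip, last_seen = pinned[user]
            if r.when - last_seen > tgt_idle:
                del pinned[user]  # idle timeout passed: this TGT cannot be alive any more
            elif r.client_ip != ip:
                alerts.append(Alert(r.when, r.who, r.action, ip, r.client_ip))
            else:
                pinned[user] = (ip, r.when)
    return alerts
```

On the sample, the TGT is pinned to 192.168.55.186 and the webflow event 88 s later from 192.168.55.187 produces one alert, which is exactly the request that CAS itself rejected in use case 4. Shrinking `tgt_idle` below that gap drops the alert, since the TGT could no longer have been alive; in production the window should match the configured TGT timeout rather than the 120 s used in this lab.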