轉載自:http://blog.yoodb.com/yoodb/article/detail/1225
CAS的核心就是Ticket中文稱之爲票據,以及在Ticket之上的一系列邏輯處理操作。CAS的主要包含票據有TGT、ST、PGT、PGTIOU、PT,其中TGT、ST是CAS1.0協議中就有的票據,PGT、PGTIOU、PT是CAS2.0協議中新增的的票據,目前CAS最新版本已經到了CAS4.0。cas分爲服務端和客戶端兩部分組成,下簡單說一說CAS認證過程:
1)用戶訪問cas-client,被攔截跳轉到cas-server進行登錄,輸入正確的用戶信息
2)登錄成功後,cas-server簽發一個TGC票據,寫入瀏覽器同時生成一個TGT對象,放入自己的緩存,TGT對象的ID就是cookie的值,並再次跳轉到cas-client,同時攜帶着ST票據
cas-client發現有ST票據則拿着ST票據去cas-server驗證,如果驗證通過,則返回用戶名信息
3)cas-client登錄成功,用戶訪問另一個cas-client2時,也會被攔截再次跳轉到cas-server發現TGC票據生成的TGT對象的ID值存在則直接驗證通過,簽發一個ST票據給cas-client2。
關於TGT和ST術語解釋
• TGT(Ticket Grangting Ticket)
TGT是CAS爲用戶簽發的登錄票據,擁有了TGT,用戶就可以證明自己在CAS成功登錄過。TGT封裝了Cookie值以及此Cookie值對應的用戶信息。用戶在CAS認證成功後,CAS生成cookie(叫TGC),寫入瀏覽器,同時生成一個TGT對象,放入自己的緩存,TGT對象的ID就是cookie的值。當HTTP再次請求到來時,如果傳過來的有CAS生成的cookie,則CAS以此cookie值爲key查詢緩存中有無TGT ,如果有的話,則說明用戶之前登錄過,如果沒有,則用戶需要重新登錄。
• ST(Service Ticket)
ST是CAS爲用戶簽發的訪問某一service的票據。用戶訪問service時,service發現用戶沒有ST,則要求用戶去CAS獲取ST。用戶向CAS發出獲取ST的請求,如果用戶的請求中包含cookie,則CAS會以此cookie值爲key查詢緩存中有無TGT,如果存在TGT,則用此TGT簽發一個ST,返回給用戶。用戶憑藉ST去訪問service,service拿ST去CAS驗證,驗證通過後,允許用戶訪問資源。
下面爲大家說一說ST票據和TGT票據的過期策略,上述已經簡單介紹ST票據和TGT票據的含義,這裏就不做說明了,打開cas-server工程查找ticketExpirationPolicies.xml配置文件,配置具體內容如下:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
<?xml version="1.0" encoding="UTF-8"?><!-- Licensed to Jasig under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. Jasig licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at the following location: http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.--><beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"> <description> Assignment of expiration policies for the different tickets generated by CAS including ticket granting ticket (TGT), service ticket (ST), proxy granting ticket (PGT), and proxy ticket (PT). These expiration policies determine how long the ticket they are assigned to can be used and even how often they can be used before becoming expired / invalid. </description> <!-- Expiration policies --> <util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS"/> <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy" c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/> <!-- TicketGrantingTicketExpirationPolicy: Default as of 3.5 --> <!-- Provides both idle and hard timeouts, for instance 2 hour sliding window with an 8 hour max lifetime --> <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy" p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}" p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/></beans> |
TGT票據過期配置,默認時間是兩小時,當用戶在2個小時(7200秒)之內不動移動鼠標或者進行系統超過8個小時(28800秒),則tgt過期,具體配置如下:
|
1
2
3
4
|
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy" p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}" p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/></beans> |
ST票據過期配置,默認時間是10秒鐘,使用次數爲1 次或者超過10秒沒有應用均會引起st過期,具體配置如下:
|
1
2
|
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy" c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/> |
推薦↓↓↓↓↓↓
更多推薦:微信公衆號《優哉遊哉》
關注微信公衆號“優哉遊哉”(w_z90110),回覆關鍵字領取資料:如Hadoop,Dubbo,CAS源碼等等,免費領取資料視頻和項目等。
微信公衆號涵蓋:程序人生、搞笑視頻、算法與數據結構、黑客技術與網絡安全、前端開發、Java、Python、Redis緩存、spring源碼、各大主流框架、Web開發、大數據技術、Storm、Hadoop、MapReduce、Spark、elasticsearch、單點登錄統一認證、分佈式框架、集羣、安卓開發、iOS開發、C/C++、.NET、Linux、MySQL、Oracle、NoSQL非關係型數據庫、運維等。
