1 錯誤場景
cas session 超時問題:XMLHttpRequest cannot loadhttps://www.hf.com:8443/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fvms%2Fcheck%2FfindPendingCheck%2F. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost:8080’ is therefore not allowed access.
部署問題:用nginx封裝,service攜帶不過來。
2 cas 針對session超時設置
cas對於session超時設置,可以設置文件cas\WEB-INF\spring-configuration\ticketExpirationPolicies.xml 進行設置,如下所示:
- <bean id=“grantingTicketExpirationPolicy” class=“org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy”>
- <property name=“sessionExpirationPolicy”>
- <bean class=“org.jasig.cas.ticket.support.TimeoutExpirationPolicy”>
- <constructor-arg index=“0” value=“20000” />
- </bean>
- </property>
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.RememberMeDelegatingExpirationPolicy">
<property name="sessionExpirationPolicy">
<bean class="org.jasig.cas.ticket.support.TimeoutExpirationPolicy">
<constructor-arg index="0" value="20000" />
</bean>
</property>
- <bean id=“serviceTicketExpirationPolicy” class=“org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy”>
- <!– This argument is the number of times that a ticket can be used before its considered expired. –>
- <constructor-arg
- index=“0”
- value=“1” />
- <!– This argument is the time a ticket can exist before its considered expired. –>
- <constructor-arg
- index=“1”
- value=“20000” />
- </bean>
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
<!-- This argument is the number of times that a ticket can be used before its considered expired. -->
<constructor-arg
index="0"
value="1" />
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="1"
value="20000" />
</bean>
上述兩個bean中,設置爲20000毫秒(設置超時單位爲毫秒),上述另個bean的機制就如同session機制一樣,當用戶沒有與服務器的交互超過20秒,點擊url,便會自動轉到登錄界面。單只是設置這一點是不夠的,會有問題的。
問題:當你的項目中也有對session的設置,以及對session時間的設置的時候,只設置cas的session超時是不管事的。
3 配置完畢,對於ajax請求出現的錯誤
問題的解決:所以我們需要把項目中session超時的時間和cas session超時的時間設置爲一致,因爲cas對session超時的處理,是在cas-client-core-3.2.1.jar 包中,而cas的客戶端是和項目放在一起的,所以對session處理機制是一樣的。
當然上述的處理一般情況下是沒有問題的,但當遇到ajax請求,就不可以了,會報如下錯誤:
XMLHttpRequest cannot load https://www.hf.com:8443/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fvms%2Fcheck%2FfindPendingCheck%2F. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost:8080’ is therefore not allowed access.
千萬別被Origin矇蔽,開始定位錯誤定位在跨域問題,因爲網上查找說也是跨域問題,而實際上對於非ajax請求,cas攔截處理後是可以跳轉到登錄頁面的,這說明了是可以請求給cas的,只不過cas對ajax的請求無法做出session失效的處理,這怎麼辦呢?只能去改CAS源碼了。不知道是cas矮,還是自己太矮了。。。
4 修改CAS源碼,解決上述問題
經過查看錯誤日誌,找到cas打印日誌的地方,找到cas處理session的方法,修改的是/CAS_Client/src/org/jasig/cas/client/authentication/AuthenticationFilter.Java這個java類。修改的doFilter方法如下所示。
- public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
- final HttpServletRequest request = (HttpServletRequest) servletRequest;
- final HttpServletResponse response = (HttpServletResponse) servletResponse;
- final HttpSession session = request.getSession(false);
- final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;
- if (assertion != null) {
- filterChain.doFilter(request, response);
- return;
- }
- final String serviceUrl = constructServiceUrl(request, response);
- final String ticket = CommonUtils.safeGetParameter(request,getArtifactParameterName());
- final boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);
- if (CommonUtils.isNotBlank(ticket) || wasGatewayed) {
- filterChain.doFilter(request, response);
- return;
- }
- final String modifiedServiceUrl;
- log.debug(”no ticket and no assertion found”);
- if (this.gateway) {
- log.debug(”setting gateway attribute in session”);
- modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
- } else {
- modifiedServiceUrl = serviceUrl;
- }
- if (log.isDebugEnabled()) {
- log.debug(”Constructed service url: ” + modifiedServiceUrl);
- }
- final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);
- if (log.isDebugEnabled()) {
- log.debug(”redirecting to \”“ + urlToRedirectTo + “\”“);
- }
- log.debug(”判斷拼接的過程,參數, 最終拼接好的地址爲: \”“ + urlToRedirectTo + “\”“);
- //response.sendRedirect(urlToRedirectTo);
- String url = request.getRequestURL().toString();
- log.debug(”url——request.getRequestURL().toString()=———:” + url);
- String contextPath = request.getContextPath();
- log.debug(”contextPath ———request.getContextPath()=——-:” + contextPath);
- url = url.substring(0, (url.indexOf(contextPath)+contextPath.length()));
- log.debug(”url = ——session消失,截取到項目的url—” + url);
- String urls = urlToRedirectTo;
- //判斷是否是第一次轉到.
- if(“”.equals(url)||url==null||url.length()==0){
- log.debug(”url–第一次爲空,不截取—–” + url);
- urls = urlToRedirectTo;
- //response.sendRedirect(urlToRedirectTo);
- }else{
- urls = urls.substring(0, (urls.indexOf(“service=”)+8)) + URLEncoder.encode(url,“UTF-8”);
- }
- log.debug(”urls –最終輸入到瀏覽器的地址是———–” + urls);
- response.setContentType(”text/html;charset=UTF-8”);
- response.getWriter().write(”<script languge=’javascript’>window.location.href=’”+urls+“/’</script>”);
- }
public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
final HttpServletRequest request = (HttpServletRequest) servletRequest;
final HttpServletResponse response = (HttpServletResponse) servletResponse;
final HttpSession session = request.getSession(false);
final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;
if (assertion != null) {
filterChain.doFilter(request, response);
return;
}
final String serviceUrl = constructServiceUrl(request, response);
final String ticket = CommonUtils.safeGetParameter(request,getArtifactParameterName());
final boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceUrl);
if (CommonUtils.isNotBlank(ticket) || wasGatewayed) {
filterChain.doFilter(request, response);
return;
}
final String modifiedServiceUrl;
log.debug("no ticket and no assertion found");
if (this.gateway) {
log.debug("setting gateway attribute in session");
modifiedServiceUrl = this.gatewayStorage.storeGatewayInformation(request, serviceUrl);
} else {
modifiedServiceUrl = serviceUrl;
}
if (log.isDebugEnabled()) {
log.debug("Constructed service url: " + modifiedServiceUrl);
}
final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl, getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);
if (log.isDebugEnabled()) {
log.debug("redirecting to \"" + urlToRedirectTo + "\"");
}
log.debug("判斷拼接的過程,參數, 最終拼接好的地址爲: \"" + urlToRedirectTo + "\"");
//response.sendRedirect(urlToRedirectTo);
String url = request.getRequestURL().toString();
log.debug("url------request.getRequestURL().toString()=---------:" + url);
String contextPath = request.getContextPath();
log.debug("contextPath ---------request.getContextPath()=-------:" + contextPath);
url = url.substring(0, (url.indexOf(contextPath)+contextPath.length()));
log.debug("url = ------session消失,截取到項目的url---" + url);
String urls = urlToRedirectTo;
//判斷是否是第一次轉到.
if("".equals(url)||url==null||url.length()==0){
log.debug("url--第一次爲空,不截取-----" + url);
urls = urlToRedirectTo;
//response.sendRedirect(urlToRedirectTo);
}else{
urls = urls.substring(0, (urls.indexOf("service=")+8)) + URLEncoder.encode(url,"UTF-8");
}
log.debug("urls --最終輸入到瀏覽器的地址是-----------" + urls);
response.setContentType("text/html;charset=UTF-8");
response.getWriter().write("<script languge='javascript'>window.location.href='"+urls+"/'</script>");
}
這樣不但解決了cas對ajax地址處理,並且解決了另一個問題,因爲最初的改動不是上述的代碼,中間出現了一個小插曲,部署的時候出現的bug,登錄時service參數攜帶不過來。當我們把項目部署到Linux上時,用nginx代理,並配置tomcat的sever.xml文件封裝項目名稱, 則樣,域名“封裝”了ip+端口號+項目名稱,用戶不需要再輸入項目名稱了。所以代碼中對用戶第一次登錄做判斷,判斷是否是第一次登錄還是session失效調用的這個方法,這樣就解決了nginx代理出現的問題了。
5 總結
錯誤未出現時:黑暗前的黎明
錯誤出現時:電閃雷鳴
錯誤解決中:時間就像過火車
錯誤解決完畢:原來神馬都是浮雲啊
方法上:這個過程就像是你回到家發現鑰匙丟在路上了,找到開門的鑰匙,要一步一個腳印的去找,對了一步再進行下一步,到底是哪一步找到了鑰匙?到底是哪一步,找到了錯誤?要相信,你永遠被錯誤幹不掉,只是你又幹掉了錯誤。是一次又一次的錯誤在改變你,而錯誤永遠變不了,就像倉央嘉措的那首情詩,《見或不見》.
bug對我的感情上:你見,或者不見我;我就在那裏;不悲不喜;你念,或者不念我;情就在那裏;不來不去;你愛,或者不愛我;愛就在那裏;不增不減;你跟,或者不跟我;我的手就在你的手裏;不捨不棄;來我的懷裏;或者讓我住進你的心裏;默然,相愛;寂靜,歡喜;