CAS ST and TGT Tickets: Expiration Policy Details

Reprinted from: http://blog.yoodb.com/yoodb/article/detail/1225

        The ticket is the core concept of CAS, and CAS is largely a series of logic operations on tickets. The main CAS tickets are TGT, ST, PGT, PGTIOU, and PT. TGT and ST are the tickets of the CAS 1.0 protocol; PGT, PGTIOU, and PT are the tickets added in the CAS 2.0 protocol. The latest version of CAS is currently CAS 4.0. CAS is divided into two parts, the server and the client. Briefly, the CAS authentication process is:

1) The user accesses cas-client, is intercepted and redirected to the cas-server login page, and enters the correct user information.

2) After a successful login, cas-server issues the TGC cookie and writes it to the browser. It also generates a TGT object in its own cache; the TGT object's ID is the value of the cookie. The browser is then redirected back to cas-client, carrying an ST.

cas-client finds the ST and presents it to cas-server for validation; if validation succeeds, the user name information is returned.

3) Login to cas-client has now succeeded. When the user visits another client, cas-client2, the request is again intercepted and redirected to cas-server, which uses the ID value in the TGC to find the TGT object, verifies it directly, and issues an ST for cas-client2.


TGT and ST Terminology

•  TGT (Ticket Granting Ticket)

        The TGT is the login ticket that CAS issues to a user; holding a TGT proves that the user has successfully logged in to CAS. The TGT encapsulates the cookie value and the user information corresponding to that cookie value. After the user authenticates successfully, CAS generates a cookie (called the TGC) and writes it to the browser, and at the same time generates a TGT object and places it in its own cache; the TGT object's ID is the value of the cookie. When a later HTTP request arrives carrying the cookie generated by CAS, CAS uses the cookie value as the key to look up the TGT in its cache. If a TGT is found, the user has already logged in; if not, the user must log in again.

•  ST (Service Ticket)

        The ST is the ticket that CAS issues to a user for access to one particular service. When a user accesses a service and the service finds that the user has no ST, it requires the user to obtain an ST from CAS. The user sends CAS a request for an ST; if the request contains the user's cookie, CAS uses this cookie as the key to look up the TGT in its cache, and if the TGT exists, CAS uses it to issue an ST, which is returned to the user. The user then accesses the service with the ST; the service takes the ST to CAS for validation, and once validation succeeds, the user is allowed to access the resource.


With the meaning of the TGT and ST tickets briefly introduced above, we now turn to their expiration policies. Open the cas-server project and find the ticketExpirationPolicies.xml configuration file; its contents are as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:
      http://www.apache.org/licenses/LICENSE-2.0
    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c" xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">
    <description>
        Assignment of expiration policies for the different tickets generated by CAS including ticket granting ticket
        (TGT), service ticket (ST), proxy granting ticket (PGT), and proxy ticket (PT).
        These expiration policies determine how long the ticket they are assigned to can be used and even how often they
        can be used before becoming expired / invalid.
    </description>
    <!-- Expiration policies -->
    <util:constant id="SECONDS" static-field="java.util.concurrent.TimeUnit.SECONDS"/>
    <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
          c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/>
    <!-- TicketGrantingTicketExpirationPolicy: Default as of 3.5 -->
    <!-- Provides both idle and hard timeouts, for instance 2 hour sliding window with an 8 hour max lifetime -->
    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
          p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/>
</beans>


TGT expiration configuration: the default timeout is two hours. The TGT expires when the user has been idle for two hours (7200 seconds), or when the user has kept using the system for more than 8 hours (28,800 seconds). The specific configuration is as follows:

    <bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
          p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
          p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/>
</beans>


ST expiration configuration: the default timeout is 10 seconds. An ST expires once it has been used one time, or once more than 10 seconds have passed. The specific configuration is as follows:

    <bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy"
          c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}" c:timeUnit-ref="SECONDS"/>
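
The TGT and ST rules described above, as an added Python example (not code from the original post or from the CAS project): it reads the effective values from a trimmed copy of ticketExpirationPolicies.xml, resolving each ${property:default} placeholder, and then models when a ticket counts as expired. The helper names, the dictionary keys, and the use of >= at the boundaries are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
P = "{http://www.springframework.org/schema/p}"
C = "{http://www.springframework.org/schema/c}"

# Constructed sample: the page's two policy beans, trimmed to the attributes used here.
CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:c="http://www.springframework.org/schema/c">
  <bean id="serviceTicketExpirationPolicy"
        c:numberOfUses="1" c:timeToKill="${st.timeToKillInSeconds:10}"/>
  <bean id="grantingTicketExpirationPolicy"
        p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
        p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/>
</beans>"""

def resolve(value, props):
    """Resolve '${key:default}': a property override wins, else the inline default."""
    m = re.fullmatch(r"\$\{([^:}]+)(?::([^}]*))?\}", value)
    if not m:
        return int(value)  # plain literal such as numberOfUses="1"
    return int(props.get(m.group(1), m.group(2)))

def load_policies(xml_text, props=None):
    """Return the effective ST/TGT limits in seconds (hypothetical key names)."""
    props = props or {}
    beans = {b.get("id"): b for b in ET.fromstring(xml_text).iter(BEANS + "bean")}
    st = beans["serviceTicketExpirationPolicy"]
    tgt = beans["grantingTicketExpirationPolicy"]
    return {
        "st_uses": resolve(st.get(C + "numberOfUses"), props),
        "st_ttl": resolve(st.get(C + "timeToKill"), props),
        "tgt_max": resolve(tgt.get(P + "maxTimeToLiveInSeconds"), props),
        "tgt_idle": resolve(tgt.get(P + "timeToKillInSeconds"), props),
    }

def tgt_expired(pol, created, last_used, now):
    """TGT: hard lifetime since creation OR idle time since last use."""
    return now - created >= pol["tgt_max"] or now - last_used >= pol["tgt_idle"]

def st_expired(pol, created, uses, now):
    """ST: allowed use count reached OR timeout since issue."""
    return uses >= pol["st_uses"] or now - created >= pol["st_ttl"]
```

With the defaults, an ST presented a second time is rejected even inside the 10-second window, and a TGT that is used continuously still ends at the 8-hour mark.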






Origin blog.csdn.net/afreon/article/details/53183157