CAS Primer, Part 16: Ticket Storage Options, Ehcache Ticket Storage
Source: Internet  Posted by: xrd分析软件下载  Editor: 程序博客网  Time: 2024/04/30 04:34
We use Ehcache to cache tickets, that is, the TGT (ticket granting ticket) and the ST (service ticket). How do these two kinds of ticket differ?
From the basic principles of CAS we know that the TGT is issued by CAS to the user and written into a cookie; it is presented when the user goes on to access the next application and must be authenticated again, so its lifetime is comparatively long. The ST is the credential the CAS server issues to the application during authentication; the application then makes a further back-channel call to the CAS server (via URLConnection) to verify its validity, after which the CAS server destroys it, so its lifetime is very short.
When we use this storage scheme in a clustered environment, we must keep the differences between the two ticket types in mind:
1. the TGT must be retained for a long time;
2. the ST has a very short lifetime;
3. in a cluster, ST replication must be prompt;
4. once the data volume exceeds a certain size, TGTs may need to be persisted to disk.
To cache tickets with Ehcache, the configuration changes are as follows (clustering is not considered here; the steps target a single-node CAS application server):
1. Locate the file cas/webapp/WEB-INF/spring-configuration/ticketRegistry.xml
(for the CAS Spring configuration files, see CAS Primer, Part 2: the Spring configuration files);
2. Delete all beans in it;
3. Add the following beans:
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="configLocation" value="classpath:ehcache-replicated.xml" />
    <property name="shared" value="false" />
    <property name="cacheManagerName" value="ticketRegistryCacheManager" />
</bean>

<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.EhCacheTicketRegistry"
      p:serviceTicketsCache-ref="serviceTicketsCache"
      p:ticketGrantingTicketsCache-ref="ticketGrantingTicketsCache" />

<bean id="abstractTicketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" abstract="true">
    <property name="cacheManager" ref="cacheManager" />
    <property name="diskExpiryThreadIntervalSeconds" value="0" />
    <property name="diskPersistent" value="false" />
    <property name="eternal" value="false" />
    <property name="maxElementsInMemory" value="10000" />
    <property name="maxElementsOnDisk" value="0" />
    <property name="memoryStoreEvictionPolicy" value="LRU" />
    <property name="overflowToDisk" value="false" />
    <property name="bootstrapCacheLoader">
        <ref local="ticketCacheBootstrapCacheLoader"/>
    </property>
</bean>

<bean id="serviceTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" parent="abstractTicketCache">
    <description>
        Service Tickets (ST) and Proxy Tickets are only valid for a short amount of time (default is 10 seconds), and
        most often are removed from the cache when the ST is validated. The ST cache must be replicated quickly
        since validation is expected within a few seconds after its creation. The CAS instance validating the ST may
        not be the one that created the ST, since validation is a back-channel service-to-CAS call that is not aware of
        user session affinity. Synchronous mode is used to ensure all CAS nodes can validate the ST.
    </description>
    <property name="cacheName" value="org.jasig.cas.ticket.ServiceTicket" />
    <property name="cacheEventListeners">
        <ref local="ticketRMISynchronousCacheReplicator"/>
    </property>
    <!--
        The maximum number of seconds an element can exist in the cache without being accessed.
        The element expires at this limit and will no longer be returned from the cache.
        The default value is 0, which means no TTI eviction takes place (infinite lifetime).
    -->
    <property name="timeToIdle" value="0" />
    <!--
        The maximum number of seconds an element can exist in the cache regardless of use.
        The element expires at this limit and will no longer be returned from the cache.
        The default value is 0, which means no TTL eviction takes place (infinite lifetime).
    -->
    <property name="timeToLive" value="300" />
</bean>

<!-- parent="abstractTicketCache" added so the TGT cache uses the replicated cacheManager and bootstrap loader like the ST cache -->
<bean id="ticketGrantingTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" parent="abstractTicketCache">
    <description>
        Ticket Granting Tickets (TGT) are valid for the lifetime of the SSO session. They become invalid either
        by expiration policy (default 2 hours idle, 8 hours max) or by explicit user sign off via /cas/login.
        The TGT cache can be replicated slowly because TGTs are only manipulated via web user started operations
        (mostly grant service ticket) and thus benefit from web session affinity.
    </description>
    <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket" />
    <property name="cacheEventListeners">
        <ref local="ticketRMIAsynchronousCacheReplicator"/>
    </property>
    <!--
        The maximum number of seconds an element can exist in the cache without being accessed.
        The element expires at this limit and will no longer be returned from the cache.
        The default value is 0, which means no TTI eviction takes place (infinite lifetime).
        For this sample configuration, 2 hours of inactivity before ticket granting tickets
        are expired automatically.
    -->
    <property name="timeToIdle" value="7201" />
    <!--
        The maximum number of seconds an element can exist in the cache regardless of use.
        The element expires at this limit and will no longer be returned from the cache.
        The default value is 0, which means no TTL eviction takes place (infinite lifetime).
    -->
    <property name="timeToLive" value="0" />
</bean>

<bean id="ticketRMISynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMISynchronousCacheReplicator">
    <constructor-arg name="replicatePuts" value="true"/>
    <constructor-arg name="replicatePutsViaCopy" value="true"/>
    <constructor-arg name="replicateUpdates" value="true"/>
    <constructor-arg name="replicateUpdatesViaCopy" value="true"/>
    <constructor-arg name="replicateRemovals" value="true"/>
</bean>

<bean id="ticketRMIAsynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator"
      parent="ticketRMISynchronousCacheReplicator">
    <constructor-arg name="replicationInterval" value="10000"/>
    <constructor-arg name="maximumBatchSize" value="100"/>
</bean>

<bean id="ticketCacheBootstrapCacheLoader" class="net.sf.ehcache.distribution.RMIBootstrapCacheLoader">
    <constructor-arg name="asynchronous" value="true"/>
    <constructor-arg name="maximumChunkSize" value="5000000"/>
</bean>
4. Contents of ehcache-replicated.xml:
<ehcache name="ehCacheTicketRegistryCache"
         updateCheck="false"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd">
    <diskStore path="java.io.tmpdir/cas"/>
    <cacheManagerPeerProviderFactory
        class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
        properties="peerDiscovery=manual,
                    rmiUrls=//localhost:40001/org.jasig.cas.ticket.ServiceTicket|//localhost:40001/org.jasig.cas.ticket.TicketGrantingTicket" />
    <cacheManagerPeerListenerFactory
        class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory"
        properties="port=40001" />
</ehcache>
5. Add cas-server-integration-ehcache-3.5.2.jar
and ehcache-core.jar to the classpath;
6. That completes the configuration.
I took the beans above directly from the CAS project, and they have already been tested locally. In this configuration we can see that the TGT and ST cache policies differ, and that there is no ticket cleaner any more: with Ehcache we no longer need it.