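The memcached ticket registry uses a memcached client jar to connect to the memcached servers. A characteristic of memcached is that the servers do not replicate content between nodes, which is both its strength and its weakness. For example, suppose there are three memcached servers, m1, m2 and m3, and a single CAS server. When a user authenticates, tgt123 is generated; according to the hash algorithm, tgt123 should be stored on memcached node m2, while st123, the ST generated from tgt123, is stored on node m1. Suppose node m2 now becomes unavailable: the CAS server will no longer store tickets on m2, and requests that present ticket tgt123 will have to re-authenticate, which produces tgt456; according to the hash algorithm, it may be stored on node m3. When node m2 comes back online, the tgt123 stored on it is still valid, but no request will ever use it again, so it can only be dealt with by the ticket expiration policy.

In addition, tickets are sent from the CAS server to the memcached servers unencrypted; whether that is safe is something we have to weigh for ourselves. Of course, we can also send the tickets through an SSH encrypted tunnel (see http://m.udpwork.com/item/1125.html).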
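The failure scenario above, as an added simulation that is not part of the original article or of CAS/spymemcached: the `Registry` and `Node` classes, the SHA-256 based ring and the user name are constructed assumptions, and only the 28800-second TGT lifetime comes from the configuration on this page.

```python
import hashlib
from bisect import bisect

TGT_TTL = 28800  # TGT timeout in seconds, as in the bean configuration on this page

class Node:
    """Constructed stand-in for one memcached server: key -> (value, expires_at)."""
    def __init__(self, name):
        self.name, self.up, self.data = name, True, {}

class Registry:
    """Toy consistent-hash client (assumption: not spymemcached's real locator).
    Models failureMode=Redistribute by building the ring from live nodes only."""
    def __init__(self, names, vnodes=64):
        self.nodes = {n: Node(n) for n in names}
        self.vnodes = vnodes

    @staticmethod
    def _h(s):
        return int.from_bytes(hashlib.sha256(s.encode()).digest()[:4], "big")

    def node_for(self, key):
        ring = sorted((self._h(f"{n}-{i}"), n)
                      for n, node in self.nodes.items() if node.up
                      for i in range(self.vnodes))
        return self.nodes[ring[bisect(ring, (self._h(key), "")) % len(ring)][1]]

    def put(self, key, value, ttl, now):
        self.node_for(key).data[key] = (value, now + ttl)

    def get(self, key, now):
        value, expires_at = self.node_for(key).data.get(key, (None, 0))
        return value if expires_at > now else None

def demo():
    reg = Registry(["m1", "m2", "m3"])
    home = reg.node_for("tgt123")                 # node the hash picks for the TGT
    reg.put("tgt123", "alice", TGT_TTL, now=0)
    home.up = False                               # that node fails
    miss = reg.get("tgt123", now=60)              # rerouted to a live node: not found
    reg.put("tgt456", "alice", TGT_TTL, now=60)   # re-authentication issues a new TGT
    home.up = True                                # node rejoins with its old contents
    orphan = reg.get("tgt123", now=120)           # old TGT is still there and valid
    expired = reg.get("tgt123", now=TGT_TTL + 1)  # gone only after its TTL
    return home.name, miss, orphan, expired

if __name__ == "__main__":
    print(demo())
```

The `orphan` result is the point to note when choosing the TGT timeout: the stale ticket stays retrievable on the rejoined node until its expiry time passes.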
Steps to switch to memcached ticket storage:
(For the CAS Spring configuration files, see "CAS Getting Started, Part 2: Spring configuration files".)
Change
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.DefaultTicketRegistry" />
to
<bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.MemCacheTicketRegistry">
  <constructor-arg index="0" ref="memcachedClient" />
  <!-- TGT timeout in seconds -->
  <constructor-arg index="1" value="28800" />
  <!-- ST timeout in seconds -->
  <constructor-arg index="2" value="10" />
</bean>

<!-- For more parameters see http://code.google.com/p/spymemcached/wiki/SpringIntegration -->
<bean id="memcachedClient" class="net.spy.memcached.spring.MemcachedClientFactoryBean"
      p:servers="host1:11211,host2:11211,host3:11211"
      p:protocol="BINARY"
      p:locatorType="CONSISTENT"
      p:failureMode="Redistribute"
      p:transcoder-ref="kryoTranscoder">
  <property name="hashAlg">
    <util:constant static-field="net.spy.memcached.DefaultHashAlgorithm.${memcached.hashAlgorithm}" />
  </property>
</bean>

<bean id="kryoTranscoder" class="org.jasig.cas.ticket.registry.support.kryo.KryoTranscoder"
      init-method="initialize">
  <!-- initialBufferSize -->
  <constructor-arg index="0" value="8192" />
</bean>

<!--Quartz -->
<!-- TICKET REGISTRY CLEANER -->
<bean id="ticketRegistryCleaner" class="org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner"
      p:ticketRegistry-ref="ticketRegistry" />

<bean id="jobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean"
      p:targetObject-ref="ticketRegistryCleaner"
      p:targetMethod="clean" />

<bean id="triggerJobDetailTicketRegistryCleaner" class="org.springframework.scheduling.quartz.SimpleTriggerBean"
      p:jobDetail-ref="jobDetailTicketRegistryCleaner"
      p:startDelay="20000"
      p:repeatInterval="5000000" />
Tickets stored on the memcached nodes do expire, but expired tickets are handled by the memcached server nodes themselves, so there is no need to configure the ticket cleaner.
cas-server-integration-memcached-3.5.2.jar
spymemcached-xxx.jar
kryo-xxx.jar
mockito-core-xxx.jar