摘要: 我们利用ehcache缓存ticket,就是缓存tgt(ticket granting ticket),st(service ticket)。那么这两类ticket有什么不同呢?
我们利用ehcache缓存ticket,就是缓存tgt(ticket granting ticket),st(service ticket)。那么这两类ticket有什么不同呢?
根据cas的基本原理,我们知道tgt就是cas发放给用户的,并写入cookie中,用于访问下一个应用进行验证的,它的生命周期相比是非常长的;st是在认证过程中cas服务器发放给应用端的认证凭证,而后应用通过URLConnection与cas服务端进行再交互认证其合法性,认证之后,cas服务端会将其消毁,生命周期非常的短。
当我们在集群环境中,用这种方式进行ticket存储的时候,必须注意两种ticket的异同。
1.tgt须长保留时间; 2.st生命周期很短; 3.在集群环境下,st的复制要及时; 4.当数据超过一定量,tgt可能需要进行硬盘持久化。
ehcache进行ticket缓存,配置内容修改,(这里不考虑集群的情况,只是针对单机的cas应用服务器)步骤如下:
1.找到cas/webapp/WEB-INF/spring-configuration/ticketRegistry.xml文件
(对于cas spring配置文件,可参看cas入门之二spring配置文件);
2.删除里面所有bean;
3.增加如下bean:
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> <property name="configLocation" value="classpath:ehcache-replicated.xml" /> <property name="shared" value="false" /> <property name="cacheManagerName" value="ticketRegistryCacheManager" /> </bean> <bean id="ticketRegistry" class="org.jasig.cas.ticket.registry.EhCacheTicketRegistry" p:serviceTicketsCache-ref="serviceTicketsCache" p:ticketGrantingTicketsCache-ref="ticketGrantingTicketsCache" /> <bean id="abstractTicketCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" abstract="true"> <property name="cacheManager" ref="cacheManager" /> <property name="diskExpiryThreadIntervalSeconds" value="0" /> <property name="diskPersistent" value="false" /> <property name="eternal" value="false" /> <property name="maxElementsInMemory" value="10000" /> <property name="maxElementsOnDisk" value="0" /> <property name="memoryStoreEvictionPolicy" value="LRU" /> <property name="overflowToDisk" value="false" /> <property name="bootstrapCacheLoader"> <ref local="ticketCacheBootstrapCacheLoader"/> </property> </bean> <bean id="serviceTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" parent="abstractTicketCache"> <description> Service Tickets (ST) and Proxy Tickets are only valid for short amount of time (default is 10 seconds), and most often are removed from the cache when the ST is validated. The ST cache must be replicated quickly since validation is expected within a few second after its creation. The CAS instance validating the ST may not be one that created the ST, since validation is a back-channel service-to-CAS call that is not aware of user session affinity. Synchronous mode is used to ensure all CAS nodes can validate the ST. </description> <property name="cacheName" value="org.jasig.cas.ticket.ServiceTicket" /> <property name="cacheEventListeners"> <ref local="ticketRMISynchronousCacheReplicator"/> </property> <!-- The maximum number of seconds an element can exist in the cache without being accessed. The element expires at this limit and will no longer be returned from the cache. The default value is 0, which means no TTI eviction takes place (infinite lifetime). --> <property name="timeToIdle" value="0" /> <!-- The maximum number of seconds an element can exist in the cache regardless of use. The element expires at this limit and will no longer be returned from the cache. The default value is 0, which means no TTL eviction takes place (infinite lifetime). --> <property name="timeToLive" value="300" /> </bean> <bean id="ticketGrantingTicketsCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean" > <description> Ticket Granting Tickets (TGT) are valid for the lifetime of the SSO Session. They become invalid either by expiration policy (default 2 hours idle, 8 hours max) or by explicit user sign off via /cas/login. The TGT cache can be replicated slowly because TGT are only manipulated via web user started operations (mostly grant service ticket) and thus benefit of web session affinity. </description> <property name="cacheName" value="org.jasig.cas.ticket.TicketGrantingTicket" /> <property name="cacheEventListeners"> <ref local="ticketRMIAsynchronousCacheReplicator"/> </property> <!-- The maximum number of seconds an element can exist in the cache regardless of use. The element expires at this limit and will no longer be returned from the cache. The default value is 0, which means no TTL eviction takes place (infinite lifetime). For this sample configuration, 2 hours of inactivity before ticket granting tickets are expired automatically --> <property name="timeToIdle" value="7201" /> <!-- The maximum number of seconds an element can exist in the cache without being accessed. The element expires at this limit and will no longer be returned from the cache. The default value is 0, which means no TTI eviction takes place (infinite lifetime). --> <property name="timeToLive" value="0" /> </bean> <bean id="ticketRMISynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMISynchronousCacheReplicator"> <constructor-arg name="replicatePuts" value="true"/> <constructor-arg name="replicatePutsViaCopy" value="true"/> <constructor-arg name="replicateUpdates" value="true"/> <constructor-arg name="replicateUpdatesViaCopy" value="true"/> <constructor-arg name="replicateRemovals" value="true"/> </bean> <bean id="ticketRMIAsynchronousCacheReplicator" class="net.sf.ehcache.distribution.RMIAsynchronousCacheReplicator" parent="ticketRMISynchronousCacheReplicator"> <constructor-arg name="replicationInterval" value="10000"/> <constructor-arg name="maximumBatchSize" value="100"/> </bean> <bean id="ticketCacheBootstrapCacheLoader" class="net.sf.ehcache.distribution.RMIBootstrapCacheLoader"> <constructor-arg name="asynchronous" value="true"/> <constructor-arg name="maximumChunkSize" value="5000000"/> </bean>
4.ehcache-replicated.xml文件内容:
<ehcache name="ehCacheTicketRegistryCache" updateCheck="false" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://ehcache.org/ehcache.xsd"> <diskStore path="java.io.tmpdir/cas"/> <cacheManagerPeerProviderFactory class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory" properties="peerDiscovery=manual, rmiUrls=//localhost:40001/org.jasig.cas.ticket.ServiceTicket|//localhost:40001/org.jasig.cas.ticket.TicketGrantingTicket" /> <cacheManagerPeerListenerFactory class="net.sf.ehcache.distribution.RMICacheManagerPeerListenerFactory" properties="port=40001" /> </ehcache>
5.加入cas-server-integration-ehcache-3.5.2.jar
ehcache-core.jar
6.至此配置完毕。
上面的一些bean我是直接从cas 的项目中直接拿过来了,并且已经经过本地测试。在这个配置中我们会发现tgt与st的缓存策略是不同的,并且没有了ticket cleaner,因为用ehcache,我们已经不再需要它了。
热点内容
发表评论(对文章涉及的知识点还有疑问,可以在这里留言,老高看到后会及时回复的。)