From eb65d69e072c69e916d980b0669653e38934de8f Mon Sep 17 00:00:00 2001
From: yzyunzhang
Date: Mon, 22 May 2023 00:33:57 +0000
Subject: [PATCH] =?UTF-8?q?:zap:=20=E5=A2=9E=E5=8A=A0CAS=E7=99=BB=E5=87=BA?=
 =?UTF-8?q?=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../protocol/cas/idp/CasIdpConfigurer.java | 7 ++
 .../CasIdpSingleSignOutEndpointFilter.java | 101 ++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/endpoint/CasIdpSingleSignOutEndpointFilter.java

diff --git a/eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/CasIdpConfigurer.java b/eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/CasIdpConfigurer.java
index 95005508..a08f8c55 100644
--- a/eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/CasIdpConfigurer.java
+++ b/eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/CasIdpConfigurer.java
@@ -35,6 +35,7 @@ import cn.topiam.employee.protocol.cas.idp.auth.CentralAuthenticationService;
 import cn.topiam.employee.protocol.cas.idp.endpoint.Cas10IdpValidateEndpointFilter;
 import cn.topiam.employee.protocol.cas.idp.endpoint.Cas30IdpValidateEndpointFilter;
 import cn.topiam.employee.protocol.cas.idp.endpoint.CasIdpSingleSignOnEndpointFilter;
+import cn.topiam.employee.protocol.cas.idp.endpoint.CasIdpSingleSignOutEndpointFilter;
 import cn.topiam.employee.protocol.cas.idp.filter.CasAuthorizationServerContextFilter;
 import cn.topiam.employee.protocol.cas.idp.util.CasUtils;
 import static cn.topiam.employee.protocol.cas.idp.util.CasUtils.*;
@@ -60,6 +61,11 @@ public class CasIdpConfigurer> http.addFilterAfter(new CasIdpSingleSignOnEndpointFilter(applicationServiceLoader, centralAuthenticationService), UsernamePasswordAuthenticationFilter.class);
+ //CAS 登出过滤器
+ http.addFilterAfter(
+ new CasIdpSingleSignOutEndpointFilter(applicationServiceLoader, sessionRegistry),
+ CasIdpSingleSignOnEndpointFilter.class);
+ //cas 1.0 验证过滤器 http.addFilterBefore( new Cas10IdpValidateEndpointFilter(applicationServiceLoader, sessionRegistry,
@@ -83,6 +89,7 @@ public class CasIdpConfigurer>
 requestMatchers.add(CasIdpSingleSignOnEndpointFilter.getRequestMatcher());
 requestMatchers.add(Cas30IdpValidateEndpointFilter.getRequestMatcher());
 requestMatchers.add(Cas10IdpValidateEndpointFilter.getRequestMatcher());
+ requestMatchers.add(CasIdpSingleSignOutEndpointFilter.getRequestMatcher());
 return new OrRequestMatcher(requestMatchers);
 }
 }
diff --git a/eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/endpoint/CasIdpSingleSignOutEndpointFilter.java b/eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/endpoint/CasIdpSingleSignOutEndpointFilter.java
new file mode 100644
index 00000000..ce71acd3
--- /dev/null
+++ b/eiam-protocol/eiam-protocol-cas/src/main/java/cn/topiam/employee/protocol/cas/idp/endpoint/CasIdpSingleSignOutEndpointFilter.java
@@ -0,0 +1,101 @@
+/*
+ * eiam-protocol-cas - Employee Identity and Access Management Program
+ * Copyright © 2020-2023 TopIAM (support@topiam.cn)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+package cn.topiam.employee.protocol.cas.idp.endpoint;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import org.springframework.boot.web.servlet.filter.OrderedFilter;
+import org.springframework.core.Ordered;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import cn.topiam.employee.application.ApplicationService;
+import cn.topiam.employee.application.ApplicationServiceLoader;
+import cn.topiam.employee.application.cas.CasApplicationService;
+import cn.topiam.employee.application.cas.model.CasSsoModel;
+import cn.topiam.employee.application.context.ApplicationContext;
+import cn.topiam.employee.application.context.ApplicationContextHolder;
+import cn.topiam.employee.common.constants.ProtocolConstants;
+import 
cn.topiam.employee.core.context.ServerContextHelp;
+
+import lombok.RequiredArgsConstructor;
+import static cn.topiam.employee.common.constants.AuthorizeConstants.FE_LOGIN;
+import static cn.topiam.employee.protocol.cas.idp.constant.ProtocolConstants.SERVICE;
+
+/**
+ * @author yunzhang
+ */
+@RequiredArgsConstructor
+public class CasIdpSingleSignOutEndpointFilter extends OncePerRequestFilter
+ implements OrderedFilter {
+
+ private static final RequestMatcher REQUEST_MATCHER = new AntPathRequestMatcher(
+ ProtocolConstants.CasEndpointConstants.CAS_LOGOUT_PATH);
+
+ private final ApplicationServiceLoader applicationServiceLoader;
+
+ private final SessionRegistry sessionRegistry;
+
+ @Override
+ public int getOrder() {
+ return Ordered.LOWEST_PRECEDENCE;
+ }
+
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+ FilterChain filterChain) throws ServletException, IOException {
+ if (REQUEST_MATCHER.matches(request) && HttpMethod.GET.matches(request.getMethod())) {
+
+ //获取应用配置
+ ApplicationContext applicationContext = ApplicationContextHolder
+ .getApplicationContext();
+ ApplicationService applicationService = applicationServiceLoader
+ .getApplicationService(applicationContext.getAppTemplate());
+ CasSsoModel casSsoModel = ((CasApplicationService) applicationService)
+ .getSsoModel(applicationContext.getAppId());
+
+ //登出用户
+ HttpSession session = request.getSession(false);
+ if (session != null) {
+ sessionRegistry.removeSessionInformation(session.getId());
+ }
+
+ String service = request.getParameter(SERVICE);
+ //all service urls be filtered via the service management tool
+ if (service != null && service.equals(casSsoModel.getClientServiceUrl())) {
+ response.sendRedirect(service);
+ } else {
+ //跳转登录
+ response.sendRedirect(ServerContextHelp.getPortalPublicBaseUrl() + FE_LOGIN);
+ }
+ }
+ }
+
+ public static RequestMatcher getRequestMatcher() {
+ return REQUEST_MATCHER;
+ }
+}
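Review bot: In doFilterInternal the logout only calls `sessionRegistry.removeSessionInformation(session.getId())`; the HttpSession itself is never invalidated and the security context is not cleared, so unless another filter in the chain does this (not visible here) the user's IdP login survives a request to the logout endpoint and a later SSO request would likely still be served from the same session. I would add `session.invalidate();` directly after the registry call (and `SecurityContextHolder.clearContext();` if this module keeps the Spring Security context, which needs an import). The application lookup and the `(CasApplicationService) applicationService` cast run before the session is touched, so a missing ApplicationContext or a non-CAS template aborts with an exception before any logout work is done; moving the `HttpSession` block ahead of the lookup, or guarding the cast, would make the logout take effect regardless of the redirect target. The exact `equals` check against `casSsoModel.getClientServiceUrl()` before redirecting to `service` is a sound allow-list and should keep its comment. The class Javadoc only carries `@author`; a one-line summary such as `CAS single sign-out endpoint: removes the caller's session from the registry and redirects to the registered service URL or to the portal login page` would help the next reader.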