Hi,

We are successfully able to log out of CAS. But we are in the process of a 
seamless redirection of the CAS logout to the application again. We are also 
able to achieve this by configuring the url parameter of /cas/logout to 
point to the application URL.

Our Spring has been configured with the service URL as 
https://APPURL/j_spring_cas_security_check for ServiceProperties, referred to by 
the casProcessingFilterEntryPoint. So the request is further redirected to the 
CAS login page configured as the loginUrl in the spring.xml.

A strange thing I notice is with the cookies in HttpFox, which shows the call 
of /cas/logout as below.

Cookie sent:

  CASTGC  TGT-8-nnnUWE4IytFrwJX6LZfmSHu3RF7CmBewwEJPOohCtexzRnTLAQ-cas01.example.org  End Of Session

Cookie received:

  CASTGC  TGT-8-nnnUWE4IytFrwJX6LZfmSHu3RF7CmBewwEJPOohCtexzRnTLAQ-cas01.example.org  /cas-server-webapp-3.5.1  End Of Session
  CASTGC  ""  /cas-server-webapp-3.5.1/  Thu, 01-Jan-1970 00:00:10 GMT
  CASPRIVACY  ""  /cas-server-webapp-3.5.1/  Thu, 01-Jan-1970 00:00:10 GMT

There is a redirect to the /login page of CAS after this, which shows the 
existence of the CASTGC cookie still in the browser, which ideally should not 
be. I am not sure why this redirection to the /login page happens, and I also 
suppose this might be a cause of the issue. To trace the flow, I debugged CAS 
and I could see the following exception:

java.lang.IllegalStateException: No active FlowSession to access; this FlowExecution has ended

It looks like the InitialFlowSetupAction is either not setting the configured 
service in Flowscope or there is some problem due to the call of /login page 
which interrupts the flow. 

I am looking for a solution to the following:

1. Is there any workaround so that I need not close my browser after logging 
out, which will give a seamless experience?

2. Does the LogoutController invoked on a call to /logout clear the cookies 
on the browser side as well? If so, what am I missing that makes me still see 
the cookie there?

Please provide guidance. I have attached the Spring config we are using. If 
any change is needed, please suggest it.

Thanks,
Mckenzie

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:util="http://www.springframework.org/schema/util"
	xmlns:p="http://www.springframework.org/schema/p"
	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
						http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
						http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
	
    <!-- ********************************************************************************************** -->
    <!-- Authentication configuration                                                                                                 -->
    <!-- ********************************************************************************************** -->

    <!-- This bean is the main entry point of the Spring Security Filter and a critical configuration point.
            Filters referenced here are defined below. -->
    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/j_spring_cas_security_logout"
                                   filters="requestSingleLogoutFilter, singleLogoutFilter"/>
        </security:filter-chain-map>
    </bean>

  
  
	

	<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    	<property name="service" value="https://appURL/j_spring_cas_security_check"/>
    	<property name="sendRenew" value="false"/>
  	</bean>
  	
  	<bean id="casProcessingFilterEntryPoint" class="com.blah.sso.security.filters.cas.CasAuthenticationEntryPoint">	  
  	  <property name="loginUrl"><value>https://CASserverURL/cas-server-webapp-3.5.1/login</value></property>
	  <property name="serviceProperties"><ref bean="serviceProperties"/></property>
	</bean>	
	
	<!-- Cross Checked with  for Spring Security 3 Compatibility -->
	<bean id="casProcessingFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
	    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
	    <property name="authenticationSuccessHandler">
            <bean class="com.blah.CasAuthenticationSuccessHandler">
                <property name="UserManager" ref="userManagerImpl" />
                <property name="defaultTargetUrl" value="/index.jspa"/>
            </bean>
        </property>
        <property name="authenticationFailureHandler" ref="exceptionMappingFailureHandler" />
	    <property name="filterProcessesUrl"><value>/j_spring_cas_security_check</value></property>
	</bean>
	
	<bean id="exceptionMappingFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
        <property name="exceptionMappings" ref="exceptionMappings"/>
        <property name="defaultFailureUrl" value="/securityException.jsp"/>
    </bean>
		
	<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
	  <property name="providers">
	    <list>
	      <ref bean="casAuthenticationProvider"/>
	    </list>
	  </property>
	</bean>
	
	<bean id="casAuthenticationProvider" class="com.blah.sso.security.filters.cas.CasAuthenticationProvider">
	  <property name="serviceProperties" ref="serviceProperties" />
      <property name="ticketValidator">
      		<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
        		<constructor-arg index="0" value="https://CASserverURL/cas-server-webapp-3.5.1/"/>
      		</bean>
      </property>
	  <property name="key"><value>changeit</value></property>
	  <property name="authenticationUserDetailsService"><ref bean="authenticationUserDetailsService"/></property>
	</bean>
    
    <bean id="authenticationUserDetailsService" class="com.blah.CasUserDetailsService" >
    	<property name="UserManager" ref="userManagerImpl"/>
	</bean>
	
	<!-- AuthenticationExceptions punt to the auth entry point. If a user is not authenticated
            by a filter in the chain, they will be redirected to the entry point configured
            here. -->
    <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/>
    </bean>
  
	

 <bean id="customLogoutHandler" class="com.blah.sso.logout.CustomLogoutHandler">
 </bean>
	
	

  <!-- This filter handles a Single Logout Request from the CAS Server -->
  <bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
  <!-- This filter redirects to the CAS Server to signal Single Logout should be performed -->
  <bean id="requestSingleLogoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="https://CASserverURL/cas-server-webapp-3.5.1/logout?url=https://appURL/"/>
    <constructor-arg>
      <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/>
  </bean>
       	
	<!--  CAS Changes End -->	
	
</beans>
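
An added example, not part of the original post or of CAS: a minimal JavaScript model of browser cookie storage per RFC 6265, run on constructed headers that reuse the two cookie paths from the HttpFox listing (with and without the trailing slash). It assumes the session CASTGC was stored under the path without the trailing slash; the host name, ticket value and function names are made up for the illustration.

```javascript
// Minimal model of browser cookie storage (RFC 6265, sections 5.1.4 and 5.3): a cookie is
// keyed by name + domain + path, so an expired Set-Cookie removes only an exact match.
const HOST = "cas.example.invalid"; // placeholder host (assumption)

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1).replace(/^"(.*)"$/, "$1"),
    path: "/",     // simplification: real browsers derive a default path
    expires: null, // null means session cookie
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "path" && val.startsWith("/")) cookie.path = val;
    // Normalise "01-Jan-1970" to "01 Jan 1970" so Date parses it reliably.
    if (key === "expires") cookie.expires = new Date(val.replace(/-/g, " "));
  }
  return cookie;
}

function applySetCookie(store, header, now) {
  const c = parseSetCookie(header);
  const key = [c.name, HOST, c.path].join("|");
  store.delete(key); // only an identical name/domain/path is replaced
  if (c.expires === null || c.expires > now) store.set(key, c);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Cookies the browser would attach to /login after the logout response.
function cookiesAfterLogout(deletionPath) {
  const store = new Map();
  const now = new Date("2013-01-01T00:00:00Z"); // constructed clock
  const expired = `Path=${deletionPath}; Expires=Thu, 01-Jan-1970 00:00:10 GMT`;
  applySetCookie(store, "CASTGC=TGT-constructed; Path=/cas-server-webapp-3.5.1", now);
  applySetCookie(store, `CASTGC=""; ${expired}`, now);
  applySetCookie(store, `CASPRIVACY=""; ${expired}`, now);
  return [...store.values()]
    .filter((c) => pathMatches("/cas-server-webapp-3.5.1/login", c.path))
    .map((c) => `${c.name}=${c.value}`);
}
```

Called with the trailing-slash deletion path, `cookiesAfterLogout` still returns the live CASTGC for the /login request; called with a path identical to the stored one, it returns an empty list.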
