Here is the explanation of the links and flow. Maybe this can help us
find the cause:

1) I click logout in my application, which calls /casLogout.jspa, which
invokes an action class to log out from the application. It appends
/j_spring_cas_security_logout to the redirected URL on successful
session invalidation of the application.

2) Now this URL pattern is what you see here
(https://appURL/j_spring_cas_security_logout). Now we use this
pattern to invoke the LogoutFilter (please see the spring.xml), which
has the SecurityContextLogoutHandler as the argument bean and also the
logout-successful redirection configured to call the
https://CASserver/cas-server-webapp-3.5.1/logout URL. This invokes the
logout controller, and my debug shows me the execution of the
handleRequestInternal method successfully and the removing-the-cookies
part getting executed, and I get the logout view but with the cookie.

Do you see any missing part here? Any idea why we are again getting
a login page? And also, is there anything wrong with the Spring
configs?

One more important thing I need to add is that we have a plugin in our
application which will always redirect any incoming request to CAS
once the session is invalid or it is an anonymous user trying to gain
access (with Anonymous authentication). You can help me in probing at
this angle as well.

Thanks,
Mckenzie

On Thu, Dec 20, 2012 at 7:27 AM, Scott Battaglia
<scott.battag...@gmail.com> wrote:
> I don't understand this:
> 00:00:01.351    0.088   670     167     GET     302     Redirect to:
> https://CASserver/cas-server-webapp-3.5.1/logout
> URL:https://appURL/j_spring_cas_security_logout
> - This invokes the Logout Filter (as per the spring config shared in
> the start of the thread) Now here is the STRANGE THING
>
> Calling /cas/logout doesn't go through a filter.  It's a Controller.  Can you
> elaborate?
>
>
>
> On Wed, Dec 19, 2012 at 9:32 AM, Mckenzie J <mck2...@gmail.com> wrote:
>>
>> Hi Scott, I have removed the redirect to the specified in the
>> constructor-arg of LogoutFilter. I accessed the appln again and watched
>> for the cookie transmission. PFA the Http Fox Observation:
>>
>>
>> Login
>> 00:09:59.108    0.129   883     206     POST    302     Redirect to:
>>
>> https://appURL/j_spring_cas_security_check?ticket=ST-24-2mO5yodZkuZQ2MH0c6PA-cas01.example.org
>>
>> URL:
>>
>> https://CASserver/cas-server-webapp-3.5.1/login;jsessionid=FA6B5B747837F7387A0501C8246FF7BF.node1?service=https://appURL/j_spring_cas_security_check
>>
>> CASTGC
>> TGT-22-vfqFQYn67nLrgPMfjdxnmnCgVbV3IhZ9QbRoQT5rivlpJddZgK-cas01.example.org
>> /cas-server-webapp-3.5.1/       CASserver       End
>> Of Session
>>
>> Logout
>>
>> 00:00:01.077    0.268   656     219     GET     302     Redirect to:
>> https://appURL/j_spring_cas_security_logout
>> URL:https://appURL/caslogout.jspa
>> - This calls an action class which will log me out of the underlying
>> application and redirect URL to /j_spring_cas_security_logout
>>
>>
>> 00:00:01.351    0.088   670     167     GET     302     Redirect to:
>> https://CASserver/cas-server-webapp-3.5.1/logout
>> URL:https://appURL/j_spring_cas_security_logout
>> - This invokes the Logout Filter (as per the spring config shared in
>> the start of the thread) Now here is the STRANGE THING
>>
>> PLEASE SEE THIS - I HAVE NO CLUE WHY THE LOGIN PAGE IS GETTING LOADED
>> HERE AND THIS HAS THE COOKIE SENT AND RECEIVED. How is the /logout
>> page making a call or redirect to the /login page?
>>
>> 00:00:01.544    0.093   565     169     GET     302     Redirect to:
>> https://CASserver/cas-server-webapp-3.5.1/login
>> URL:
>> https://CASserver/cas-server-webapp-3.5.1/css/images/header_background.png
>> Cookie Sent
>> CASTGC
>> TGT-22-vfqFQYn67nLrgPMfjdxnmnCgVbV3IhZ9QbRoQT5rivlpJddZgK-cas01.example.org
>> End
>> Of Session
>>
>> Cookie Received
>> CASTGC
>> TGT-22-vfqFQYn67nLrgPMfjdxnmnCgVbV3IhZ9QbRoQT5rivlpJddZgK-cas01.example.org
>> /cas-server-webapp-3.5.1        CASserver       End
>> Of Session
>>
>>
>> 00:00:01.638    0.036   619     2713    GET     200     text/html
>> (NS_IMAGELIB_ERROR_NO_DECODER)
>> https://CASserver/cas-server-webapp-3.5.1/login
>> Cookie sent
>> CASTGC
>> TGT-22-vfqFQYn67nLrgPMfjdxnmnCgVbV3IhZ9QbRoQT5rivlpJddZgK-cas01.example.org
>> End
>> Of Session
>>
>> Cookie received
>>
>> CASTGC
>> TGT-22-vfqFQYn67nLrgPMfjdxnmnCgVbV3IhZ9QbRoQT5rivlpJddZgK-cas01.example.org
>> /cas-server-webapp-3.5.1        CASserver       End
>> Of Session
>> CASTGC  ""      /cas-server-webapp-3.5.1/       CASserver       Thu,
>> 01-Jan-1970 00:00:10 GMT
>> CASPRIVACY      ""      /cas-server-webapp-3.5.1/       CASserver
>> Thu, 01-Jan-1970 00:00:10 GMT
>>
>> I am sure there is something to do with the /login page as I can see
>> TICKET_GRANTING_TICKET_DESTROYED in CAS logs. Also there is another
>> exception:
>> 2012-12-19 23:17:10,558 DEBUG [org.jasig.cas.util.HttpClient] -
>> <Attempting to access https://appURL/j_spring_cas_security_check>
>> 2012-12-19 23:17:10,562 WARN [org.jasig.cas.util.HttpClient] - <Error
>> Sending message to url endpoint
>> [https://appURL/j_spring_cas_security_check].  Error is [app
>> hostname]>
>>
>> 2012-12-19 23:17:10,747 DEBUG
>> [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Error getting
>> service from flow state.>
>> java.lang.IllegalStateException: No active FlowSession to access; this
>> FlowExecution has ended
>>         at
>> org.springframework.webflow.engine.impl.FlowExecutionImpl.getActiveSession(FlowExecutionImpl.java:191)
>>
>> I am having no clue. Being a newbie to Spring Security and CAS, I'm
>> really struggling. Please analyse the spring.xml and help me out.
>> Thanks,
>> Mckenzie
>> On Wed, Dec 19, 2012 at 7:00 PM, Scott Battaglia
>> <scott.battag...@gmail.com> wrote:
>> > You're actually getting two cookies.  The original one created on login,
>> > and during logout, one is being created with an extra "/", thus you end
>> > up with two cookies instead of the original one being overwritten with an
>> > empty value.
>> >
>> > Does anything different happen if you don't send the "url" parameter?
>> > (it shouldn't but it helps to strip it down to the minimum).
>> >
>> >
>> >
>> >
>> > On Wed, Dec 19, 2012 at 8:27 AM, Mckenzie J <mck2...@gmail.com> wrote:
>> >>
>> >> No, the cookie sent does not have a path or domain. I rechecked;
>> >> there is no typo :(
>> >>
>> >> On Wed, Dec 19, 2012 at 6:00 PM, Scott Battaglia
>> >> <scott.battag...@gmail.com> wrote:
>> >> > According to this your cookies have two different paths:
>> >> >
>> >> > CASTGC
>> >> >
>> >> >
>> >> > TGT-8-nnnUWE4IytFrwJX6LZfmSHu3RF7CmBewwEJPOohCtexzRnTLAQ-cas01.example.org
>> >> > /cas-server-webapp-3.5.1 End Of Session
>> >> >
>> >> > CASTGC "" /cas-server-webapp-3.5.1/ Thu, 01-Jan-1970 00:00:10 GMT
>> >> >
>> >> > Their paths should have been constructed the same way. Is that a typo
>> >> > on your end?
>> >> >
>> >> >
>> >> >
>> >> > On Wed, Dec 19, 2012 at 1:12 AM, Mckenzie J <mck2...@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> Hi,
>> >> >>
>> >> >> We are successfully able to log out of CAS. But we are in the process
>> >> >> of a seamless redirection of the CAS logout to the application again.
>> >> >> We are also able to achieve this by configuring the url parameter of
>> >> >> /cas/logout pointing to the application URL.
>> >> >>
>> >> >> Our Spring has been configured with the service URL as
>> >> >> https://APPURL/j_spring_cas_security_check for ServiceProperties and
>> >> >> referred by the casProcessingFilterEntryPoint. So the request is
>> >> >> further redirected to the CAS login page configured as the loginurl in
>> >> >> the spring.xml.
>> >> >>
>> >> >> A strange thing I notice is with the cookies in the Http Fox that
>> >> >> shows calling of the /cas/logout as below
>> >> >> Cookie sent :
>> >> >>
>> >> >> CASTGC
>> >> >>
>> >> >>
>> >> >> TGT-8-nnnUWE4IytFrwJX6LZfmSHu3RF7CmBewwEJPOohCtexzRnTLAQ-cas01.example.org
>> >> >> End Of Session
>> >> >>
>> >> >> Cookie Received:
>> >> >>
>> >> >> CASTGC
>> >> >>
>> >> >>
>> >> >> TGT-8-nnnUWE4IytFrwJX6LZfmSHu3RF7CmBewwEJPOohCtexzRnTLAQ-cas01.example.org
>> >> >> /cas-server-webapp-3.5.1 End Of Session
>> >> >>
>> >> >> CASTGC "" /cas-server-webapp-3.5.1/ Thu, 01-Jan-1970 00:00:10 GMT
>> >> >>
>> >> >> CASPRIVACY "" /cas-server-webapp-3.5.1/ Thu, 01-Jan-1970 00:00:10
>> >> >> GMT
>> >> >>
>> >> >> There is a redirect to the /login page of CAS after this, which shows
>> >> >> the existence of the CASTGC cookie still in the browser, which ideally
>> >> >> should not be. I am not sure why this redirection to the /login page
>> >> >> happens, and I also suppose this might be a cause of the issue. To
>> >> >> trace the flow, I debugged CAS and I could see the following exception:
>> >> >> java.lang.IllegalStateException: No active FlowSession to access; this
>> >> >> FlowExecution has ended
>> >> >>
>> >> >> It looks like the InitialFlowSetupAction is either not setting the
>> >> >> configured service in Flowscope or there is some problem due to the
>> >> >> call of the /login page which interrupts the flow.
>> >> >>
>> >> >> I am looking for the solution for the following:
>> >> >>
>> >> >> 1. Is there any workaround so that I need not close my browser after
>> >> >> logging out, which will give me a seamless experience?
>> >> >>
>> >> >> 2. Does the LogoutController invoked at the call of /logout clear the
>> >> >> cookies on the browser side as well? If so, what is it that I am
>> >> >> missing which makes me see the cookie still there?
>> >> >>
>> >> >> Please provide guidance. I have attached the spring config we are
>> >> >> using. If there needs any change please suggest.
>> >> >>
>> >> >> Thanks,
>> >> >> Mckenzie
>> >> >>
>> >> >>
>> >> >>
>> >> >> Regards,
>> >> >> Mckenzie
>> >> >> --
>> >> >> You are currently subscribed to cas-dev@lists.jasig.org as:
>> >> >> scott.battag...@gmail.com
>> >> >>
>> >> >> To unsubscribe, change settings or access archives, see
>> >> >> http://www.ja-sig.org/wiki/display/JSG/cas-dev

-- 
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
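
The cookie-path diagnosis in Scott Battaglia's quoted reply can be reproduced with a small model of a browser cookie store. This is an added example, not part of the thread and not CAS or Spring Security code; the host name, the TGT value and the Set-Cookie strings are constructed, and domain matching is simplified to an exact host comparison.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

HOST = "casserver"      # constructed placeholder for the redacted CAS host
TGT = "TGT-EXAMPLE"     # constructed placeholder ticket value
APP = "/cas-server-webapp-3.5.1"

def parse_set_cookie(header, host):
    """Return ((name, domain, path), value, expired) for one Set-Cookie value."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    a = {k.strip().lower(): v.strip()
         for k, _, v in (x.partition("=") for x in attrs)}
    exp = a.get("expires")
    expired = bool(exp) and parsedate_to_datetime(exp) <= datetime.now(timezone.utc)
    # RFC 6265 5.3: a stored cookie is identified by name, domain AND path.
    key = (name, a.get("domain", host).lower(), a.get("path", "/"))
    return key, value.strip('"'), expired

def apply_set_cookie(jar, header, host):
    key, value, expired = parse_set_cookie(header, host)
    if expired:
        jar.pop(key, None)   # only an exact (name, domain, path) match is removed
    else:
        jar[key] = value

def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, host, path):
    return {k[0]: v for k, v in jar.items()
            if k[1] == host and path_matches(k[2], path)}

def replay(logout_path):
    """Login sets CASTGC on APP; logout expires CASTGC on logout_path."""
    jar = {}
    apply_set_cookie(jar, f"CASTGC={TGT}; Path={APP}", HOST)
    apply_set_cookie(
        jar,
        f'CASTGC=""; Path={logout_path}; Expires=Thu, 01 Jan 1970 00:00:10 GMT',
        HOST)
    return cookies_sent(jar, HOST, APP + "/login")

if __name__ == "__main__":
    print("logout path with extra '/':", replay(APP + "/"))  # TGT survives
    print("logout path identical:     ", replay(APP))        # TGT removed
```

With the trailing slash the expiring cookie is a different store entry, so the original CASTGC is still presented to /login; with identical paths it is removed.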
