As a test, in the application I changed the URL pattern of the CAS Single Sign Out Filter in web.xml from /* to /j_spring_security_logout (the default Spring Security logout URL). Now after I log out through CAS, I can still navigate the whole app as if it was still logged on.
So, I think I confirmed without any doubt that CAS is not calling the URL specified in the SSO filter. Is there any other place where I need to specify the URL so that CAS knows to call it?

b.

________________________________
From: Bruno Melloni
Sent: Tuesday, February 17, 2009 1:13 PM
To: [email protected]
Subject: RE: [cas-user] Spring Security & CAS logout

Sure, where do I look for the redirect?

In case it helps figure out what's going on, this is the sequence of URLs I am accessing:

1) Try to go to myApp/app/home.jsp (a secure page) - it gets redirected to https://mysSvr:8443/cas/login?service=https%3A%2F%2FLCEIT1664%3A8443%2FmyApp%2Fj_spring_cas_security_check
2) I enter the credentials and it goes to https://mySvr:8443/myApp (the fix you gave me earlier by setting alwaysUseDefaultTargetUrl="false" worked once, but no longer after restarting the server). But at this point I see the user info and roles in the session.
3) I again go to myApp/app/home.jsp - this time it displays, since I'm already authenticated.
4) I do https://mySvr:8443/cas/logout - it displays the CAS logout page - no redirection happens - it does log out of CAS.
5) I go to myApp/app/home.jsp again - it displays, with user info and roles, apparently still logged in through Spring Security.
6) I go to myApp/app/, it has lost the credentials.

After doing the Single Sign Out configuration, the impression that I get is that once I log out in CAS it will only clear the Spring Security credentials if I navigate through the one URL listed in the Single Sign Out configuration, but CAS does not redirect me to that URL.
________________________________
From: Scott Battaglia [mailto:[email protected]]
Sent: Tuesday, February 17, 2009 12:53 PM
To: [email protected]
Subject: Re: [cas-user] Spring Security & CAS logout

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
