Thank you, Marvin. That just gave me the information I was missing and made me realize that I was on a wild goose chase. Let me mention what I've learned so far about Single Sign Out, from previous emails and all of my research. I think it clarifies a lot of misconceptions, and gave me the key clue to the answer to logging out with Spring Security:
- Single Sign Out within CAS is fairly young. It has not evolved yet to full maturity, and further improvements are likely in the future.

- Support for Single Sign Out when using Spring Security on the client app is even younger (if supported - I'm not quite sure).

- There is no ability in CAS to logout from a single application (invalidate just the one ticket). If https:/.../cas/logout is called, it will logout from all applications (expiring all tickets). The intuitive logout form that can sometimes be seen when googling (https:/.../cas/logout?service=https/.../myapp) is not a way to logout from a single app.

- There is no ability in CAS to specify which URL to call when an app is being logged out. Only the original URL that caused the login will be called. Unfortunately, this means that if one user enters an app at page http/.../clientApp/page1.html and another at http/.../clientApp/page2.html, when each user logs out CAS will call page1 or page2, and it would be hard to code some kind of logout intercept at that point since it does not always happen at the same page.

- If the client is using Spring Security as its interface to CAS, it is possible to specify a callback URL that triggers a Spring Security logout (not of CAS). This is by default /j_spring_security_logout. In the same tag, it is possible to specify a Spring Security logout success URL, and... it can be https:/.../cas/logout, thus causing a logout of both Spring Security and CAS!

Solution (for clients that use Spring Security to access CAS):
=============================================================

1) Do not bother with the CAS Single Sign Out filter.

2) Define a <security:logout/> tag that specifies the logout-success-url to be the CAS logout URL.

   Example:

   <security:http entry-point-ref="casProcessingFilterEntryPoint">
       <security:intercept-url pattern="/secure/**" access="ROLE_USER" />
       <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
       <security:anonymous/>
       <security:logout logout-success-url="https://LCEIT1664:8443/cas/logout"/>
   </security:http>

3) The above is not perfect. It will only logout from Spring Security when the application is logged out from -that- application. A CAS logout from another application will not guarantee that the application gets logged out from Spring Security. But then, neither does the web.xml-based Single Sign Out procedure.

It might be a good idea to add this Spring Security Single Sign Out procedure to the documentation.

Recommendations for future CAS Single Sign Out enhancements:
===========================================================

These are not critical, but would make CAS better.

- Add a client configuration parameter to the CAS client that allows specifying the client logout URL (and of course the supporting server code to record it at login and call it at logout). This will allow 'guaranteed' single sign out at the client.

- In addition to the current global logout in CAS (logs out from all applications), implement the ability to pass a service URL as a parameter to cas/logout. When used, it would logout only from that application / expire its ticket without logging out all of the other applications for the user. Note that a user could have logged in from a page deeper in the tree (i.e.: https:/.../clientApp/folder1/folder2/page.html) than the root service URL (i.e.: https:/.../clientApp). Therefore if a service URL is passed, CAS would need to expire all tickets that 'start' with it.

I hope that helps, and that it reaches the right people in the CAS documentation and development teams.

b.
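As an added illustration (not code from this thread or from CAS itself), the following Python model captures the two CAS-side behaviours discussed above: the existing global logout replays each ticket's original login URL verbatim (the page1/page2 problem), and the proposed per-service logout expires only tickets whose login URL 'starts with' the given service. The match is done on a path-segment boundary so that a service of https://host/clientApp does not also expire https://host/clientApp2; all class names, ticket ids and URLs are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ServiceTicket:
    ticket_id: str
    user: str
    service_url: str  # the exact URL that contacted CAS at login (replayed at logout)
    expired: bool = False


def url_under_service(service: str, url: str) -> bool:
    """True if url lies under service: same scheme and host, and the service path is
    either the whole path or a path-segment prefix (so /clientApp never matches /clientApp2)."""
    s, u = urlsplit(service), urlsplit(url)
    if (s.scheme, s.netloc.lower()) != (u.scheme, u.netloc.lower()):
        return False
    base = s.path.rstrip("/")
    return u.path == base or u.path.startswith(base + "/")


class TicketRegistry:
    """Constructed toy model of CAS-side ticket bookkeeping; not CAS's real registry."""

    def __init__(self):
        self._tickets = []
        self._seq = 0

    def login(self, user: str, service_url: str) -> ServiceTicket:
        # CAS records the referring URL of the service that asked for the ticket.
        self._seq += 1
        ticket = ServiceTicket(f"ST-{self._seq}", user, service_url)
        self._tickets.append(ticket)
        return ticket

    def active(self, user: str) -> list:
        return [t for t in self._tickets if t.user == user and not t.expired]

    def global_logout(self, user: str) -> list:
        """Current /cas/logout: expire every ticket and call back each login URL verbatim."""
        return self.service_logout(user, None)

    def service_logout(self, user: str, service) -> list:
        """Proposed /cas/logout?service=...: expire only tickets under that service.
        Returns the callback URLs CAS would contact (each ticket's original login URL)."""
        callbacks = []
        for t in self.active(user):
            if service is None or url_under_service(service, t.service_url):
                t.expired = True
                callbacks.append(t.service_url)
        return callbacks
```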
-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Wednesday, February 18, 2009 8:16 AM
To: [email protected]
Subject: Re: [cas-user] Spring Security & CAS logout

> Is there any other place where I need to specify URL so that CAS knows to
> call it?

The URL that CAS calls is not configurable. It simply replays the referring URL of the service that contacted CAS for a service ticket. So if you enter your application through https://yourhost/myApp/app/home.jsp, it will attempt to contact that _exact_ URL at logout time. You should configure the scope of SingleSignOutFilter accordingly. Also, as I believe is mentioned in the Wiki document, that filter must be defined before all other CAS filters.

You can confirm SingleSignOutFilter/SingleSignOutHttpSessionListener received the CAS logout request by looking for the following in your application logs, assuming you have org.jasig.cas set to DEBUG or lower:

2008-12-04 16:05:07,610 DEBUG [org.jasig.cas.client.session.SingleSignOutHttpSessionListener] Removing HttpSession: QXdhBMmvsm+0FuvJJ4p23A**

Hope that helps,

Marvin Addison
Middleware Services
Virginia Tech

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
