On Wed, Feb 18, 2009 at 10:22 AM, Bruno Melloni <[email protected]> wrote:

> Thank you, Marvin. That just gave me the information I was missing and made
> me realize that I was on a wild goose chase.  Let me mention what I've
> learned so far about Single Sign Out, from previous emails and all of my
> research.  I think it clarifies a lot of misconceptions, and gave me the key
> clue to the answer to logging out with Spring Security:
>
> - Single Sign Out within CAS is fairly young.  It has not evolved yet to
> full maturity, and further improvements are likely in the future.


Actually single sign out works fine.  It calls back like it's supposed to.
Maybe we don't support YOUR definition of single sign out, but that's
different.

>
>
> - Support for Single Sign Out when using Spring Security on the client app
> is even younger (if supported - I'm not quite sure).


Single Sign Out Support relies on the JASIG CAS Client, which means you
configure the filter.  We're not going to duplicate code in both when you
can configure the filter.

>
>
> - There is no ability in CAS to logout from a single application
> (invalidate just the one ticket).  If https:/.../cas/logout is called, it
> will logout from all applications (expiring all tickets).  The intuitive
> logout form that can sometimes be seen when googling
> (https:/.../cas/logout?service=https/.../myapp) is not a way to logout from
> a single app.


If you want to log out of your application, then you end your application's
session.  It doesn't involve CAS.  It doesn't need to involve CAS and CAS
doesn't have any outstanding tickets for your application.  Service Tickets
are used ONCE and then discarded/expired.

>
>
> - There is no ability in CAS to specify which URL to call when an app is
> being logged out.  Only the original URL that caused the login will be
> called.  Unfortunately, this means that if one user enters an app at page
> http/.../clientApp/page1.html and another at http/.../clientApp/page2.html,
> when each user logs out CAS will call page1 or page2, and it would be hard
> to code some kind of logout intercept at that point since it does not happen
> always at the same page.


That's why you have the filter. And also if you're using Spring Security you
always use the same endpoint no matter what.

>
>
> - If the client is using Spring Security as its interface to CAS, it is
> possible to specify a callback URL that triggers a Spring Security logout
> (not of CAS).  This is by default /j_spring_security_logout.  In the same
> tag, it is possible to specify a Spring Security logout success URL, and...
> it can be https:/.../cas/logout, thus causing a logout of both Spring
> Security and CAS!


You've now killed your entire CAS session because you logged out of one
application.  Is that what you want? Information on logging out of an
application and recommended text is here:
http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1


>
>
> Solution (for clients that use Spring Security to access CAS):
> =============================================================
>
> 1) Do not bother with the CAS Single Sign Out filter.


If you don't do that then you don't have single sign out.  Good luck.

>
>
> 2) Define a <security:logout/> tag that specifies the logout-success-url to
> be the CAS logout URL.  Example:
>
> <security:http entry-point-ref="casProcessingFilterEntryPoint">
>   <security:intercept-url pattern="/secure/**" access="ROLE_USER" />
>   <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
>   <security:anonymous/>
>   <security:logout logout-success-url="https://LCEIT1664:8443/cas/logout" />
> </security:http>
>
> 3) The above is not perfect.  It will only logout from Spring Security when
> the application is logged out from -that- application.  A CAS logout from
> another application will not guarantee that the application gets logged out
> from Spring Security.  But then, neither does the web.xml-based Single
> Signout procedure.


Actually the Single Sign Out feature does guarantee that you are logged out,
as long as you've configured it.

>
>
>
> It might be a good idea to add this Spring Security Single Sign Out
> procedure to the documentation.
>
> Recommendations for future CAS Single Sign Out enhancements:
> ===========================================================
>
> These are not critical, but would make CAS better.
>
> - Add a client configuration parameter to the CAS client that allows
> specifying the client logout URL (and of course the supporting server code
> to record it at login and call it at logout).  This will allow 'guaranteed'
> single sign out at the client.


Using the filter guarantees it works too.  There's a difference between a
bug in the server and you not getting it to work.

>
>
> - In addition to the current global logout in CAS (logs out from all
> applications), implement the ability to pass a service URL as a parameter to
> cas/logout.  When used, it would logout only from that application / expire
> its ticket without logging out all of the other applications for the user.
>  Note that a user could have logged in from a page deeper in the tree (i.e.:
> https:/.../clientApp/folder1/folder2/page.html) than the root service URL
> (i.e.: https:/.../clientApp).  Therefore if a service URL is passed, CAS
> would need to expire all tickets that 'start' with it.


You may wish to understand how CAS works before you go around telling us how
to solve every problem.  CAS doesn't maintain a session for an individual
application.  It maintains a global single sign on session and issues one time
tickets to log you into other applications.  At that point it's the
application's responsibility to manage its own session and terminate it if
necessary.

You may wish to look at the following:
http://www.jasig.org/cas/protocol
http://www.jasig.org/cas/cas2-architecture
http://www.jasig.org/cas/cas1-architecture


>
>
> I hope that helps, and that it reaches the right people in the CAS
> documentation and development teams.
>
> b.
>
> -----Original Message-----
> From: Marvin Addison [mailto:[email protected]]
> Sent: Wednesday, February 18, 2009 8:16 AM
> To: [email protected]
> Subject: Re: [cas-user] Spring Security & CAS logout
>
> > Is there any other place where I need to specify URL so that CAS knows to
> > call it?
>
> The URL that CAS calls is not configurable.  It simply replays the
> referring URL of the service that contacted CAS for a service ticket.
> So if you enter your application through
> https://yourhost/myApp/app/home.jsp, it will attempt to contact that
> _exact_ URL at logout time.  You should configure the scope of
> SingleSignOutFilter accordingly.  Also, as I believe is mentioned in
> the Wiki document, that filter must be defined before all other CAS
> filters.
>
> You can confirm SingleSignOutFilter/SingleSignOutHttpSessionListener
> received the CAS logout request by looking for the following in your
> application logs, assuming you have org.jasig.cas set to DEBUG or
> lower:
>
> 2008-12-04 16:05:07,610 DEBUG
> [org.jasig.cas.client.session.SingleSignOutHttpSessionListener]
> Removing HttpSession: QXdhBMmvsm+0FuvJJ4p23A**
>
> Hope that helps,
> Marvin Addison
> Middleware Services
> Virginia Tech
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
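The mechanism the whole thread turns on, a one-shot service ticket tied to one local session, and a logout callback replayed to the exact URL that presented the ticket, modelled in Python. This is an added example, not code from the CAS project, the Spring Security project or either poster. It assumes (beyond what the thread states; this matches the CAS 3.x server, but check your version) that the callback is an HTTP POST to the service URL carrying a `logoutRequest` parameter whose value is a SAML 2.0 LogoutRequest with the service ticket in `<samlp:SessionIndex>`. The session IDs, ticket IDs and the LogoutRequest body are constructed sample data.

```python
"""Client-side model of CAS single sign out (added example, see lead-in).

Mirrors what the JASIG CAS client's SingleSignOutFilter and
SingleSignOutHttpSessionListener do: remember which HttpSession a service
ticket logged in, and invalidate exactly that session when the CAS server
POSTs its logout callback to the same URL.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


@dataclass
class HttpSession:
    """Stand-in for javax.servlet.http.HttpSession."""
    session_id: str
    valid: bool = True
    attributes: Dict[str, str] = field(default_factory=dict)

    def invalidate(self) -> None:
        self.valid = False
        self.attributes.clear()


@dataclass
class Request:
    """The parts of HttpServletRequest the filter looks at."""
    method: str
    path: str                      # e.g. /app/home.jsp, relative to the context
    params: Dict[str, str]
    session: Optional[HttpSession] = None


def matches_url_pattern(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: '/*' or '/secure/*' is a prefix, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def extract_session_index(logout_request_xml: str) -> Optional[str]:
    """Return the ticket in <samlp:SessionIndex>, or None on malformed input.

    The URL is reachable by anyone, not just the CAS server, so treat the body
    as hostile; in production prefer defusedxml over the stdlib parser.
    """
    try:
        root = ET.fromstring(logout_request_xml)
    except ET.ParseError:
        return None
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    return node.text.strip() if node is not None and node.text else None


class SingleSignOutHandler:
    """Ticket -> session registry with the filter's two entry points."""

    def __init__(self, url_pattern: str = "/*") -> None:
        self.url_pattern = url_pattern
        self._session_by_ticket: Dict[str, HttpSession] = {}
        self._ticket_by_session: Dict[str, str] = {}

    def handle(self, request: Request) -> str:
        # A URL outside the filter mapping never reaches this code, so a
        # callback sent there is silently lost (Marvin's scoping point).
        if not matches_url_pattern(self.url_pattern, request.path):
            return "not-filtered"
        if request.method == "POST" and "logoutRequest" in request.params:
            ticket = extract_session_index(request.params["logoutRequest"])
            session = self._session_by_ticket.pop(ticket, None) if ticket else None
            if session is None:
                return "unknown-ticket"
            self._ticket_by_session.pop(session.session_id, None)
            session.invalidate()
            return "invalidated"
        if "ticket" in request.params and request.session is not None:
            # The ST is used once; this mapping is the only link CAS logout
            # has back to our session, so it must be recorded here.
            ticket = request.params["ticket"]
            self._session_by_ticket[ticket] = request.session
            self._ticket_by_session[request.session.session_id] = ticket
            return "recorded"
        return "pass-through"

    def session_destroyed(self, session: HttpSession) -> None:
        """Listener hook: a local logout drops the mapping so no stale entry remains."""
        ticket = self._ticket_by_session.pop(session.session_id, None)
        if ticket:
            self._session_by_ticket.pop(ticket, None)


def build_logout_request(ticket: str) -> str:
    """Constructed sample callback body, not a capture from a real server."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
            f'IssueInstant="2009-02-18T15:22:00Z">'
            f'<samlp:SessionIndex>{ticket}</samlp:SessionIndex></samlp:LogoutRequest>')


def demo(url_pattern: str) -> Dict[str, str]:
    """Log in through /app/home.jsp, then receive the callback at that exact URL."""
    handler = SingleSignOutHandler(url_pattern)
    session = HttpSession("QXdhBMmvsm")          # constructed session id
    login = Request("GET", "/app/home.jsp", {"ticket": "ST-1-abc"}, session)
    callback = Request("POST", "/app/home.jsp",
                       {"logoutRequest": build_logout_request("ST-1-abc")})
    return {"login": handler.handle(login), "callback": handler.handle(callback),
            "session_valid": str(session.valid)}
```

`demo("/*")` invalidates the session; `demo("/secure/*")` never records the ticket and never sees the callback, which is the failure mode of mapping the filter too narrowly when users enter through arbitrary pages. Note that a local logout followed by `session_destroyed` leaves nothing for a later callback to act on, so CAS logout and application logout stay independent, as the reply insists.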
