On Wed, Feb 18, 2009 at 11:43 AM, Bruno Melloni <[email protected]> wrote:

>   It seems that I offended you.  It was not my intent.  It is obvious that
> CAS is a great product, even if it is a nightmare to understand and
> configure.  I thought I had finally understood it and was trying to
> summarize for those that only know English and Java, and are beginners at
> CAS.  As a matter of fact, half of what I summarized was my understanding of
> your previous answers.  Obviously I didn't understand as well as I thought.
>
No problem, I was mostly just trying to correct incorrect info since all of
this stuff is archived!

>
>
> The thing that confuses me the most is when you say that CAS can be
> configured to call back the Spring Security /j_spring_security_logout  URL.
> Of course I'd rather do that!!!
>
It won't call that page and *it shouldn't*.  That's your application's
logout page.

>
>
> From all the information available (including what you gave me) it looked
> like CAS couldn't, and that at best it could only go back to the URL
> accessed when CAS redirected to the login page.
>
It doesn't go back to any page.  It *calls back* to the original URL to tell
it to destroy the session.

>   I trust you on 'faith' that it is possible to configure CAS through
> Spring Security so that it calls the j_spring_security_logout URL of the
> client app during a CAS logout, but even though it sounds like a trivial
> thing, I've seen no sign of how to do so anywhere in the docs nor the
> internet.
>
It won't call the logout page.  It will *call back* to your application at
the original service URL and destroy the session if you've configured the
filter.  You're responsible if you want that logout page called.  I'm not
sure you're understanding what happens here.

Let me try again:
1. Your application has a logout page.  You call that when you want to
destroy your LOCAL session.
2. CAS has a logout page.  You call that when you want to destroy the SSO
session. Destroying the SSO session tells CAS to call back to all
applications and let them know the SSO session has been destroyed.
3. If your application has the filter configured for Single Log Out, it will
intercept the logout information from the CAS server and destroy the local
session if it still exists.

>   All the posts out there are either of somebody who tried and failed, or of
> some crazy hack to get around it.  If it can really be done, that would be
> the Holy Grail… please show me an example of such a configuration done in a
> Spring Security applicationContext-security.xml.
>
This is the configuration you need in your web.xml:
https://src.springframework.org/svn/spring-security/trunk/samples/cas/client/src/main/webapp/WEB-INF/web.xml

-Scott
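
The three steps listed in this reply, as a small in-memory model. This is an added example, not part of the original message and not CAS or Spring Security code: `App`, `CasServer` and all ticket and session values are constructed, while the `logoutRequest` form parameter and `SessionIndex` element follow the format of the CAS single sign-out callback.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
LOGOUT_XML = ('<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-constructed" Version="2.0">'
              '<samlp:SessionIndex>%s</samlp:SessionIndex></samlp:LogoutRequest>')

class App:
    """Hypothetical CAS client application holding its own LOCAL sessions."""
    def __init__(self, service_url, slo_filter=True):
        self.service_url, self.slo_filter = service_url, slo_filter
        self.sessions = {}    # local session id -> user
        self.by_ticket = {}   # service ticket -> local session id

    def login(self, ticket, user):
        # Ticket validation is omitted; the filter remembers which ticket
        # created which local session so a later callback can find it.
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        self.by_ticket[ticket] = sid
        return sid

    def local_logout(self, sid):
        # Step 1: the application's own logout page. CAS is not told.
        self.sessions.pop(sid, None)

    def receive_post(self, form):
        # Step 3: server-to-server POST to the service URL, no browser involved.
        if not self.slo_filter or "logoutRequest" not in form:
            return False
        node = ET.fromstring(form["logoutRequest"]).find("{%s}SessionIndex" % SAMLP)
        ticket = (node.text or "").strip() if node is not None else ""
        return self.sessions.pop(self.by_ticket.pop(ticket, None), None) is not None

class CasServer:
    """Hypothetical CAS server tracking which services each SSO session used."""
    def __init__(self):
        self.sso = {}         # TGT id -> [(app, service ticket), ...]

    def sso_login(self, tgt, app, user):
        ticket = "ST-" + secrets.token_hex(8)
        self.sso.setdefault(tgt, []).append((app, ticket))
        return app.login(ticket, user)

    def logout(self, tgt):
        # Step 2: destroying the SSO session calls back to every service.
        return {app.service_url: app.receive_post({"logoutRequest": LOGOUT_XML % (SAMLP, ticket)})
                for app, ticket in self.sso.pop(tgt, [])}
```

An application without the filter keeps its local session after the SSO session is gone, and a local logout leaves the SSO session in place.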

>
>
> b.
>
>
>  ------------------------------
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Wednesday, February 18, 2009 9:36 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] Spring Security & CAS logout
>
>
>
> --
>
> You are currently subscribed to [email protected] as: 
> [email protected]
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>