Hi Scott, I think I understand the process you describe. I think that I've already implemented it, including the filter and listener in web.xml as described in the link. It is very likely that what I am missing is the code that recognizes the callback from CAS as a callback, and uses that info to invalidate the session.
I believe I know the answers, but it could be that my understanding is wrong and that would likely be the main cause of misunderstanding, so just in case I'll ask a few dumb questions:

1) When you say that CAS logout calls back to the original service URL... do you mean:
   1-a) The base URL of the app (i.e.: http://.../myApp).
   1-b) A designated entry-point for the app (i.e.: http://.../myApp/index.jsp).
   1-c) The page the user was trying to access within the app when it got intercepted and redirected to the CAS login screen (i.e.: http://.../myApp/folder1/pageX.jsp) - which might have happened because the user kept a bookmark of the page he needed to access, or - often - might be the default entry-point page for the app.
   I suspect that you are saying 1-c. Which would mean that unless the app enforces a mandatory entry point (as in 1-b), every page would have to be able to recognize the callback from CAS.

2) How is CAS 'calling back' the original service URL?
   2-a) Does it redirect browser control so that the page displays? I haven't seen that behavior - when I go to the URL cas/logout it always just displays the CAS logout screen - which I think is view/jsp/default/ui/casLogoutView.jsp. I doubt that it redirects browser control, since a CAS logout can log out multiple client apps at once.
   2-b) Does it make a call to the original page using http but does not display?

3) When CAS calls back the original service URL, does it pass any parameters that can be read to determine that it is a logout attempt?

4) If CAS does not pass parameters on the logout callback call to the service URL, is there something else that can be used to distinguish between a logout callback from CAS and a normal access of the page?

5) When the application calls CAS for a global logout, should it be directing the browser to http://.../cas/logout, or should it really be making a silent call of that URL (perhaps through Ajax)? I suspect both are possible, in which case I'd ask... what's the best practice?
Thanks,
b.

________________________________
From: Scott Battaglia [mailto:[email protected]]
Sent: Wednesday, February 18, 2009 10:54 AM
To: [email protected]
Subject: Re: [cas-user] Spring Security & CAS logout

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
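An added example, not code from this thread or from the Jasig CAS client library, of how a service-side filter can recognize the single-logout callback that questions 2 to 4 above ask about: CAS sends a server-to-server HTTP POST to the service URL with a parameter named logoutRequest carrying a SAML LogoutRequest, and its SessionIndex element holds the service ticket that originally created the session. The class name, map name and the assumption that the filter is mapped after ticket validation are hypothetical; logoutRequest, ticket and SessionIndex are the real names CAS uses.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not the Jasig client's own SingleSignOutFilter): remember
// the service ticket that created each session, and invalidate that session when
// CAS posts its logoutRequest callback naming the same ticket. Assumes it runs
// after the ticket-validation filter, so a "ticket" parameter is already validated.
public class CasLogoutCallbackFilter implements Filter {
    // A session listener should also remove entries when sessions time out.
    private static final Map<String, HttpSession> SESSIONS_BY_TICKET = new ConcurrentHashMap<>();
    private static final Pattern SESSION_INDEX =
        Pattern.compile("<samlp:SessionIndex>\\s*([^<\\s]+)\\s*</samlp:SessionIndex>");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String logoutRequest = http.getParameter("logoutRequest");
        // Single-logout callback: a POST from CAS itself, no browser behind it and
        // nothing to render. Drop the matching session and stop the chain here.
        if ("POST".equalsIgnoreCase(http.getMethod()) && logoutRequest != null) {
            String ticket = extractSessionIndex(logoutRequest);
            HttpSession s = (ticket == null) ? null : SESSIONS_BY_TICKET.remove(ticket);
            if (s != null) {
                try { s.invalidate(); } catch (IllegalStateException alreadyGone) {}
            }
            return;
        }
        // Normal page access right after CAS login carries ?ticket=ST-...; remember
        // which session it created so the later callback can find it.
        String ticket = http.getParameter("ticket");
        if (ticket != null) {
            SESSIONS_BY_TICKET.put(ticket, http.getSession(true));
        }
        chain.doFilter(req, res);
    }

    static String extractSessionIndex(String logoutRequest) {
        Matcher m = SESSION_INDEX.matcher(logoutRequest);
        return m.find() ? m.group(1) : null;
    }
}
```

Because the callback is a POST that arrives at whatever service URL the application sent to CAS, mapping the filter on /* (rather than on one entry page) is what makes every page able to recognize it.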
