On Wed, Feb 18, 2009 at 12:52 PM, Bruno Melloni <[email protected]> wrote:

> Hi Scott,
>
> I think I understand the process you describe. I think that I've already
> implemented it, including the filter and listener in web.xml as described in
> the link. It is very likely that what I am missing is the code that
> recognizes the callback from CAS as a callback, and uses that info to
> invalidate the session.

If you have the filter set to check either * or the original service URL then
it should work. If it's not working, we should find out why. Ways to determine
include checking the Apache access logs to see if the call is there after you
chose logout, and upping the logging level on the server.

> <snip />
>
> 1) When you say that CAS logout calls back to the original service URL… do
> you mean:
>
> 1-a) The base URL of the app (i.e.: http://.../myApp).
>
> 1-b) A designated entry-point for the app (i.e.: http://.../myApp/index.jsp)
>
> 1-c) The page the user was trying to access within the app when it got
> intercepted and redirected to the CAS login screen (i.e.:
> http:/…/myApp/folder1/pageX.jsp), which might have happened because the
> user kept a bookmark of the page he needed to access, or, often, might be
> the default entry-point page for the app.
>
> I suspect that you are saying 1-c. Which would mean that unless the app
> enforces a mandatory entry point (as in 1-b), every page would have to be
> able to recognize the callback from CAS.

It's calling the original URL provided as the service URL (so
https://cas.server.com/login?service=FOO where FOO is what it will call back
to).

> 2) How is CAS 'calling back' the original service URL?

It does it via a behind-the-scenes URLConnection to the server. If your CAS
server is firewalled to not allow outgoing connections, this will fail.

> 2-a) Does it redirect browser control so that the page displays?
> I haven't seen that behavior. When I go to the URL cas/logout it always just
> displays the CAS logout screen, which I think is
> view/jsp/default/ui/casLogoutView.jsp. I doubt that it redirects browser
> control, since a CAS logout can log out multiple client apps at once.

You are correct, no redirect.

> 2-b) Does it make a call to the original page using http but does not
> display?

It does it behind the scenes before it displays the logout page. It opens a
URLConnection to the original URL.

> 3) When CAS calls back the original service URL, does it pass any
> parameters that can be read to determine that it is a logout attempt?

It POSTs with a SAML message.

> 4) If CAS does not pass parameters on the logout callback call to the
> service URL, is there something else that can be used to distinguish between
> logout callback from CAS and a normal access of the page?

The filter is able to determine (it recognizes the POST and SAML message).

> 5) When the application calls CAS for a global logout, should it be
> directing the browser to http:/…/cas/logout, or should it really be making a
> silent call of that URL (perhaps through Ajax)? I suspect both are
> possible, in which case I'd ask… what's the best practice?

We generally recommend you never call it without the user knowing (that said,
we actually do it at Rutgers). Our sample pages always say to notify the user
their local session has ended and how to end their global session.

> Thanks,
>
> b.
> ------------------------------
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Wednesday, February 18, 2009 10:54 AM
> *To:* [email protected]
> *Subject:* Re: [cas-user] Spring Security & CAS logout

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
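The mechanism Scott describes for questions 2 through 4 (CAS opens its own connection to the service URL and POSTs a SAML message; the single-sign-out filter recognizes that POST and kills the local session) is shown below as an added example. It is not code from the CAS project, the Java CAS client, or the Spring Security CAS module; it is a language-neutral Python sketch of the decision the Java filter makes. Assumed, and not stated on this page: the CAS 3 convention of carrying the SAML `LogoutRequest` in a form field named `logoutRequest` with the service ticket in `samlp:SessionIndex`; the names `SessionRegistry`, `classify_request` and `handle_request` are this example's own; the sample LogoutRequest XML is constructed.

```python
"""How a CAS single-sign-out filter tells the logout callback apart from an
ordinary page request, and how it maps that callback to a local session.

Added example, not code from CAS, java-cas-client or Spring Security.
Assumed (CAS 3 client convention, verify for your version): the CAS server
POSTs the SAML LogoutRequest in a form field named 'logoutRequest', and the
service ticket the session was created with is in samlp:SessionIndex.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
LOGOUT_PARAM = "logoutRequest"   # assumed form-field name (CAS 3 client convention)


class SessionRegistry:
    """Service ticket (ST) -> local session id.

    The SLO callback is an unauthenticated POST from the CAS server; the only
    thing linking it to a particular user is the ST that user's session was
    originally created with.  The app therefore records ticket -> session at
    login time and looks sessions up by ticket; it must never let the callback
    name a session id directly.
    """

    def __init__(self):
        self._by_ticket = {}
        self.invalidated = []

    def register(self, ticket, session_id):
        """Called by the login (ticket validation) path."""
        self._by_ticket[ticket] = session_id

    def invalidate_by_ticket(self, ticket):
        """Kill the session created with `ticket`; returns its id or None."""
        session_id = self._by_ticket.pop(ticket, None)
        if session_id is not None:
            self.invalidated.append(session_id)
        return session_id


def session_index_from_logout_request(xml_text):
    """Return the samlp:SessionIndex of a LogoutRequest, or None if the text
    is not a well-formed samlp:LogoutRequest carrying one."""
    # Attacker-reachable XML should go through a hardened parser in production
    # (e.g. defusedxml); stdlib ElementTree is used here to stay dependency-free.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    idx = root.find("{%s}SessionIndex" % SAMLP)
    if idx is None or not (idx.text or "").strip():
        return None
    return idx.text.strip()


def classify_request(method, query_string, form_body):
    """What is this request to the service URL?

      ("logout", ticket)  SLO callback: POST carrying a SAML LogoutRequest
      ("login",  ticket)  login callback: browser GET ...?ticket=ST-...
      ("normal", None)    ordinary access of the page by the browser
    """
    if method == "POST":
        form = parse_qs(form_body)
        if LOGOUT_PARAM in form:
            ticket = session_index_from_logout_request(form[LOGOUT_PARAM][0])
            if ticket is not None:
                return ("logout", ticket)
    if method == "GET":
        ticket = parse_qs(query_string).get("ticket", [None])[0]
        if ticket:
            return ("login", ticket)
    return ("normal", None)


def handle_request(registry, method, query_string, form_body):
    """Filter step: on the SLO callback invalidate the matching local session
    and return its id; for anything else return None and let the request
    continue down the chain."""
    kind, ticket = classify_request(method, query_string, form_body)
    if kind == "logout":
        return registry.invalidate_by_ticket(ticket)
    return None


# Constructed sample of the message CAS posts to the service URL on logout.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-example" Version="2.0" IssueInstant="2009-02-18T12:52:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
SAMPLE_LOGOUT_BODY = urlencode({LOGOUT_PARAM: SAMPLE_LOGOUT_REQUEST})


if __name__ == "__main__":
    reg = SessionRegistry()
    reg.register("ST-1-abc", "JSESSIONID-111")          # recorded at login
    print(classify_request("GET", "", ""))               # ordinary page hit
    print(classify_request("GET", "ticket=ST-1-abc", ""))
    print(handle_request(reg, "POST", "", SAMPLE_LOGOUT_BODY))  # session killed
    print(handle_request(reg, "POST", "", SAMPLE_LOGOUT_BODY))  # already gone
```

Two things follow from this that matter when debugging the setup in the thread: because the callback is a POST to whatever was passed as `service=`, the Apache access log check Scott suggests should show a POST (not a GET) to that exact URL, coming from the CAS server's address rather than the user's browser, right after the logout; and because the callback carries only a ticket, the filter can only end a session it recorded at login, so a session whose ticket was never registered (for example a page outside the filter's URL pattern) will survive a global logout.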
