Scott,

Thanks for your reply. Actually both the CAS server box and CAS client box
are within our organization's firewall, and those two boxes don't have a
firewall set up to block each other. I tried adding a third application to
the client box and it works as follows:
CAS server: box1
app1 is a Spring Acegi application in box2
app2 is a Spring Security application in box2
app3 is a jsp servlet application (Hello World example from Tomcat) in box2

All 3 client apps are configured for Single Sign Out. 
1) I have all three apps running in the same browser. When I log out of app1,
it also logs me out of app3, but I can still access app2.

2) I have all three apps running in the same browser. When I log out of app2,
it also logs me out of app3, but I can still access app1.

Below is the web.xml configuration for app1 and app2:
web.xml for app1:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
    <!-- Session timeout is x minutes -->
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <!-- The Spring Application Contexts -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:gov/pc/portal/acegi/spring.xml
            /WEB-INF/applicationContext.xml
        </param-value>
    </context-param>
    <!-- CAS single sign out -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <!-- The Spring Context Loader Listener -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <listener>
        <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <!-- The Acegi Security Filter -->
    <filter>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
        </init-param>
    </filter>
    <!-- The Acegi Security Filter Mapping -->
    <filter-mapping>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Welcome Files -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

web.xml for app2:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
    <display-name>Spring Security Tutorial Application</display-name>
        <context-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>
                        classpath:applicationContext-business.xml
                        classpath:gov/pc/portal/springsecurity/spring.xml
                        /WEB-INF/applicationContext-security.xml
                </param-value>
        </context-param>
        
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j.properties</param-value>
    </context-param>    

    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    
    <filter-mapping>
           <filter-name>CAS Single Sign Out Filter</filter-name>
           <url-pattern>/*</url-pattern>
        </filter-mapping>

    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>bank</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

        <servlet-mapping>
        <servlet-name>bank</servlet-name>
        <url-pattern>*.html</url-pattern>
        </servlet-mapping>
        
                <!-- Test on session timeout configuration -->
        <session-config>
        <session-timeout>1</session-timeout>
    </session-config>

     <welcome-file-list>
                <welcome-file>index.jsp</welcome-file>
        </welcome-file-list>

</web-app>
~~~~~~~~~~~~~~~~~~~~~~~~~~

For the Spring Security application, I used "j_spring_security_logout" to
log out. I even explicitly added a SingleSignOut filter in the
applicationContext.xml file:
        <bean id="casSingleSignOutFilter"
              class="org.jasig.cas.client.session.SingleSignOutFilter">
            <sec:custom-filter before="CAS_PROCESSING_FILTER"/>
        </bean>

What else do I need to do, or what did I do wrong? Please help!

Thanks so much,

Xuejin



scott_battaglia wrote:
> 
> Check your firewall settings, etc. to see if your outgoing call is being
> blocked.
> 
> 
> On Tue, Jul 7, 2009 at 5:14 PM, Xuejin Ruan <[email protected]> wrote:
> 
>>
>> Hi all,
>>
>> I have a couple of applications implementing the Single Sign Out solution.
>> When the CAS server and CAS clients are running on the same box, everything
>> works as expected. When I log off one application, it also logs off another
>> application. However, when I put them in a distributed environment, Single
>> Sign Out doesn't work correctly.
>>
>> I am running cas-server-3.3.3 in boxA, and I have a Spring Security
>> application (app1) running on boxB using cas-client-3.1.6, and another
>> Spring Acegi application (app2) using cas-client-3.1.6 also on boxB. I have
>> configured the Single Sign Out filter and listener in the web.xml file for
>> both apps
>> (http://www.ja-sig.org/wiki/display/CASC/Configuring+Single+Sign+Out). For
>> app1, I defined logout-success-url as "https://casserver:8443/cas/logout";
>> and for app2, I have custom code to invalidate the session variable and then
>> redirect to "https://casserver:8443/cas/logout" upon logout. Single Sign On
>> works correctly for both apps. However, if I have both app1 and app2
>> running, when I log out of app1, app1's session was invalidated, it logged
>> out of app1 and the logout-success-url was correctly displayed. But I can
>> still browse app2 without being challenged for credentials. The same thing
>> happens if I log out of app2: app1 still seems to be running fine.
>>
>> From what I have learned, for a Spring Security application, when the user
>> clicks the following link to log out:
>> '<c:url value="../j_spring_security_logout" '>Logout
>> it will invalidate the user's session, and then it will be redirected to the
>> logout-success-url defined in the xml config file. Then the CAS server will
>> send out a request to the other applications to destroy the cache entry
>> containing the corresponding service ticket. I don't have a very deep
>> understanding of this process. It seems to me that when app1 logs out and
>> triggers the CAS server to log out, app2's SingleSignOutHttpSessionListener
>> is not really listening to the request sent out by the CAS server. Can
>> someone correct me if I am wrong?
>>
>> Is there any configuration that I am missing? Please help! Another thing I
>> don't understand is why it works with no problem when the CAS server and
>> client applications are in the same box, same Tomcat server?
>>
>> Thanks,
>>
>> Xuejin
>> --
>> View this message in context:
>> http://www.nabble.com/Single-Sign-Out-problem-tp24381456p24381456.html
>> Sent from the CAS Users mailing list archive at Nabble.com.
>>
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
> 

-- 
View this message in context: 
http://www.nabble.com/Single-Sign-Out-problem-tp24381456p24397198.html
Sent from the CAS Users mailing list archive at Nabble.com.
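
The back-channel step discussed in this thread (the CAS server posting a logout request that names the service ticket, and the client destroying the session cached for that ticket) can be modelled as below. This is an added example, not part of the original message and not the cas-client source; the class and method names, ticket values and session ids are constructed, and the message layout assumed is the SAML `LogoutRequest` that CAS sends in the `logoutRequest` form parameter, with the service ticket in `SessionIndex`. The second call shows that a logout request for a ticket the client never recorded leaves the session alive.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Simplified, hypothetical model of the ticket-to-session bookkeeping behind CAS single sign out.
public class SingleSignOutModel {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    // service ticket -> local session id, recorded when the browser returns with ?ticket=ST-...
    private final Map<String, String> ticketToSession = new ConcurrentHashMap<>();
    // stand-in for the servlet container's live sessions
    private final Map<String, Boolean> liveSessions = new ConcurrentHashMap<>();

    void recordLogin(String serviceTicket, String sessionId) {
        liveSessions.put(sessionId, true);
        ticketToSession.put(serviceTicket, sessionId);
    }

    // Handles the value of the logoutRequest parameter; returns the invalidated session id or null.
    String handleLogoutRequest(String logoutRequestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs so the parser cannot be used for external entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList idx = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(logoutRequestXml)))
                .getElementsByTagNameNS(SAMLP, "SessionIndex");
        if (idx.getLength() == 0) return null;
        String sessionId = ticketToSession.remove(idx.item(0).getTextContent().trim());
        if (sessionId == null) return null; // ticket never recorded here: the request is a no-op
        liveSessions.remove(sessionId);
        return sessionId;
    }

    boolean isLive(String sessionId) { return liveSessions.containsKey(sessionId); }

    static String logoutRequest(String ticket) { // constructed sample message
        return "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP + "\" ID=\"LR-1\" Version=\"2.0\""
             + " IssueInstant=\"2009-07-08T00:00:00Z\">"
             + "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID>"
             + "<samlp:SessionIndex>" + ticket + "</samlp:SessionIndex></samlp:LogoutRequest>";
    }

    public static void main(String[] args) throws Exception {
        SingleSignOutModel app = new SingleSignOutModel();
        app.recordLogin("ST-1-constructed", "SESSION-A");
        app.liveSessions.put("SESSION-B", true); // live session whose ticket was never recorded
        System.out.println(app.handleLogoutRequest(logoutRequest("ST-1-constructed")) + " live=" + app.isLive("SESSION-A"));
        System.out.println(app.handleLogoutRequest(logoutRequest("ST-2-constructed")) + " live=" + app.isLive("SESSION-B"));
    }
}
```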

