I am having a problem that I've struggled with for the past couple of days. Not sure whether this is a CAS issue or a Spring Security issue, but I have a feeling it might be CAS. The problem is logging out from a CAS client that is configured with Spring Security (2.0.2) limiting the user to one concurrent session and then trying to log back in. I have posted the details of the Spring Security configuration and logs to the Spring Security forum:

http://forum.springsource.org/showthread.php?t=83840

I have been using CAS (3.2.1) without any problems for about a year. However, a new requirement requires that I limit each user to one login session. I changed the Spring Security configuration with the following element:

<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>

As expected, this does not permit the user to log in to the web-app with an active session open. The problem is, even after logging out from the web-app, Spring Security still thinks the session is open.

During logout, after the user's session has been destroyed by Spring Security's HttpSessionEventPublisher:

13:06:08,068 DEBUG [org.springframework.security.ui.session.HttpSessionEventPublisher] - <Publishing event: org.springframework.security.ui.session.httpsessiondestroyedevent[source=weblogic.servlet.internal.session.replicatedsessiond...@2b1475d]>

it appears to get re-established during the CAS logout process by the SamlService, before the CASTGC cookie is removed:

13:06:08,146 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Sending logout request for: https://myserver/central/j_spring_cas_security_check>
13:06:08,146 DEBUG [org.jasig.cas.util.HttpClient] - <Attempting to access https://myserver/central/j_spring_cas_security_check>
13:06:13,286 ERROR [org.jasig.cas.util.HttpClient] - <java.net.SocketTimeoutException: Read timed out>

Then the CASTGC cookie gets removed:

13:06:13,724 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASTGC]>

And then the session appears to get re-established by the SamlService logout request:

2010-01-28 13:06:13,880 DEBUG [org.springframework.security.util.FilterChainProxy] - </j_spring_cas_security_check at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'>
2010-01-28 13:06:13,880 DEBUG [org.springframework.security.ui.session.HttpSessionEventPublisher] - <Publishing event: org.springframework.security.ui.session.httpsessioncreatedevent[source=weblogic.servlet.internal.session.replicatedsessiond...@2b9cd26]>

So, when I try to log in again, CAS authenticates first, then Spring Security rejects the authenticated user because it appears the session is active.

My questions are:

- Could the SamlService logout request be causing this problem?
- How do I configure CAS not to issue that SamlService logout request during a CAS logout?

Thanks, any help would be greatly appreciated.

Barry Silk
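An added example, not code from the post, from CAS or from Spring Security: a servlet filter mapped in web.xml ahead of Spring Security's FilterChainProxy, so that the back-channel logout POST (CAS's SamlService sends a SAML LogoutRequest in the `logoutRequest` form parameter, with the service ticket as its SessionIndex) is answered before any session-creating filter sees it. The `registerTicket` hook and the in-memory, single-node ticket-to-session map are assumptions; a clustered WebLogic deployment would need a shared store.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class CasSingleLogoutFilter implements Filter {
    // Assumption: a single-node map from CAS service ticket to the HttpSession it logged in.
    private static final ConcurrentHashMap<String, HttpSession> SESSIONS =
            new ConcurrentHashMap<String, HttpSession>();
    /** Hypothetical hook: call this once the service ticket has been validated for this session. */
    public static void registerTicket(String ticket, HttpSession session) { SESSIONS.put(ticket, session); }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String logoutRequest = request.getParameter("logoutRequest");
        if (!"POST".equals(request.getMethod()) || logoutRequest == null) {
            chain.doFilter(req, res); // ordinary request: hand it to Spring Security as usual
            return;
        }
        // Back-channel logout from CAS: end the matching session and stop here, so the request
        // never reaches HttpSessionContextIntegrationFilter and is never given a new session.
        HttpSession session = SESSIONS.remove(extractSessionIndex(logoutRequest));
        if (session != null) {
            try { session.invalidate(); } catch (IllegalStateException alreadyInvalid) { }
        }
        ((HttpServletResponse) res).setStatus(HttpServletResponse.SC_OK);
    }
    /** SessionIndex (the service ticket) from the SAML LogoutRequest; DTDs refused to block XXE. */
    static String extractSessionIndex(String xml) throws ServletException {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setNamespaceAware(true);
            Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            NodeList n = doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:protocol", "SessionIndex");
            return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
        } catch (Exception e) {
            throw new ServletException("malformed logoutRequest", e);
        }
    }
}
```

Invalidating the session fires HttpSessionEventPublisher's destroyed event, so the concurrent-session registry is cleared the same way an ordinary logout clears it, and the next login is no longer counted as a second session.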
