You can disable it on the CAS server (there should be a property on the
CasArgumentExtractor (or the Saml one)).

However, you may wish to upgrade your CAS Client, which might fix the session
problem (I think older versions created sessions if one didn't exist with
the Single Sign Out Filter). If you don't have the single sign out filter
catching those messages, that could also be a problem.

Cheers,
Scott


On Thu, Jan 28, 2010 at 1:38 PM, Barry Silk <[email protected]> wrote:

> I am having a problem that I've struggled with for the past couple of
> days.  Not sure whether this is a CAS issue or a Spring Security issue, but
> I have a feeling it might be CAS.  The problem is logging out from a CAS
> client that is configured with Spring Security (2.0.2) limiting the user to
> one concurrent session and then trying to log back in. I have posted the
> details of the Spring Security configuration and logs to the Spring Security
> forum:
>
> http://forum.springsource.org/showthread.php?t=83840
>
> I have been using the CAS (3.2.1) without any problems for about a year.
> However, a new requirement requires that I limit each user to one login
> session.  I changed the Spring Security configuration with the following
> element:
>
> <concurrent-session-control max-sessions="1"
> exception-if-maximum-exceeded="true"/>
>
> As expected, this does not permit the user to login to the web-app with an
> active session open.  The problem is, even after logging out from the
> web-app, Spring Security still thinks the session is open.  During logout,
> after the user's session has been destroyed by Spring Security's
> HttpSessionEventPublisher:
>
> 13:06:08,068 DEBUG
> [org.springframework.security.ui.session.HttpSessionEventPublisher] -
> <Publishing event:
> org.springframework.security.ui.session.httpsessiondestroyedevent[source=weblogic.servlet.internal.session.replicatedsessiond...@2b1475d
> ]>
> But then, it appears to get re-established during the CAS logout process
> by the SamlService, before removing the CASTGC cookie:
>
> 13:06:08,146 DEBUG [org.jasig.cas.authentication.principal.SamlService] -
> <Sending logout request for:
> https://myserver/central/j_spring_cas_security_check>
> 13:06:08,146 DEBUG [org.jasig.cas.util.HttpClient] - <Attempting to access
> https://myserver/central/j_spring_cas_security_check>
> 13:06:13,286 ERROR [org.jasig.cas.util.HttpClient] -
> <java.net.SocketTimeoutException: Read timed out>
>
> Then, the CASTGC cookie gets removed:
>
> 13:06:13,724 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed
> cookie with name [CASTGC]>
>
> And then, the session appears to get re-established with the SamlService
> logout request:
>
> 2010-01-28 13:06:13,880 DEBUG
> [org.springframework.security.util.FilterChainProxy] -
> </j_spring_cas_security_check at position 3 of 9 in additional filter chain;
> firing Filter:
> 'org.springframework.security.context.HttpSessionContextIntegrationFilter[
> order=200; ]'>
> 2010-01-28 13:06:13,880 DEBUG
> [org.springframework.security.ui.session.HttpSessionEventPublisher] -
> <Publishing event:
> org.springframework.security.ui.session.httpsessioncreatedevent[source=weblogic.servlet.internal.session.replicatedsessiond...@2b9cd26
> ]>
>
> So, when I try to login again, first CAS authenticates, then Spring
> Security rejects the authenticated user because it appears the session is
> active.
>
> My questions are:
>
> - Can the SamlService logout request be causing this problem?
>
> - How do I configure CAS not to issue that SamlService logout request
> during a CAS logout?
>
> Thanks and help would be greatly appreciated.
>
> Barry Silk
>
>  --
> You are currently subscribed to [email protected] as: 
> [email protected]
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>

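To make concrete what Scott means by a single sign out filter "catching those messages", here is an added, illustrative servlet filter written for this thread. It is not the Jasig CAS client's own SingleSignOutFilter and not code from either poster. It assumes the CAS server POSTs its back-channel logout to the service URL as a `logoutRequest` parameter carrying a SAML LogoutRequest whose `SessionIndex` element holds the service ticket, and that the ticket was seen earlier on the front-channel `ticket` parameter. The class name, the `SESSIONS_BY_TICKET` registry and the sample message in `main` are constructed for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative single sign-out filter (constructed for this thread; not the
 * Jasig CAS client's class). It must sit in front of the CAS authentication
 * filter so a server-initiated logout never reaches the filters that would
 * create a fresh session for the caller.
 */
public class IllustrativeSingleSignOutFilter implements Filter {

    // service ticket -> HttpSession it established (assumption: one JVM; a
    // clustered deployment would need a shared store, as the thread's
    // replicated WebLogic sessions suggest)
    static final Map<String, HttpSession> SESSIONS_BY_TICKET = new ConcurrentHashMap<>();

    // SessionIndex element of the SAML LogoutRequest; the namespace prefix
    // is optional so "samlp:" or an unprefixed element both match
    private static final Pattern SESSION_INDEX =
        Pattern.compile("<(?:\\w+:)?SessionIndex>\\s*([^<\\s]+)\\s*</(?:\\w+:)?SessionIndex>");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String logoutRequest = request.getParameter("logoutRequest");

        if ("POST".equalsIgnoreCase(request.getMethod()) && logoutRequest != null) {
            // Back-channel logout from the CAS server. Deliberately never call
            // request.getSession(): that is exactly how an empty session gets
            // re-created during logout. Invalidate the mapped one and stop.
            String ticket = extractSessionIndex(logoutRequest);
            if (ticket != null) {
                HttpSession session = SESSIONS_BY_TICKET.remove(ticket);
                if (session != null) {
                    try {
                        session.invalidate();   // fires HttpSessionDestroyedEvent for Spring Security
                    } catch (IllegalStateException alreadyInvalid) {
                        // session was already gone; nothing to do
                    }
                }
            }
            return;   // respond promptly so the CAS server's HttpClient does not time out
        }

        String ticket = request.getParameter("ticket");
        if (ticket != null) {
            // Front-channel ticket validation: remember which session this ticket belongs to
            SESSIONS_BY_TICKET.put(ticket, request.getSession(true));
        }
        chain.doFilter(req, res);
    }

    /** Returns the SessionIndex value (the service ticket) or null when absent. */
    static String extractSessionIndex(String logoutRequest) {
        Matcher m = SESSION_INDEX.matcher(logoutRequest);
        return m.find() ? m.group(1) : null;
    }

    // Stand-alone check of the parsing step on a constructed logout message.
    public static void main(String[] args) {
        String sample = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
            + " ID=\"ID-constructed\" Version=\"2.0\" IssueInstant=\"2010-01-28T13:06:08Z\">"
            + "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID>"
            + "<samlp:SessionIndex>ST-constructed-example</samlp:SessionIndex>"
            + "</samlp:LogoutRequest>";
        System.out.println(extractSessionIndex(sample));   // ST-constructed-example
    }
}
```

Two points in this shape matter for the symptom in the thread: the logout branch returns without touching `getSession()`, so no `HttpSessionCreatedEvent` is published for the `j_spring_cas_security_check` callback, and it answers immediately, so the server-side `SamlService` request completes instead of timing out. A production filter would also drop registry entries when a session is destroyed for any other reason (an `HttpSessionListener` is the usual place), otherwise the map keeps references to dead sessions.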
