Scott,

Thanks for your reply. I have tried your suggestions without success.

I tried to disable the SamlService by removing Saml references in the CasArgumentExtractor, but CAS upon logout still issues this:

2010-01-29 10:40:28,528 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Sending logout request for: https://myserver/central/j_spring_cas_security_check>

How to prevent that? Or how to remove the SamlService altogether?

I've also replaced the older version of the CAS client (3.1.3) with the newer one (3.1.10). Still, I can't log back in after a logout.

I do have the CAS Single Sign Out Filter in the web-app, defined in the web.xml. Do I have to add the CAS Single Sign Out Filter in the Spring Security configuration file instead (or in addition to the web.xml)?

I do notice that with the new version of the CAS client, the log messages for the filter have changed to:

2010-01-29 10:41:21,324 DEBUG [org.jasig.cas.client.session.SingleSignOutFilter] - <No Artifact Provided; no action taking place.>

All the messages from the filter are the same as this. Should there be a different message when the user performs a logout?

Any further suggestions would be appreciated!

Thanks again,
Barry

________________________________
From: Scott Battaglia [[email protected]]
Sent: Thursday, January 28, 2010 10:06 PM
To: [email protected]
Subject: Re: [cas-user] Problem with CAS Logout / Spring Security with Concurrent-session-control

You can disable it on the CAS server (there should be a property on the CasArgumentExtractor (or the Saml one). However, you may wish to upgrade your CAS Client which might fix the session problem (I think older versions created sessions if one didn't exist with the Single Sign Out Filter). If you don't have the single sign out filter catching those messages that could also be a problem.

Cheers,
Scott

On Thu, Jan 28, 2010 at 1:38 PM, Barry Silk <[email protected]> wrote:

I am having a problem that I've struggled with for the past couple of days.
Not sure whether this is a CAS issue or a Spring Security issue, but I have a feeling it might be CAS.

The problem is logging out from a CAS client that is configured with Spring Security (2.0.2) limiting the user to one concurrent session and then trying to log back in. I have posted the details of the Spring Security configuration and logs to the Spring Security forum: http://forum.springsource.org/showthread.php?t=83840

I have been using CAS (3.2.1) without any problems for about a year. However, a new requirement requires that I limit each user to one login session. I changed the Spring Security configuration with the following element:

<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>

As expected, this does not permit the user to login to the web-app with an active session open. The problem is, even after logging out from the web-app, Spring Security still thinks the session is open.

During logout, after the user's session has been destroyed by Spring Security's HttpSessionEventPublisher:

13:06:08,068 DEBUG [org.springframework.security.ui.session.HttpSessionEventPublisher] - <Publishing event: org.springframework.security.ui.session.httpsessiondestroyedevent[source=weblogic.servlet.internal.session.replicatedsessiond...@2b1475d]>

But, then, it appears to get re-established during the CAS logout process by the SamlService, before removing the CASTGC cookie:

13:06:08,146 DEBUG [org.jasig.cas.authentication.principal.SamlService] - <Sending logout request for: https://myserver/central/j_spring_cas_security_check>
13:06:08,146 DEBUG [org.jasig.cas.util.HttpClient] - <Attempting to access https://myserver/central/j_spring_cas_security_check>
13:06:13,286 ERROR [org.jasig.cas.util.HttpClient] - <java.net.SocketTimeoutException: Read timed out>

Then, the CASTGC cookie gets removed:

13:06:13,724 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASTGC]>

And then, the session appears to get re-established with the SamlService logout request:

2010-01-28 13:06:13,880 DEBUG [org.springframework.security.util.FilterChainProxy] - </j_spring_cas_security_check at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'>
2010-01-28 13:06:13,880 DEBUG [org.springframework.security.ui.session.HttpSessionEventPublisher] - <Publishing event: org.springframework.security.ui.session.httpsessioncreatedevent[source=weblogic.servlet.internal.session.replicatedsessiond...@2b9cd26]>

So, when I try to login again, first CAS authenticates, then Spring Security rejects the authenticated user because it appears the session is active.

My questions are:
- Can the SamlService logout request be causing this problem?
- How do I configure CAS not to issue that SamlService logout request during a CAS logout?

Thanks, any help would be greatly appreciated.

Barry Silk

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
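The thread turns on what the CAS client's single sign-out filter does with the back-channel logout request the CAS server sends to the service URL, and on why the filter logs "No Artifact Provided; no action taking place." The following is an added Python model of that three-way decision, written for this page and not taken from the jasig CAS client or from either poster: a request carrying the `ticket` parameter maps the service ticket to the application session, a POST carrying the `logoutRequest` parameter (a SAML LogoutRequest whose `SessionIndex` holds the ticket) invalidates the mapped session, and a request carrying neither is ignored with exactly that log message. The parameter names follow the CAS single sign-out protocol; the class names, session ids, ticket value and the LogoutRequest XML are constructed for the example.

```python
# Added example: Python model of the CAS client's single sign-out decision logic.
# Not the jasig code itself; session ids, ticket and the XML below are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

NO_ARTIFACT = "No Artifact Provided; no action taking place."


class SessionMappingStorage:
    """Service ticket -> application session id, the role the CAS client's
    session mapping storage plays (constructed model, not the client's class)."""

    def __init__(self) -> None:
        self._session_by_ticket: Dict[str, str] = {}

    def add(self, ticket: str, session_id: str) -> None:
        self._session_by_ticket[ticket] = session_id

    def remove_by_ticket(self, ticket: str) -> Optional[str]:
        return self._session_by_ticket.pop(ticket, None)


def session_index_from_logout_request(xml_text: str) -> Optional[str]:
    """Extract the service ticket from the SAML LogoutRequest posted in the
    logoutRequest parameter: it is the text of the <samlp:SessionIndex> element."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "SessionIndex":  # tolerate any namespace prefix
            return (element.text or "").strip() or None
    return None


class SingleSignOutFilterModel:
    """The decision made on every request reaching the CAS-protected application."""

    def __init__(self, storage: SessionMappingStorage,
                 artifact_param: str = "ticket", logout_param: str = "logoutRequest") -> None:
        self.storage = storage
        self.artifact_param = artifact_param
        self.logout_param = logout_param

    def do_filter(self, method: str, params: Dict[str, str],
                  session_id: Optional[str], active_sessions: Set[str]) -> str:
        ticket = params.get(self.artifact_param)
        if ticket is not None and session_id is not None:
            # Login leg: remember which application session this service ticket produced.
            self.storage.add(ticket, session_id)
            return "recorded %s -> %s" % (ticket, session_id)
        logout_xml = params.get(self.logout_param)
        if method == "POST" and logout_xml is not None:
            # Back-channel single sign-out: the CAS server, not the browser, sends this,
            # so there is no session cookie; the ticket mapping finds the session to kill.
            ticket = session_index_from_logout_request(logout_xml)
            victim = self.storage.remove_by_ticket(ticket) if ticket else None
            if victim is None:
                return "logout request for unknown ticket %r ignored" % ticket
            active_sessions.discard(victim)
            return "invalidated %s" % victim
        # Neither parameter present: nothing for the filter to act on.
        return NO_ARTIFACT


# Constructed LogoutRequest in the shape the CAS single sign-out protocol uses.
LOGOUT_REQUEST_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-constructed-1" Version="2.0" IssueInstant="2010-01-28T13:06:08Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def run_scenario() -> Tuple[List[str], Set[str]]:
    """Login with a ticket, back-channel logout, then a request carrying neither parameter."""
    storage = SessionMappingStorage()
    filt = SingleSignOutFilterModel(storage)
    active: Set[str] = {"s1"}  # the container already holds session "s1" for the browser
    log = []
    # 1. Browser returns from CAS to the service URL with a service ticket.
    log.append(filt.do_filter("GET", {"ticket": "ST-1-constructed"}, "s1", active))
    # 2. CAS server POSTs the LogoutRequest to the service URL during logout.
    log.append(filt.do_filter("POST", {"logoutRequest": LOGOUT_REQUEST_XML}, None, active))
    # 3. A POST with neither parameter: the filter logs "no action" and sessions stay as they are.
    log.append(filt.do_filter("POST", {}, None, active))
    return log, active


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

The third step reproduces the condition behind the SingleSignOutFilter log line quoted in the thread: if every request the filter sees lacks both `ticket` and `logoutRequest`, it never records a ticket-to-session mapping and never invalidates anything, so the filter's own log is a quick check of whether the login leg and the server's logout POST actually reach it with those parameters intact.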
