It seems you didn't add the casLogoutFilter in your config:

13:06:13,286 ERROR [org.jasig.cas.util.HttpClient] - <java.net.SocketTimeoutException: Read timed out>

This is the CAS single logout POST request from the CAS server to your CAS service URL. It seems it doesn't get accepted but is ignored within your app.

I recommend adding the SingleSignOutFilter to your web.xml and a pgt storage (if not done yet):

web.xml:

    <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>

(add a corresponding filter mapping, which at least maps to your CAS service URL)

and add the SingleSignOutHttpSessionListener to web.xml:

    <listener>
      <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

Spring config:

    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

(Add this proxyGrantingTicketStorage to the casAuthenticationFilter as a property, if not done yet.)

I have used this config since Spring Security 2.x and it works. With this config, CAS posts the CAS logout XML to your app and the filter logs out the user.

Unfortunately, there doesn't exist complete documentation for the CAS client with Spring AND Spring Security (or I haven't found it yet). The documentation in the CAS wiki is for Spring _only_ (without Spring Security, and it isn't using any Spring Framework CAS classes like org.springframework.security.cas.web.CasProcessingFilter). The documentation provided by SpringSource misses the CAS single logout config described above. But in the Spring CAS client example, you can find a working configuration. See http://jira.springframework.org/browse/SEC-937 for details.

It would be great if one could add a HowTo to the CAS wiki which describes how to configure CAS+Spring+Spring Security.

Robert

On 28.01.2010 at 19:38, Barry Silk wrote:

> I am having a problem that I've struggled with for the past couple of days.
> Not sure whether this is a CAS issue or a Spring Security issue, but I have a
> feeling it might be CAS. The problem is logging out from a CAS client that
> is configured with Spring Security (2.0.2) limiting the user to one
> concurrent session and then trying to log back in. I have posted the details
> of the Spring Security configuration and logs to the Spring Security forum:
>
> http://forum.springsource.org/showthread.php?t=83840
>
> I have been using the CAS (3.2.1) without any problems for about a year.
> However, a new requirement requires that I limit each user to one login
> session. I changed the Spring Security configuration with the following
> element:
>
> <concurrent-session-control max-sessions="1"
>     exception-if-maximum-exceeded="true"/>
>
> As expected, this does not permit the user to log in to the web-app with an
> active session open. The problem is, even after logging out from the
> web-app, Spring Security still thinks the session is open. During logout,
> after the user's session has been destroyed by Spring Security's
> HttpSessionEventPublisher:
>
> 13:06:08,068 DEBUG
> [org.springframework.security.ui.session.HttpSessionEventPublisher] -
> <Publishing event:
> org.springframework.security.ui.session.httpsessiondestroyedevent[source=weblogic.servlet.internal.session.replicatedsessiond...@2b1475d]>
> But, then, it appears to get re-established during the CAS logout process by
> the SamlService, before removing the CASTGC cookie:
>
