Hi, I just thought I'd post this in case it's interesting to the CAS developers. I've been evaluating CAS for a new project and setting up a demonstration on my local machine. I'm using CAS 3.3.5 integrated with Spring Security 2.0.5, following the configuration example given at http://mattfleming.com/node/269. I set up everything following the demo instructions at http://www.ja-sig.org/wiki/display/CASUM/Demo and everything worked fine, single-sign-on and single-sign-out. I then repeated the exercise on another machine, but didn't put the CAS server webapp behind HTTPS; I left it on 8080. I realise that this is insecure, but I was just checking to see if I could repeat the demo setup on another machine. I found that single-sign-on worked fine, but that single-sign-out stopped working. Some inspection of the TCP traffic showed that, under this second configuration, the logout request is *not* sent by the CAS service to registered services.
I.e., when CAS is behind HTTPS then I see requests like

POST /my-app/j_spring_cas_security_check;jsessionid=1441FABE23628F2B1A8D95C9E32F1B58 HTTP/1.1
Content-Length: 470
Content-Type: application/x-www-form-urlencoded
User-Agent: Java/1.6.0_16
Host: localhost:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-FB660PxuTb6xZoYLsAJdYFpgdx9XsFH0U6B%22+Version%3D%222.0%22+IssueInstant%3D%222010-02-24T10%3A03%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-AxoKlc22anaKaq0fvAO7-cas%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E

... but when CAS is on HTTP I see no such requests. This may be by design, but I thought I'd drop a note in case it's interesting.

Thanks for the great work.

Regards,
Alistair
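As an added example (not part of the original post, and not CAS or Spring Security code), here is what a registered service has to do with the logoutRequest body captured above: URL-decode the form parameter, parse the SAML LogoutRequest, and drop the local session that was created when the named service ticket was validated. The ticket-to-session map is a constructed stand-in for the service's own session registry.

```python
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

# Namespaces used by the CAS single-logout message (SAML 2.0 protocol / assertion).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The POST body captured from the HTTPS run (form-encoded logoutRequest parameter).
CAPTURED_BODY = (
    "logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames"
    "%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-FB660PxuTb6xZoYLsAJdYFpgdx9XsFH0U6B%22"
    "+Version%3D%222.0%22+IssueInstant%3D%222010-02-24T10%3A03%3A21Z%22%3E%3Csaml%3ANameID"
    "+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED"
    "%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-AxoKlc22anaKaq0fvAO7-cas"
    "%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E"
)


def parse_logout_request(form_body: str) -> dict:
    """Decode the form body and extract ID, IssueInstant and SessionIndex from the LogoutRequest."""
    params = urllib.parse.parse_qs(form_body, strict_parsing=True)
    if "logoutRequest" not in params:
        raise ValueError("no logoutRequest parameter in body")
    xml_text = params["logoutRequest"][0]  # parse_qs turns '+' into spaces and undoes %XX
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    idx = root.find("samlp:SessionIndex", NS)
    if idx is None or not idx.text:
        raise ValueError("LogoutRequest carries no SessionIndex")
    # In CAS the SessionIndex is the service ticket that was validated for this service.
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "service_ticket": idx.text.strip(),
    }


def handle_single_logout(form_body: str, ticket_to_session: dict) -> Optional[str]:
    """Invalidate the local session tied to the ticket; returns the session id removed, or None.

    ticket_to_session is a hypothetical registry mapping validated service ticket -> local session id."""
    req = parse_logout_request(form_body)
    return ticket_to_session.pop(req["service_ticket"], None)
```

A service that never receives this POST (the HTTP case described above) keeps its local session alive until it times out, which is the symptom Alistair observed.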
