Hi,
I have set up CAS with Spring Security for my application. It seems to work
fine, except that I can't for the life of me figure out how to log out. When I
close my browser this happens automatically and I am asked for my password
again. But how do I create a hyperlink that will log me out completely? I
have tried invalidating the session in the usual JSP way. I have also added
the SingleSignOut filter to my web.xml, as described here:
http://www.ja-sig.org/wiki/display/CASC/Configuring+Single+Sign+Out
I have tried calling URLs like:
https://localhost:8080/myapp/j_spring_security_logout
https://localhost:8080/cas/j_spring_security_logout
but nothing really happens. When I call https://localhost:8080/cas/logout I
get a message saying that I have been logged out and should close the browser
window for security reasons, but when I go back into myapp it is still logged
in.
The only way to log out currently seems to be to close the browser window. Can
anyone please give me some hints?
I have attached my configuration files, I really need help on this.
Thanks,
Ravi
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!--
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="inMemoryDaoImpl"/>
<property name="saltSource" ref="saltSource"/>
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>-->
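<!--
  Web security for the whole application. Unauthenticated requests are sent
  to CAS through casEntryPoint; the service ticket on the callback request is
  consumed by casProcessingFilter at the CAS_FILTER position.

  <logout/> registers Spring Security's LogoutFilter, which is not present
  unless it is declared (this <http> element does not use auto-config). A
  request to <context>/j_spring_security_logout then invalidates the local
  HttpSession and clears the security context before redirecting to the CAS
  logout page, which ends the single sign-on session. Both steps are needed:
  ending only the local session lets CAS sign the user straight back in, and
  ending only the CAS session leaves the local session authenticated.
-->
<http entry-point-ref="casEntryPoint">
  <!--<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>-->
  <!-- Rules are evaluated top to bottom and the first match wins, so the
       specific pattern has to precede the catch-all to have any effect. -->
  <intercept-url pattern="/controlservlet**" access="ROLE_USER" />
  <intercept-url pattern="/**" access="ROLE_USER" />
  <logout logout-success-url="https://localhost:8080/cas/logout" />
  <custom-filter position="CAS_FILTER" ref="casProcessingFilter" />
  <!--<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter"/>-->
</http>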
<!--
  Filter referenced from <http> at the CAS_FILTER position. It passes the
  service ticket that CAS appends to the callback request to the
  authenticationManager for validation.
-->
<beans:bean class="org.springframework.security.cas.web.CasAuthenticationFilter"
            id="casProcessingFilter">
  <beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<!-- Publishes the authentication manager under the bean name used by the CAS
     filter; CAS ticket validation is its only provider. -->
<authentication-manager alias="authenticationManager">
  <authentication-provider ref="casAuthenticationProvider" />
</authentication-manager>
<!--
  Validates CAS service tickets against the CAS server using the CAS 2.0
  protocol, then loads the local user record through userService.
  The validator's constructor argument is the CAS server URL prefix. It is an
  https URL, so the JVM running this application has to trust the CAS
  server certificate or ticket validation will fail.
  "key" identifies tokens issued by this provider and only needs to be
  unique to it.
-->
<beans:bean class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
            id="casAuthenticationProvider">
  <beans:property name="serviceProperties" ref="serviceProperties" />
  <beans:property name="userDetailsService" ref="userService" />
  <beans:property name="ticketValidator">
    <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
      <beans:constructor-arg index="0" value="https://localhost:8080/cas" />
    </beans:bean>
  </beans:property>
  <beans:property name="key" value="an_id_for_this_auth_provider_only" />
</beans:bean>
<!-- Project-specific user details service backed by the JDBC dataSource.
     NOTE(review): presumably supplies the ROLE_USER authority that the
     intercept-url rules require; confirm in MyUserDetailsService. -->
<beans:bean class="MyUserDetailsService" id="userService">
  <beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<!--
  Pooled JDBC connection to the local MySQL schema that holds the user data.
  destroy-method closes the pool when the application context shuts down.

  NOTE(review): the application connects as the MySQL "root" account and the
  password is stored in clear text in this file. Use a dedicated account
  limited to the privileges this schema needs, load the credentials from
  outside the WAR (property placeholder, JNDI resource or a secrets store),
  and change the password: a value that has been shared inside a
  configuration file should be treated as disclosed.
-->
<beans:bean class="org.apache.commons.dbcp.BasicDataSource"
            destroy-method="close"
            id="dataSource">
  <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
  <beans:property name="url" value="jdbc:mysql://localhost:3306/know_users" />
  <beans:property name="username" value="root" />
  <beans:property name="password" value="fi$hcake" />
</beans:bean>
<!--
  Describes this application to CAS. "service" is the callback URL to which
  CAS redirects with the service ticket; it has to be the exact external URL
  at which the CAS authentication filter listens
  (/j_spring_cas_security_check).
  sendRenew=false accepts an existing single sign-on session, so a user whose
  local session has ended while the CAS session is still alive is signed in
  again without being asked for a password.
  NOTE(review): the context path used here is /k-forms; confirm that this is
  the path the application is actually deployed under.
-->
<beans:bean class="org.springframework.security.cas.ServiceProperties"
            id="serviceProperties">
  <beans:property name="service"
                  value="https://localhost:8080/k-forms/j_spring_cas_security_check" />
  <beans:property name="sendRenew" value="false" />
</beans:bean>
<!--<beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>-->
<!-- Entry point named by <http entry-point-ref>: redirects unauthenticated
     requests to the CAS login page, passing the service URL taken from
     serviceProperties. -->
<beans:bean class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
            id="casEntryPoint">
  <beans:property name="loginUrl" value="https://localhost:8080/cas/login" />
  <beans:property name="serviceProperties" ref="serviceProperties" />
</beans:bean>
</beans:beans><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<!-- Element order matters in this descriptor: the web-app 2.3 DTD fixes the
     order of the element types, and filters run in the order of their
     <filter-mapping> entries. -->
<display-name>MyApp</display-name>

<!-- Spring application context files loaded at startup by
     ContextLoaderListener. -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/applicationContext*.xml
  </param-value>
</context-param>

<!-- log4j configuration read by Log4jConfigListener. -->
<context-param>
  <param-name>log4jConfigLocation</param-name>
  <param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>

<!-- Name of the system property under which the web application root
     directory is published. -->
<context-param>
  <param-name>webAppRootKey</param-name>
  <param-value>tutorial.root</param-value>
</context-param>
<!-- Filter declarations. The order here has no effect on invocation order;
     that is decided by the <filter-mapping> entries. -->

<!-- Delegates to the Spring bean named springSecurityFilterChain, which the
     security namespace configuration creates. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<!-- CAS client filter that ties service tickets to HTTP sessions and
     invalidates the matching session when CAS sends a logout request. -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
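<!--
  Filters are invoked in the order of these <filter-mapping> entries.
  The CAS single sign-out filter has to run before the Spring Security chain:
  it must see the service ticket on the login callback in order to link it to
  the HttpSession, and it must receive the logout request that the CAS server
  posts to this application before Spring Security treats that request as
  unauthenticated and redirects it. When it is mapped after the chain, the
  local session is never invalidated when the user signs out at CAS.
-->
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>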
<!-- Removes a session from the CAS single sign-out bookkeeping when the
     container destroys it. -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- Loads the root application context of this web application at startup.
     It can then be obtained through
     WebApplicationContextUtils.getWebApplicationContext(servletContext). -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Publishes session creation and destruction events to the application
     context. Optional unless concurrent session control is in use. -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- Initialises log4j from the log4jConfigLocation context parameter. -->
<listener>
  <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>

<!-- Application-specific listeners; their behaviour is not visible in this
     descriptor. -->
<listener>
  <listener-class>uk.co.myapp.search.KToolsAppInitializer</listener-class>
</listener>
<listener>
  <listener-class>uk.co.myapp.session.SessionListener</listener-class>
</listener>
<!-- Application controller servlet, created at startup (load-on-startup 1)
     and reachable at /controlservlet. -->
<servlet>
  <servlet-name>ControlServlet</servlet-name>
  <servlet-class>command.ControlServlet</servlet-class>
  <init-param>
    <param-name>clientName</param-name>
    <param-value>talkback</param-value>
  </init-param>
  <init-param>
    <param-name>themeName</param-name>
    <!-- Earlier value, kept for reference: -->
    <!--<param-value>Theme</param-value>-->
    <param-value>myTheme</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
  <servlet-name>ControlServlet</servlet-name>
  <url-pattern>/controlservlet</url-pattern>
</servlet-mapping>
<!-- Page served for requests to the context root. -->
<welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

<!-- Maps the XSL tag library URI to the descriptor packaged under WEB-INF. -->
<taglib>
  <taglib-uri>http://jakarta.apache.org/taglibs/xsl-1.0</taglib-uri>
  <taglib-location>/WEB-INF/taglibs-xsl.tld</taglib-location>
</taglib>
</web-app>