I am not seeing any SSL errors in either the CAS log or our proxy access log.
The only errors I see are:

2010-06-28 09:08:32,056 ERROR [org.jasig.cas.util.HttpClient] - java.net.SocketTimeoutException: Read timed out

However, I still believe the certs could be the problem.

Thanks,

Bryan Wooten
UIT Systems Administrator
University of Utah
[email protected]
Work: 801.585.9323
Cell: 801.414.3593

-----Original Message-----
From: Joachim Fritschi [mailto:[email protected]]
Sent: Monday, June 28, 2010 9:52 AM
To: [email protected]
Subject: Re: [cas-user] Question about CAS login/logout - Show stopper

Please check that your Sign-Out request works by examining the logs on both server (ssl errors) and client (access log). The cas server has to initiate an ssl connection to your app server. This requires trusted certificates on your application server that are recognized by the cas server.

Any CAS since 3.1 should be fine.

https://wiki.jasig.org/display/CASUM/Single+Sign+Out

Please check both server logs for the sign-out calls. My first guess would be no https or unknown certificates on the app server.

Cheers,

Joachim

On 28.06.2010 17:20, Bryan Wooten wrote:
> Thanks for reply. The testers get the login the second time by simply going
> to the CAS login page directly. Yes the login page recognizes the previous
> login, so they do a logout and then login as the second user.
>
> I have added the following to my web.xml:
>
> <!-- CAS:START - Java Client Single Sign Out Listener -->
> <listener>
>   <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
> </listener>
> <!-- CAS:END -->
> <filter>
>   <filter-name>CasSingleSignOutFilter</filter-name>
>   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
> </filter>
> <filter-mapping>
>   <filter-name>CasSingleSignOutFilter</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> But the test yields the same results.
>
> Our CAS server is 3.2.? Do we need to upgrade the CAS server?
>
> Thanks for your help.
>
> Bryan Wooten
> UIT Systems Administrator
> University of Utah
> [email protected]
> Work: 801.585.9323
> Cell: 801.414.3593
>
> -----Original Message-----
> From: Joachim Fritschi [mailto:[email protected]]
> Sent: Monday, June 28, 2010 8:22 AM
> To: [email protected]
> Subject: Re: [cas-user] Question about CAS login/logout - Show stopper
>
> How do you get to login a second time? If i hit the CAS server a second
> time while i still have a valid CAS session i will never see a prompt
> but just the message "Log In Successful" or the usual sso autologin for
> any casified app. To change my identity i have to /logout and then hit a
> new /login page.
>
> What you might experience is some kind of nasty overlap of local
> sessions vs. CAS (TGT Session) and maybe disabled sso for the service ?
> A "normal" casified application will not refresh your cas-authenticated
> session unless you trigger it manually (renew=true). The "client
> session" is not really dependent on any existing CAS session and is
> created during the initial login process for the client application.
> It also depends on your casified application itself that might have
> their own session handling.
>
> The only way a dependency between the CAS session and the
> "client-session" can be created is a working single sign-out connector
> between your cas server and your local applications. Destroying a CAS
> session will then kill _all_ session casified apps that have single
> sign-out enabled.
>
> Switching with single sign-out would then work like this:
>
> - hit app1
> - redirect to cas login as user1
> - work as user 1
> - hit the /logout url
> - CAS server broadcasts the logout to all apps
> - all cas clients that have a single sign-out implemented kill local
>   sessions
> - you can hit any cas app
> - redirect to cas and login as user2
>
> Another solution without single sign-out is closing the browser as a
> quick and dirty solution since cas default cookies are only session
> cookies.
> This might only be a problem if some of your apps have persistent
> cookies that cache the authentication.
>
> Cheers,
>
> Joachim
>
> On 28.06.2010 15:47, Bryan Wooten wrote:
>> Yes, I understand that Firefox shares cookies between tabs (and
>> instances) while IE only shares cookies between tabs.
>>
>> The behavior I described below is quite disconcerting to our testers. So
>> is this test:
>>
>> 1. Login into CAS as user1 and goto Application
>>
>> 2. Open new tab
>>
>> 3. Login into CAS as user2
>>
>> 4. Goto application in new tab - you are still user one!
>>
>> 5.
>>
>> This is true for both IE and Firefox. This behavior will be a show
>> stopper for us. It is imperative we maintain the behavior our users
>> expect. If I do the same test logging into our Peoplesoft portal the
>> application will always see the user as the second login. This is the
>> behavior I also would expect. (i.e. last login wins)
>>
>> Is something mis-configured on our CAS server?
>>
>> I thought I could change this behavior by setting "useSession = false"
>> in the Cas20ProxyReceivingTicketValidationFilter but that completely
>> broke the application. Firefox detected an endless redirect loop and
>> stopped. In IE I could see the endless loop in my log files.
>>
>> Thanks for any help on this.
>>
>> Here is my web.xml:
>>
>> <filter>
>>   <filter-name>CAS Authentication Filter</filter-name>
>>   <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>>   <init-param>
>>     <param-name>casServerLoginUrl</param-name>
>>     <param-value>https://xxx.utah.edu/cas/login</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>service</param-name>
>>     <param-value>https://guide/uofu/stu/GraduateTracking</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>serverName</param-name>
>>     <param-value>https://guide</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>artifactParameterName</param-name>
>>     <param-value>ticket</param-value>
>>   </init-param>
>> </filter>
>>
>> <filter>
>>   <filter-name>CAS Validation Filter</filter-name>
>>   <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>>   <init-param>
>>     <param-name>casServerUrlPrefix</param-name>
>>     <param-value>https://xxx.utah.edu/cas</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>service</param-name>
>>     <param-value>https://guide/uofu/stu/GraduateTracking</param-value>
>>   </init-param>
>>   <init-param>
>>     <param-name>serverName</param-name>
>>     <param-value>https://guide</param-value>
>>   </init-param>
>>   <!--<init-param>
>>     <param-name>useSession</param-name>
>>     <param-value>false</param-value>
>>   </init-param>-->
>> </filter>
>>
>> <filter>
>>   <filter-name>CAS Wrapper Filter</filter-name>
>>   <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>> </filter>
>>
>> Bryan Wooten
>> UIT Systems Administrator
>> University of Utah
>> [email protected]
>> Work: 801.585.9323
>> Cell: 801.414.3593
>>
>> *From:* Scott Battaglia [mailto:[email protected]]
>> *Sent:* Thursday, June 24, 2010 8:13 PM
>> *To:* [email protected]
>> *Subject:* Re: [cas-user] Question about CAS login/logout
>>
>> Browsers share state between tabs. If you've logged into one and then
>> attempt to log into a second, it's most likely that it read the cookie
>> and used that session.
>>
>> On Thu, Jun 24, 2010 at 3:11 PM, Bryan Wooten <[email protected]> wrote:
>>
>> Hi all,
>>
>> I am seeing some behavior I can't quite explain or understand.
>>
>> Using Firefox I login into a CASified application (hitting the app
>> directly and then redirected to CAS login page). I then open a second
>> tab and login as a different user using the CAS login page. On the
>> second tab I then hit the CASified application. On the second tab I
>> still have the identity of the first login. Why don't I get the identity
>> of the second login?
>>
>> Does this make sense?
>>
>> Bryan Wooten
>> UIT Systems Administrator
>> University of Utah
>> [email protected]
>> Work: 801.585.9323
>> Cell: 801.414.3593
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Joachim Fritschi
Hochschulrechenzentrum (HRZ)
L1|01 Raum 248
Petersenstr. 30
64287 Darmstadt
Tel. +49 6151 16-5638
Fax. +49 6151 16-3050
E-Mail: [email protected]
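
The single sign-out sequence described in this thread, as an added example that is not part of the original messages and is not the CAS client's own code: a small Python model of the application side showing why the old identity survives when the back-channel logout never arrives. `AppSessions`, `switch_user`, the session ids and the ticket values are hypothetical, and the logout message is a constructed sample in the SAML `LogoutRequest` shape that CAS posts in the `logoutRequest` form field.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed sample of the "logoutRequest" form field CAS POSTs to a service.
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1" Version="2.0" '
    'IssueInstant="2010-06-28T09:08:32Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

class AppSessions:
    """Hypothetical model of a CAS client's local session store."""
    def __init__(self):
        self.users = {}       # local session id -> user name
        self.by_ticket = {}   # service ticket -> local session id

    def login(self, session_id, ticket, user):
        self.users[session_id] = user
        self.by_ticket[ticket] = session_id

    def current_user(self, session_id):
        return self.users.get(session_id)

    def handle_logout_request(self, body):
        """Destroy the local session named by SessionIndex; True if one was removed."""
        if "<!DOCTYPE" in body or "<!ENTITY" in body:
            return False      # refuse DTDs in an unauthenticated POST body
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return False
        index = root.find(f"{{{SAMLP}}}SessionIndex")
        if root.tag != f"{{{SAMLP}}}LogoutRequest" or index is None:
            return False
        session_id = self.by_ticket.pop((index.text or "").strip(), None)
        return self.users.pop(session_id, None) is not None

def switch_user(logout_delivered):
    """Who the app sees after user1 hits CAS /logout and user2 logs in."""
    app = AppSessions()
    app.login("local-A", "ST-1-constructed", "user1")
    if logout_delivered:      # back channel reached the app
        app.handle_logout_request(SAMPLE_LOGOUT_REQUEST)
    user = app.current_user("local-A")   # browser still sends the old cookie
    if user is None:          # no local session: redirect to CAS, now user2
        app.login("local-B", "ST-2-constructed", "user2")
        user = app.current_user("local-B")
    return user
```

`switch_user(False)` corresponds to the read timeout in the CAS log: the logout POST never reaches the application, so its local session keeps answering as user1.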
