Your Single Log Out Filter has to be first in the chain if you want it to
process log out requests.


On Wed, Aug 4, 2010 at 6:03 PM, Jiangpeng Shi <
[email protected]> wrote:

> I think I'd better add some more detailed information about my case:
>
> Currently I am using CAS 3.3.5, the client is 3.1.10. All the CAS server
> and client applications are sitting on the same server (weblogic), and all the
> client apps are participants of SSO. The sign on process works very well for
> all the client applications, and I can also sign out of a client application if
> I use request.getSession().invalidate(). Now the problem is that I couldn't
> get single sign out to work.....
>
> Here is my Client app's web.xml setting:
>
>
>        <listener>
>                <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>        </listener>
>
>        <filter>
>                <filter-name>CAS Single Sign Out Filter</filter-name>
>                <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>        </filter>
>
>        <filter>
>                <filter-name>CAS Authentication Filter</filter-name>
>                <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>                <init-param>
>                        <param-name>casServerLoginUrl</param-name>
>                        <param-value>https://mydev.mydomain.org:7002/cas/login</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>serverName</param-name>
>                        <param-value>https://mydev.mydomain.org:7002</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>renew</param-name>
>                        <param-value>false</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>gateway</param-name>
>                        <param-value>false</param-value>
>                </init-param>
>        </filter>
>
>        <filter>
>                <filter-name>CAS Validation Filter</filter-name>
>                <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>                <init-param>
>                        <param-name>casServerUrlPrefix</param-name>
>                        <param-value>https://mydev.mydomain.org:7002/cas/</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>serverName</param-name>
>                        <param-value>https://mydev.mydomain.org:7002</param-value>
>                </init-param>
>        </filter>
>
>        <filter>
>                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>                <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>        </filter>
>
>        <filter>
>                <filter-name>CAS Assertion Thread Local Filter</filter-name>
>                <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
>        </filter>
>
>        <filter-mapping>
>                <filter-name>CAS Authentication Filter</filter-name>
>                <url-pattern>/protected/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS Validation Filter</filter-name>
>                <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>                <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS Assertion Thread Local Filter</filter-name>
>                <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS Validation Filter</filter-name>
>                <url-pattern>/proxyCallback</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS Single Sign Out Filter</filter-name>
>                <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>
> Here is the argumentExtractorsConfiguration.xml:
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>       xmlns:p="http://www.springframework.org/schema/p"
>       xmlns:util="http://www.springframework.org/schema/util"
>       xsi:schemaLocation="http://www.springframework.org/schema/beans
>       http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>       http://www.springframework.org/schema/util
>       http://www.springframework.org/schema/util/spring-util-2.0.xsd">
>        <description>
>                Argument Extractors are what are used to translate HTTP
> requests into requests of the appropriate protocol (i.e. CAS, SAML, SAML2,
>                OpenId, etc.).  By default CAS and SAML are enabled.
>        </description>
>        <bean
>                id="casArgumentExtractor"
>                class="org.jasig.cas.web.support.CasArgumentExtractor"
>         p:httpClient-ref="httpClient" />
>
>        <bean id="samlArgumentExtractor"
> class="org.jasig.cas.web.support.SamlArgumentExtractor"
>             p:httpClient-ref="httpClient" />
>
>        <util:list id="argumentExtractors">
>                <ref bean="casArgumentExtractor" />
>                <ref bean="samlArgumentExtractor" />
>        </util:list>
> </beans>
>
>
> From the client application, I simply add a link, which redirects to:
> https://mydev.mydomain.org:7002/cas/logout?url=/casClient
>
>
> After I click this logout link in the client app, I do see CAS's log out
> confirm page. Based on my understanding, CAS server is supposed to send out
> "POST" requests to all registered applications, but it seems this does not happen....
>
> I checked cas.log in the app server, which has no records about log out....or any
> records about httpClient....Here is part of cas.log:
>
> 2010-08-04 16:51:15,958 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: testUser]
> 2010-08-04 16:51:16,005 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-uB5GQK0DlpPnJdZc57Ix-cas] for service [https://mydev.mydomain.org:7002/casClient2/protected/index.jsp] for user [testUser]
> ......
>
> Then there are no records about sending a request back to the client app, not
> even any info about "sign out"....
>
>
> I also checked access.log in my weblogic server, and here is the record saved:
>
>
> 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp?ticket=ST-16-HzmgD6XNY0O1eIrjCv5P-cas HTTP/1.1" 302 327
> 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp HTTP/1.1" 200 1023
> 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "POST /casClient2/protected/index.jsp HTTP/1.1" 302 511
> 129.112.115.6 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/logout?url=/casClient2 HTTP/1.1" 200 1671
> 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/login?service=https%3A%2F%2Fmydev.mydomain.org%3A7002%2FcasClient2%2Fprotected%2Findex.jsp HTTP/1.1" 200 3696
> 129.112.115.6 - - [04/Aug/2010:16:10:41 -0500] "GET /casClient2 HTTP/1.1" 302 289
>
> There is no "POST" request received after the "GET" of the log out
> request...
>
> In CAS server, one thing I have changed is I use a customized
> authentication handler to do authentication. I am not sure this will cause
> the issue? Here is the part of deployerConfigContext.xml:
>
>        <bean id="authenticationManager"
>                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>                <property name="credentialsToPrincipalResolvers">
>                        <list>
>                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>                        </list>
>                </property>
>                <property name="authenticationHandlers">
>                        <list>
>                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>                                        p:httpClient-ref="httpClient" />
>                                <bean class="edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler" />
>                        </list>
>                </property>
>        </bean>
>
>        <bean id="userDetailsService"
>                class="edu.utsw.ais.cas.authentication.service.ServiceUserDetailsServiceImpl">
>        </bean>
>
>        <bean id="attributeRepository"
>                class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>                <property name="backingMap">
>                        <map>
>                                <entry key="uid" value="uid" />
>                                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>                                <entry key="groupMembership" value="groupMembership" />
>                        </map>
>                </property>
>        </bean>
>
>        <bean id="serviceRegistryDao"
>                class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
>                p:entityManagerFactory-ref="entityManagerFactory" />
>
>        <bean id="entityManagerFactory"
>                class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
>                <property name="dataSource" ref="dataSource"/>
>                <property name="jpaVendorAdapter">
>                        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
>                                <property name="generateDdl" value="true"/>
>                                <property name="showSql" value="true" />
>                        </bean>
>                </property>
>                <property name="jpaProperties">
>                        <props>
>                                <prop key="hibernate.dialect">org.hibernate.dialect.SQLServerDialect</prop>
>                                <prop key="hibernate.hbm2ddl.auto">update</prop>
>                        </props>
>                </property>
>        </bean>
>
>        <bean id="transactionManager"
>                class="org.springframework.orm.jpa.JpaTransactionManager">
>                <property name="entityManagerFactory" ref="entityManagerFactory"/>
>        </bean>
>
>        <tx:annotation-driven transaction-manager="transactionManager"/>
>
>        <bean id="dataSource"
>                class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>                <property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
>                <property name="url" value="jdbc:sqlserver://dbserver.mydomain.org;databaseName=casdb"/>
>                <property name="username" value="cas"/>
>                <property name="password" value="cas"/>
>        </bean>
>
>
>
>
>
> Seems like I've never been so close to creating our own functional CAS
> server....Any suggestion is highly appreciated....Thank you very much.
>
>
>
>
> >>> Bryan Wooten <[email protected]> 8/4/2010 12:04 PM >>>
> Here is how to do it:
>
> https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
>
> Just add the listener and filter to your web.xml.
>
> It is working well for me.
>
> Bryan Wooten
>
> [email protected]
> Work: 801.585.9323
> Cell: 801.414.3593
>
>
> -----Original Message-----
> From: Jiangpeng Shi [mailto:[email protected]]
> Sent: Wednesday, August 04, 2010 10:51 AM
> To: [email protected]
> Subject: [cas-user] a new single sign out question
>
> I asked a question about an issue where I couldn't log out from SSO by using
> request.getSession().invalidate(), and acevedo gave me a very good
> suggestion. He helped me solve my issue very well. But it seems I am still
> having some issues with Single sign out: How can I sign out all client apps
> when I sign out from one of the client apps?
> My current case is:
> I have 4 client apps, which all use CAS and SSO. For each client app, I am
> using the following code in each client to log out:
>
> request.getSession().invalidate();
> response.sendRedirect("https://cas.mywork.org:7088/cas/logout?url=/myapp");
>
> For each client, the log out works well, but it seems I have to log out of each
> client one by one, which means I can't log out of all client apps together
> by just signing out from one client application. Is there any way that we
> can let the user sign out from one app and then sign out of all other Single Sign On
> client apps?
>
> Thanks a lot in advance.
>
> --Jiangpeng Shi
>
>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
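
An added example, not part of the original thread and not CAS client code: a small Python check for the point made in the reply at the top, that the Single Sign Out filter must be first in the chain. It assumes the servlet container builds the chain from `url-pattern` `filter-mapping` elements in document order; the sample web.xml is constructed and condensed from the filter names and classes quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SLO = "org.jasig.cas.client.session.SingleSignOutFilter"
FILTERS = {  # filter names and classes as quoted in the thread's web.xml
    "CAS Single Sign Out Filter": SLO,
    "CAS Authentication Filter":
        "org.jasig.cas.client.authentication.AuthenticationFilter",
    "CAS Validation Filter":
        "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
}

def sample_web_xml(mapping_names):
    """Constructed, condensed web.xml with filter-mappings in the given order."""
    decl = "".join(
        f"<filter><filter-name>{n}</filter-name>"
        f"<filter-class>{c}</filter-class></filter>" for n, c in FILTERS.items())
    maps = "".join(
        f"<filter-mapping><filter-name>{n}</filter-name>"
        f"<url-pattern>/*</url-pattern></filter-mapping>" for n in mapping_names)
    return f"<web-app>{decl}{maps}</web-app>"

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop a {namespace} prefix if present

def _child(elem, name):
    for c in elem:
        if _local(c.tag) == name:
            return " ".join((c.text or "").split())   # undo mail line wraps
    return None

def filters_before_slo(web_xml):
    """Classes mapped ahead of the Single Sign Out filter; None if it is unmapped."""
    root = ET.fromstring(web_xml)
    classes = {_child(f, "filter-name"): _child(f, "filter-class")
               for f in root if _local(f.tag) == "filter"}
    order = [classes.get(_child(m, "filter-name"))
             for m in root if _local(m.tag) == "filter-mapping"]
    return order[:order.index(SLO)] if SLO in order else None

AS_POSTED = sample_web_xml(["CAS Authentication Filter", "CAS Validation Filter",
                            "CAS Single Sign Out Filter"])
CORRECTED = sample_web_xml(["CAS Single Sign Out Filter",
                            "CAS Authentication Filter", "CAS Validation Filter"])

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        ahead = filters_before_slo(doc)
        print(label, "->", "OK" if ahead == [] else f"runs too late, after {ahead}")
```

With the posted order, a back-channel logout POST to a URL under `/protected/*` reaches the Authentication Filter before the Single Sign Out filter; that request carries no authenticated session, so it is redirected to the login URL and the session is never invalidated.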
