Hey Scott, 

This is really embarrassing... I checked twice and was pretty confident that my 
single log out filter was the first in the chain! But I didn't realize that the 
filter's mapping was not...
After I moved the filter's mapping setting to the top, everything works 
like magic... I spent a whole morning reading a bunch of log files and trying to 
find some clue, but never thought to check the filter's mapping setting. Thank 
you so, so much... I couldn't get this to work without your help! And Bryan, thank 
you for the help, too...

--Jiangpeng Shi

>>> Scott Battaglia <[email protected]> 8/5/2010 11:16 AM >>>
Your Single Log Out Filter has to be first in the chain if you want it to
process log out requests.


On Wed, Aug 4, 2010 at 6:03 PM, Jiangpeng Shi <
[email protected]> wrote:

> I think I'd better add some more detailed information about my case:
>
> Currently I am using CAS 3.3.5, and the client is 3.1.10. The CAS server
> and all client applications are sitting on the same server (weblogic), and
> all the client apps are participants of SSO. The sign on process works very
> well for all the client applications, and I can also sign out of a client
> application if I use request.getSession().invalidate(). Now the problem is
> that I couldn't get single sign out to work.....
>
> Here is my Client app's web.xml setting:
>
>
>        <listener>
>                <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>        </listener>
>
>        <filter>
>                <filter-name>CAS Single Sign Out Filter</filter-name>
>                <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>        </filter>
>
>        <filter>
>                <filter-name>CAS Authentication Filter</filter-name>
>                <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>                <init-param>
>                        <param-name>casServerLoginUrl</param-name>
>                        <param-value>https://mydev.mydomain.org:7002/cas/login</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>serverName</param-name>
>                        <param-value>https://mydev.mydomain.org:7002</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>renew</param-name>
>                        <param-value>false</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>gateway</param-name>
>                        <param-value>false</param-value>
>                </init-param>
>        </filter>
>
>        <filter>
>                <filter-name>CAS Validation Filter</filter-name>
>                <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>                <init-param>
>                        <param-name>casServerUrlPrefix</param-name>
>                        <param-value>https://mydev.mydomain.org:7002/cas/</param-value>
>                </init-param>
>                <init-param>
>                        <param-name>serverName</param-name>
>                        <param-value>https://mydev.mydomain.org:7002</param-value>
>                </init-param>
>        </filter>
>
>        <filter>
>                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>                <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>        </filter>
>
>        <filter>
>                <filter-name>CAS Assertion Thread Local Filter</filter-name>
>                <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
>        </filter>
>
>
>        <filter-mapping>
>                <filter-name>CAS Authentication Filter</filter-name>
>                <url-pattern>/protected/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS Validation Filter</filter-name>
>                <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>                <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS Assertion Thread Local Filter</filter-name>
>                <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>                <filter-name>CAS Validation Filter</filter-name>
>                <url-pattern>/proxyCallback</url-pattern>
>        </filter-mapping>
>
>        <filter-mapping>
>           <filter-name>CAS Single Sign Out Filter</filter-name>
>           <url-pattern>/*</url-pattern>
>        </filter-mapping>
>
>
> Here is the argumentExtractorsConfiguration.xml:
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xmlns:util="http://www.springframework.org/schema/util"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>        http://www.springframework.org/schema/util
>        http://www.springframework.org/schema/util/spring-util-2.0.xsd">
>        <description>
>                Argument Extractors are what are used to translate HTTP
>                requests into requests of the appropriate protocol (i.e. CAS,
>                SAML, SAML2, OpenId, etc.).  By default CAS and SAML are enabled.
>        </description>
>        <bean id="casArgumentExtractor"
>                class="org.jasig.cas.web.support.CasArgumentExtractor"
>                p:httpClient-ref="httpClient" />
>
>        <bean id="samlArgumentExtractor"
>                class="org.jasig.cas.web.support.SamlArgumentExtractor"
>                p:httpClient-ref="httpClient" />
>
>        <util:list id="argumentExtractors">
>                <ref bean="casArgumentExtractor" />
>                <ref bean="samlArgumentExtractor" />
>        </util:list>
> </beans>
>
>
> From the client application, I simply add a link, which redirects to:
> https://mydev.mydomain.org:7002/cas/logout?url=/casClient
>
>
> After I click this logout link in the client app, I do see CAS's log out
> confirm page. Based on my understanding, the CAS server is supposed to send
> out a "POST" request to all registered applications, but it seems this does
> not happen....
>
> I checked cas.log on the app server, which has no records about log out....or
> any records about httpClient....Here is part of cas.log:
>
> 2010-08-04 16:51:15,958 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: testUser]
> 2010-08-04 16:51:16,005 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-uB5GQK0DlpPnJdZc57Ix-cas] for service [https://mydev.mydomain.org:7002/casClient2/protected/index.jsp] for user [testUser]
> ......
>
> Then there are no records about sending a request back to the client app,
> not even any info about "sign out"....
>
>
> I also check access.log in my weblogic server, and here is record saved:
>
>
> 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp?ticket=ST-16-HzmgD6XNY0O1eIrjCv5P-cas HTTP/1.1" 302 327
> 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp HTTP/1.1" 200 1023
> 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "POST /casClient2/protected/index.jsp HTTP/1.1" 302 511
> 129.112.115.6 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/logout?url=/casClient2 HTTP/1.1" 200 1671
> 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/login?service=https%3A%2F%2Fmydev.mydomain.org%3A7002%2FcasClient2%2Fprotected%2Findex.jsp HTTP/1.1" 200 3696
> 129.112.115.6 - - [04/Aug/2010:16:10:41 -0500] "GET /casClient2 HTTP/1.1" 302 289
>
> There is no "POST" request received after the "GET" of the log out
> request...
>
> In CAS server, one thing I have changed is I use a customized
> authentication handler to do authentication. I am not sure this will cause
> the issue? Here is the part of deployerConfigContext.xml:
>
>        <bean id="authenticationManager"
>                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>                <property name="credentialsToPrincipalResolvers">
>                        <list>
>                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>                        </list>
>                </property>
>                <property name="authenticationHandlers">
>                        <list>
>                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>                                        p:httpClient-ref="httpClient" />
>                                <bean class="edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler" />
>                        </list>
>                </property>
>        </bean>
>
>        <bean id="userDetailsService"
>                class="edu.utsw.ais.cas.authentication.service.ServiceUserDetailsServiceImpl">
>        </bean>
>
>        <bean id="attributeRepository"
>                class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>                <property name="backingMap">
>                        <map>
>                                <entry key="uid" value="uid" />
>                                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>                                <entry key="groupMembership" value="groupMembership" />
>                        </map>
>                </property>
>        </bean>
>
>        <bean id="serviceRegistryDao"
>                class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
>                p:entityManagerFactory-ref="entityManagerFactory" />
>
>        <bean id="entityManagerFactory"
>                class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
>                <property name="dataSource" ref="dataSource"/>
>                <property name="jpaVendorAdapter">
>                        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
>                                <property name="generateDdl" value="true"/>
>                                <property name="showSql" value="true" />
>                        </bean>
>                </property>
>                <property name="jpaProperties">
>                        <props>
>                                <prop key="hibernate.dialect">org.hibernate.dialect.SQLServerDialect</prop>
>                                <prop key="hibernate.hbm2ddl.auto">update</prop>
>                        </props>
>                </property>
>        </bean>
>
>        <bean id="transactionManager"
>                class="org.springframework.orm.jpa.JpaTransactionManager">
>                <property name="entityManagerFactory" ref="entityManagerFactory"/>
>        </bean>
>
>        <tx:annotation-driven transaction-manager="transactionManager"/>
>
>        <bean id="dataSource"
>                class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>                <property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
>                <property name="url" value="jdbc:sqlserver://dbserver.mydomain.org;databaseName=casdb"/>
>                <property name="username" value="cas"/>
>                <property name="password" value="cas"/>
>        </bean>
>
>
>
>
>
> Seems like I've never been so close to creating our own functional CAS
> server....Any suggestion is highly appreciated....Thank you very much.
>
>
>
>
> >>> Bryan Wooten <[email protected]> 8/4/2010 12:04 PM >>>
> Here is how to do it:
>
> https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out 
>
> Just add the listener and filter to your web.xml.
>
> It is working well for me.
>
> Bryan Wooten
>
> [email protected] 
> Work: 801.585.9323
> Cell: 801.414.3593
>
>
> -----Original Message-----
> From: Jiangpeng Shi [mailto:[email protected]] 
> Sent: Wednesday, August 04, 2010 10:51 AM
> To: [email protected] 
> Subject: [cas-user] a new single sign out question
>
> I asked a question about an issue that I couldn't logout from SSO by using
> request.getSession().invalidate(), and acevedo gave me a very good
> suggestion. He helped me solve my issue very well. But it seems I am still
> having some issues with Single sign out: How can I sign out all client apps
> when I sign out from one of the client apps?
> My current case is:
> I have 4 client apps, which all use CAS and SSO. For each client app, I am
> using the following code in each client to log out:
>
> request.getSession().invalidate();
> response.sendRedirect("https://cas.mywork.org:7088/cas/logout?url=/myapp");
>
> For each client, the log out works well, but it seems I have to logout each
> client one by one, which means I can't logout all client apps all together
> by just signing out from one client application. Is there any way that we
> can let the user sign out from one app and then sign out all other Single
> Sign On client apps?
>
> Thanks a lot in advance.
>
> --Jiangpeng Shi
>
>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected] 
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user 
>
>
>
>
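The fix reported at the top of this thread concerns the order of the `<filter-mapping>` elements, not the order of the `<filter>` declarations. As an added example (not part of the original messages and not CAS client code), this Python check parses a web.xml and reports every mapping that comes before the SingleSignOutFilter mapping; the embedded descriptors are constructed, abbreviated from the one quoted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SLO_CLASS = "org.jasig.cas.client.session.SingleSignOutFilter"
# Constructed sample, abbreviated from the web.xml quoted in the thread.
DECLS = """
  <filter><filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class></filter>
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class></filter>"""
AUTH_MAP = """
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern></filter-mapping>"""
SLO_MAP = """
  <filter-mapping><filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>"""
BROKEN = "<web-app>" + DECLS + AUTH_MAP + SLO_MAP + "</web-app>"  # as posted: declared first, mapped last
FIXED = "<web-app>" + DECLS + SLO_MAP + AUTH_MAP + "</web-app>"   # after moving the mapping to the top


def _local(tag):
    """Drop an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Whitespace-normalised text of the first child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return " ".join((child.text or "").split())
    return None


def mapping_order(web_xml):
    """Filter names in <filter-mapping> order (url-pattern mappings assumed, as in the thread)."""
    root = ET.fromstring(web_xml)
    return [_child_text(e, "filter-name") for e in root if _local(e.tag) == "filter-mapping"]


def slo_filter_problems(web_xml):
    """Findings that would keep the single sign out filter from running first."""
    root = ET.fromstring(web_xml)
    slo = {_child_text(e, "filter-name") for e in root
           if _local(e.tag) == "filter" and _child_text(e, "filter-class") == SLO_CLASS}
    order = mapping_order(web_xml)
    if not slo or not any(name in slo for name in order):
        return ["SingleSignOutFilter is not declared or has no <filter-mapping>"]
    first = next(i for i, name in enumerate(order) if name in slo)
    return [f"mapping for '{n}' precedes the single sign out filter" for n in order[:first]]
```

The check is conservative: it flags any mapping listed ahead of the single sign out filter, whether or not its URL pattern overlaps.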
