Just a note that we had two features: actual redirect which is still supported but disabled by default and the display of a url on the logout view which was completely removed.

On Jun 8, 2011 7:31 AM, "Rhett Sutphin" <[email protected]> wrote:
> Hi Marvin,
>
> On Jun 8, 2011, at 8:01 AM, Marvin Addison wrote:
>
>>> is there a way for CAS to redirect after a successful logout?
>>
>> You can get this to work, but it's not supported by default.
>>
>>> I noticed that some apps (e.g. moodle) send a URL parameter with a return address.
>>
>> That's correct. You can configure your clients to send a url
>> parameter to the /cas/logout URI and CAS can act upon it. You could
>> configure the logout JSP of CAS to examine the url parameter and issue
>> a redirect instead of displaying a link. Note we removed this
>> functionality in the recent past due to security concerns. You should
>> consider in your solution that the url parameter could be abused to
>> issue redirects to untrusted resources.
>
> Do you have a link to a ticket or discussion about this? I'm curious what vulnerability is introduced by having CAS issue this untrusted redirect.
>
> Thanks,
> Rhett
>
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
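The concern raised in the thread, that the `url` parameter on `/cas/logout` could be abused to redirect to untrusted resources, is usually handled by checking the parameter against an allowlist before redirecting. The following is an added example, not code from the thread or from CAS; the class name `LogoutRedirectValidator`, the method `safeTarget` and the host `moodle.example.edu` are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/** Hypothetical helper: decides whether a logout "url" parameter may be used as a redirect target. */
public final class LogoutRedirectValidator {
    private final Set<String> trustedHosts; // exact host names, lower case

    public LogoutRedirectValidator(Set<String> trustedHosts) {
        this.trustedHosts = Set.copyOf(trustedHosts);
    }

    /** Returns the target only if it is an absolute https URL on an allowlisted host. */
    public Optional<URI> safeTarget(String urlParam) {
        if (urlParam == null || urlParam.isBlank()) return Optional.empty();
        // Whitespace, control characters and backslashes can be read differently by browsers.
        for (char c : urlParam.toCharArray()) {
            if (c <= 0x20 || c == 0x7f || c == '\\') return Optional.empty();
        }
        final URI uri;
        try {
            uri = new URI(urlParam).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Null scheme or host covers relative, scheme-relative ("//host") and opaque URIs.
        if (scheme == null || host == null) return Optional.empty();
        if (!"https".equalsIgnoreCase(scheme)) return Optional.empty();
        if (uri.getRawUserInfo() != null) return Optional.empty(); // "trusted@other-host" form
        if (!trustedHosts.contains(host.toLowerCase(Locale.ROOT))) return Optional.empty();
        return Optional.of(uri);
    }

    public static void main(String[] args) {
        LogoutRedirectValidator v = new LogoutRedirectValidator(Set.of("moodle.example.edu"));
        String[] samples = { // constructed inputs
            "https://moodle.example.edu/login/index.php",
            "https://moodle.example.edu.untrusted.example/",
            "https://moodle.example.edu@untrusted.example/",
            "//untrusted.example/", "http://moodle.example.edu/" };
        for (String s : samples) {
            System.out.println(s + " -> " + v.safeTarget(s).map(URI::toString).orElse("(no redirect)"));
        }
    }
}
```

Only the first sample is accepted; for the rest the logout view would be shown without a redirect.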
