On Wed, Jun 22, 2011 at 9:48 PM, Mr. Howard Hill <[email protected]> wrote:
> Hello CAS Team,
> I am unable to logout of the CAS client, even if I invalidate the session
> the user is still allowed to access the page. Could the cause of this be

Unlikely. The CAS SSO Session and the Application Session are independent. Invalidating the application session will not terminate the CAS SSO Session as well. Once the CAS Client validates the Service Ticket it is pretty much out of the picture. One doesn't "logout of the CAS client". Since you still have a CAS SSO Session, an attempt to access the application will result in a new ST granted.

If you want to kill the CAS SSO Session you have to redirect to /cas/logout after application session validation. However a recommended practice is to instead provide a logout screen for the application with a link to kill the SSO Session that the user could choose or not.

See: https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

Best,
Bill

>
> 1) The error below, however I am still able to login and access other
> application in SSO
>
> Caused by: error.authentication.credentials.bad
>     at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
>     at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:101)
>     at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:41)
>     at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:44)
>     at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:585)
>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
>
>
> 2) Do I need to be explicit and log out success to below
>
> <bean id="logoutFilter"
>       class="org.springframework.security.web.authentication.logout.LogoutFilter">
>   <constructor-arg value="https://server:8443/cas/logout"/>
>   <constructor-arg>
>     <list>
>       <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
>     </list>
>   </constructor-arg>
> </bean>
>
> Thanks and Best Regards,
> Mr. Howard Hill
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
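
The session behaviour described in the reply above, as an added example that is not part of the original thread and not CAS code: a toy model of the two independent sessions, showing that invalidating only the application session gets the user a new ST, while ending the SSO session as well sends them back to the login form. All class names, the user and the service URL are constructed for illustration.

```python
import secrets

class CasServer:
    """Toy CAS server: SSO sessions (TGTs) plus single-use service tickets."""
    def __init__(self):
        self.tgts, self.tickets = {}, {}   # TGT -> user; ST -> (user, service)
    def login(self, user):                 # credentials accepted: start SSO session
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = user
        return tgt
    def issue_st(self, tgt, service):      # browser redirected to the CAS login URL
        if tgt not in self.tgts:
            return None                    # no SSO session: show the login form
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (self.tgts[tgt], service)
        return st
    def validate(self, st, service):       # validation call made by the CAS client
        user, svc = self.tickets.pop(st, (None, None))
        return user if svc == service else None
    def logout(self, tgt):                 # browser visits /cas/logout
        self.tgts.pop(tgt, None)

class App:
    """Toy CAS-protected application with its own, independent session store."""
    def __init__(self, cas, service):
        self.cas, self.service, self.sessions = cas, service, {}
    def access(self, browser):
        if browser.get("app_session") in self.sessions:
            return "200 " + self.sessions[browser["app_session"]]
        # No application session: ask CAS for a ticket using the SSO cookie.
        st = self.cas.issue_st(browser.get("tgt"), self.service)
        if st is None:
            return "302 CAS login form"
        sid = browser["app_session"] = secrets.token_hex(8)
        self.sessions[sid] = self.cas.validate(st, self.service)
        return "200 " + self.sessions[sid]
    def invalidate_session(self, browser):
        self.sessions.pop(browser.pop("app_session", None), None)

def demo():
    cas = CasServer()
    app = App(cas, "https://app.example/")   # constructed service URL
    browser = {"tgt": cas.login("alice")}    # constructed user; SSO cookie
    first = app.access(browser)
    app.invalidate_session(browser)          # application-only logout
    second = app.access(browser)             # CAS grants a new ST, user is back in
    app.invalidate_session(browser)
    cas.logout(browser.pop("tgt"))           # also end the SSO session
    return first, second, app.access(browser)
```

`demo()` returns the three responses in order: the initial access, the access after an application-only logout, and the access after both sessions are ended.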
