I am seeing some unexpected behavior with the logout service parameter. I have tested this on both JSF and simple servlet / JSP applications. They both fail in a similar fashion.

I have an application (let's call it App1) with a logout link. This application is configured to listen for single sign out requests. When my logout link is this:

https://cas.server.edu/cas/logout?service=https://my.edu/App1

the process fails. After clicking the link I would expect to see the CAS login page with a service parameter set to my.edu/App1. Instead I get an error like this:

java.lang.IllegalStateException: PWC2778: getAttribute: Session already invalidated.

However, if the logout link is this:

https://cas.server.edu/cas/logout?service=https://cas.server.edu/cas/login?service=https://my.edu/App1

I get the behavior I expected. And if the logout link is like this:

https://cas.server.edu/cas/logout?service=https://my.edu/SomeOtherApp

I am successfully redirected to the other application (and since it is CASified I get the CAS login page with service set to SomeOtherApp). This is also expected.

I guess I just don't understand why having the logout service set to the same application that I logged into doesn't work correctly. I am sure I am missing some piece of knowledge about request processing in web applications or the CAS sign out filter.

Any ideas?

Thanks,
Bryan
