Looks like calling the /logout process like: https://remoteCAS/logout won't do the job! Will it?

I need to destroy the TGT, cookies, some other things?... associated with the remoteCAS, but stored in the local browser. (This is a different set than the ones I have from my localCAS server... but those will be taken care of by the LogOutController very nicely without doing anything!)

Now this is the code from LogOutController:

//-----------------------------------
// Read the TGT id from the TGT cookie sent with this request
final String ticketGrantingTicketId =
    this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);

if (ticketGrantingTicketId != null) {
    // Destroy the server-side ticket, then remove the TGT and warn cookies
    this.centralAuthenticationService
        .destroyTicketGrantingTicket(ticketGrantingTicketId);
    this.ticketGrantingTicketCookieGenerator.removeCookie(response);
    this.warnCookieGenerator.removeCookie(response);
}
//---------------------------------------

I need to write similar code to retrieve and destroy the TGT and cookies which are sent by the remoteCAS. When the TGT and cookies are sent to the browser by the (remote) CAS, is there any information that I can exploit for this purpose? I will look into it myself if only I knew which file is responsible for creating such info in the first place.

Scott (creator of the LogOutController class) / Marvin / other CAS gurus, will you please comment?

Thanks!

--- On Tue, 2012/4/17, [email protected] <[email protected]> wrote:

Hi all,

I found that org.jasig.cas.web.LogoutController is called when I enter the logout URL (/logout).

Here, I want to send the logout command to the remote CAS. But then the remote CAS will probably ask "who is calling" and the local CAS will have to supply my username...

As of now I don't know how I can send a command in the form of a URL string inside Java. Or should I write that "log me out" request inside the cas-servlet.xml? Is it the right direction? Any pitfalls?

I also need to make sure that only the particular user from a particular parentCAS is logged out from the remote CAS, and also only in the case that the user has a valid CAS session with the parentCAS. If the same user has logged in to the remote CAS independently (that is, before logging in to the local/parentCAS), that remote session cannot be logged out from the local/parentCAS.

Please share your thoughts. Thanks.

--o0o--

--- On Mon, 2012/4/16, [email protected] <[email protected]> wrote:

Hi all,

I want a remote CAS to log me out (on the remote CAS server) when I log out from my local CAS.

The story is that the remote CAS trusts my local CAS, so I have been successfully authenticated by a remote CAS based on my authenticated status at a home (local) CAS. Now what I want to do is, when I log out from my local CAS, in addition to logging me out here, I want to send some message to the trusting remote CAS server to end my authenticated status there. Something like:

https://localCAS/logout&https://remoteCAS/logout

I thought of the following sequence of events:

1. I am logged out successfully from my local CAS
2. A request to log me out is sent to the remote CAS
3. the remote CAS asks my CAS: is he (really) logged out?
4. my CAS server says: user is logged in no more (but does not tell who "user" is)
5. then the remote CAS logs me out

Trouble: Some work has been done to get a locally authenticated user trusted by the remote CAS with the help of a convenient user registry on the remote end. A successful authentication at the local CAS provides the remote CAS a username, and we used that username and a previously stored "id" to authenticate that user. But in the case of logging out, in #3 above, the remote CAS will NOT receive any username (because the user will have already logged out), so a database search to check authenticity would not be possible. The remoteCAS cannot and should not trust if somebody just says "logout thisUser", right?

Can someone give me some pointers? I will read documents (if there are any!), but it would be better to start with something in mind rather than with nothing. Someone may have had a similar use case and/or have some idea, even if not fully implemented/explored.

I just thought while writing this message: would it be possible to send a remote logout request first, wait for the remote CAS to make inquiries, wait a few seconds, and then proceed to log out from the local server? At least until I hear some comments, I want to search in this direction.

Cheers.

--o0o--

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
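
An added example, not part of the thread and not CAS code: one way the remote CAS could refuse a bare "logout thisUser" and end only sessions that were created through the parent CAS. It assumes a hypothetical pre-shared key between the two servers and an opaque session handle recorded by the remote side at federated login; every class, method and variable name here is hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration only; hypothetical names, not part of the CAS code base.
public class FederatedLogoutSketch {
    static final long MAX_SKEW_MS = 60_000; // reject stale or far-future requests

    // Remote side: only sessions created because the parent CAS vouched for the
    // user are recorded here, keyed by an opaque handle (no username needed).
    // Sessions opened by logging in to the remote CAS directly never appear.
    static final Map<String, String> federatedSessions = new ConcurrentHashMap<>();

    // Parent side: HMAC over "handle|timestamp" with the shared key.
    static String sign(byte[] key, String handle, long ts) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal((handle + "|" + ts).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Remote side: act only if the request is fresh, authentic, and names a
    // session that was established through the parent CAS.
    static boolean handleLogout(byte[] key, String handle, long ts, String tag, long now)
            throws Exception {
        if (Math.abs(now - ts) > MAX_SKEW_MS) return false;
        byte[] expected = sign(key, handle, ts).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the received tag with the expected one
        if (!MessageDigest.isEqual(expected, tag.getBytes(StandardCharsets.UTF_8))) return false;
        // A real remote CAS would destroy its own TGT for this session here.
        return federatedSessions.remove(handle) != null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and session data
        byte[] key = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        federatedSessions.put("h-123", "TGT-remote-placeholder");
        long now = System.currentTimeMillis();
        String tag = sign(key, "h-123", now);
        System.out.println("genuine request accepted: " + handleLogout(key, "h-123", now, tag, now));
        System.out.println("replayed request accepted: " + handleLogout(key, "h-123", now, tag, now));
        System.out.println("forged request accepted: " + handleLogout(key, "h-999", now, "forged", now));
    }
}
```

Removing the handle on first use also makes a replayed request a no-op, and the remote CAS never needs a callback to ask the parent who the user was.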
