Hi,

On Apr 18, 2012, at 11:53 AM, [email protected] wrote:

> Marvin,
>  
> I don't understand what do you mean by "agent".

He's talking about the HTTP user agent[1]. This might be the user's browser or 
the HTTP client you're using in your code.

> And how do I "perform a GET on that resource" (that resource meaning 
> remoteCAS?)?

In an HTTP-based system, a resource is a logical entity identified by a URI. In 
this case, Marvin's talking about the /logout endpoint.

>  
>  I was thinking may be I can call the remote logout url inside the 
> LogoutController. but then I got confused: how does CAS know which sets of 
> TGT and cookies to remove? My understanding is that there exists one set from 
> the localCAS server, and a second set from the remoteCAS server.
>  
> I was thinking the flow of events in this order:
> 1. User logs in to the localCAS
> 2. user accesses a service protected by the remoteCAS
> 3. remoteCAS trusts localCAS, so a TGT and cookie are sent to the users 
> browser
> 4. user does his/her stuff, time to call it a day..
> 5. user clicks logout button of localCAS
> 6. Inside LogoutController class, TGT and cookie from the remoteCAS is found 
> and removed before finding and removing the localCAS server generated cookies.
>  
> So I am stuck at #5, the first half.

localCAS never has access to remoteCAS's TGT. It is stored in a cookie that the 
user's browser will only send to remoteCAS. This is mandatory in the CAS protocol. 

The only way for localCAS to request that remoteCAS log out the user is for 
localCAS to redirect the user to remoteCAS/logout. Depending on the server 
providing remoteCAS, it may be possible to have remoteCAS redirect the user 
elsewhere (e.g., back to localCAS) after logging her out, making the process 
transparent. In Jasig CAS, you can pass the "service" parameter to /logout to 
specify a page that the user should be sent to after logging out.

Rhett

[1]: http://en.wikipedia.org/wiki/User_agent

>  
> Thanks.
> 
> 
> --- On Wed, 2012/4/18, Marvin S. Addison <[email protected]> wrote:
> 
> > Looks like calling the /logout process like:
> > https://remoteCAS/logout
> > 
> > won't do the job! Will it?
> 
> Depends on the agent that goes there.  If your agent is localCAS, then it 
> will not work since it doesn't have the TGT to be invalidated; however, 
> everything will work as you hope if the user performs a GET on that resource 
> in his/her browser.
> 
> M
> 
> -- You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user

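The following is an added example, not code from Jasig CAS or from anyone in this thread. It models the two servers and the browser's per-host cookie jar to show why a server-to-server GET from localCAS to remoteCAS/logout invalidates nothing, and then walks the browser through the redirect chain Rhett describes: localCAS/logout destroys the local TGT and 302s the browser to remoteCAS/logout?service=<landing page>, remoteCAS destroys its own TGT and sends the user back. Host names, TGT ids, the landing page and the allow-list are constructed for the demonstration; CASTGC is the ticket-granting cookie name Jasig CAS 3.x uses. Two caveats worth knowing before wiring this up: in CAS 3.x the LogoutController only honours service= on /logout when its followServiceRedirects property is set to true, and a logout endpoint that forwards service= unchecked is an open redirect, so the example validates the landing URL against an allow-list.

```python
"""Why localCAS cannot log the user out of remoteCAS on the user's behalf,
and the redirect chain that does the job.

Added example; this is not code from Jasig CAS.  Host names, TGT ids, the
landing page and the allow-list are constructed for the demonstration.  The
cookie name CASTGC is the ticket-granting cookie Jasig CAS 3.x sets.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

TGC_COOKIE = "CASTGC"


class CasServer:
    """Minimal model of one CAS server: a TGT store and a GET /logout handler."""

    def __init__(self, host):
        self.host = host
        self.tgts = {}  # TGT id -> principal

    def issue_tgt(self, tgt_id, principal):
        """Create a TGT and return the Set-Cookie the browser stores for this host."""
        self.tgts[tgt_id] = principal
        return {TGC_COOKIE: tgt_id}

    def logout(self, cookies, query=None):
        """GET /logout.  Returns (invalidated TGT id or None, redirect target or None).

        The TGT to destroy is named only by the TGC cookie the requesting agent
        presents; a request without that cookie cannot invalidate anything.
        The optional service= parameter is where the user is sent afterwards
        (Jasig CAS 3.x honours it only when followServiceRedirects is enabled)."""
        tgt_id = cookies.get(TGC_COOKIE)
        invalidated = tgt_id if self.tgts.pop(tgt_id, None) is not None else None
        return invalidated, (query or {}).get("service")


class Browser:
    """Cookie jar scoped per host: remoteCAS's TGC is never sent to localCAS."""

    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def store(self, host, cookies):
        self.jar.setdefault(host, {}).update(cookies)

    def get_logout(self, server, query=None):
        """GET {server}/logout, sending only the cookies that host set."""
        return server.logout(self.jar.get(server.host, {}), query)


def chained_logout_location(remote_cas_base, landing_url, allowed_hosts):
    """Build the Location header localCAS returns from its own /logout:
    <remote_cas_base>/logout?service=<landing_url>.

    landing_url is checked against an allow-list first; without that check a
    logout endpoint that forwards service= is an open redirect."""
    landing = urlsplit(landing_url)
    if landing.scheme != "https" or landing.hostname not in allowed_hosts:
        raise ValueError(f"refusing post-logout redirect to {landing_url!r}")
    base = urlsplit(remote_cas_base)
    return urlunsplit((base.scheme, base.netloc, base.path.rstrip("/") + "/logout",
                       urlencode({"service": landing_url}), ""))


def run_flow():
    """Replay the poster's steps 1-6 and report what each approach invalidates."""
    local_cas = CasServer("localcas.example")
    remote_cas = CasServer("remotecas.example")
    browser = Browser()

    # Steps 1-3: localCAS logs alice in; remoteCAS trusts it and issues its own TGT.
    browser.store(local_cas.host, local_cas.issue_tgt("TGT-1-local", "alice"))
    browser.store(remote_cas.host, remote_cas.issue_tgt("TGT-2-remote", "alice"))

    # Step 6 as first imagined: localCAS itself performs GET remoteCAS/logout.
    # localCAS holds no remoteCAS cookie, so the call invalidates nothing.
    server_side, _ = remote_cas.logout(cookies={})

    # Steps 5-6 done right: the browser hits localCAS/logout, which destroys
    # the local TGT and answers with a 302 to remoteCAS/logout?service=...
    landing = "https://localcas.example/cas/loggedout"
    local_gone, _ = browser.get_logout(local_cas)
    location = chained_logout_location("https://remotecas.example/cas", landing,
                                       allowed_hosts={"localcas.example"})

    # The browser follows the redirect, presenting remoteCAS's own TGC, and
    # remoteCAS sends it on to the service= landing page.
    query = {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}
    remote_gone, next_hop = browser.get_logout(remote_cas, query)

    return {
        "server_side_invalidated": server_side,
        "local_invalidated": local_gone,
        "redirect_to_remote": location,
        "remote_invalidated": remote_gone,
        "final_landing": next_hop,
        "tgts_left": len(local_cas.tgts) + len(remote_cas.tgts),
    }


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(f"{key}: {value}")
```

The server-side attempt comes back with nothing invalidated while remoteCAS still holds its TGT, which is Marvin's point about which agent makes the request; the browser-driven chain clears both TGTs and lands the user back on localCAS. The allow-list in chained_logout_location is the check to keep when adapting this: whatever is passed as service= becomes a redirect the user will follow.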