Misagh, Thanks, that's really helpful. It sounds like 3 is the most correct option, no? It's certainly cleaner than 1 or 2.
I set the cas log to trace and reran the same test as before. I'm not really sure what I'm looking for, though. It looks like neither CasArgumentExtractor nor SamlArgumentExtractor are finding a service. I imagine those services drive the callbacks? What did I forget to configure? From the documentation I read, it looked like if you're using SAML that the callbacks happen automatically. When a CAS session ends, it will callback to each of the services that are registered with the system and send a POST request with the following: https://wiki.jasig.org/display/CASUM/Single+Sign+Out I guess I figured that configuration was done by CAS runtime, not by me at compile time. Is there a wiki page for how I register services? Thanks, Eric Stein From: Misagh Moayyed [mailto:[email protected]] Sent: Friday, December 28, 2012 11:01 AM To: [email protected] Subject: RE: [cas-user] CAS 3.5.1: Having trouble with Sign-Out "session.invalidate()" in the manner that you have it is not going to destroy your session. Likely, that produces a JS error. I believe you'd have to carry that out through a little bit of Java code. 1. You link could submit the request to a LogOutServlet which destroys the session and redirects to /cas/logout. 2. You link could redirect to another jsp page which would include the bit <% session.invalidate(); %> in it and would then redirect to /cas/logout 3. You could potentially investigate the issue in CAS server logs to see what SLO callbacks aren't coming in, if CAS is configured to issue those, in which case you wouldn't need 1 or 2 and a simple redirect to /cas/logout would suffice. HTH. -Misagh From: Stein, Eric [mailto:[email protected]] Sent: Friday, December 28, 2012 8:16 AM To: [email protected] Subject: RE: [cas-user] CAS 3.5.1: Having trouble with Sign-Out I didn't see anything relevant, but maybe somebody else can? I included a clean log sample that includes: 0. Start up tomcat with CAS and hello-world running. 1. Visit hello-world - intercepted and authentication via CAS first. 2. Click this link on index.jsp: <a href="/authentication/logout" onClick="session.invalidate()">Log out</a> 3. visit hello-world - *not* intercepted. My browser was Firefox 17.0.1. /authentication is my CAS overlay. Thanks so much for your time! Eric Stein From: Scott Battaglia [mailto:[email protected]] Sent: Friday, December 28, 2012 9:36 AM To: [email protected] Subject: RE: [cas-user] CAS 3.5.1: Having trouble with Sign-Out Were there any other messages in the logs? On Dec 28, 2012 9:24 AM, "Stein, Eric" <[email protected]> wrote: Ok, that makes sense. Thanks for explaining that, Scott. Eric Stein From: Scott Battaglia [mailto:[email protected]] Sent: Friday, December 28, 2012 12:23 AM To: [email protected] Subject: Re: [cas-user] CAS 3.5.1: Having trouble with Sign-Out That message gets written out (at trace level) whenever a URI does not have the logout request or an authentication token (so basically every page besides the logout request and the initial redirect back from CAS). On Wed, Dec 26, 2012 at 5:24 PM, Stein, Eric <[email protected]> wrote: I've got Tomcat 7.0.25 running with CAS 3.5.1 and a trivial java webapp with one JSP. I added a link from the page to /cas/logout. When I follow the link, CAS tells me I've logged out successfully, but I can navigate back to the page without needing to authenticate again. It looks like tickets are still being granted. I'm also seeing this line in my client webapp: 17:10:01.946 [http-bio-8080-exec-12] TRACE o.j.c.c.session.SingleSignOutFilter - Ignoring URI /hello-world/ Does anyone have any thoughts on what I might be doing wrong? Is there any documentation on sign out/single sign out that I'm missing? Thanks, Eric Stein -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
