Your filter, such as the one below, is only going to meddle with the CAS
server session, not the application session. You'll need to make sure your
arg extractors have set the property 'disableSingleSignOut' to false. Yes,
the extractors are the ones that drive the logout callbacks. (Sending the
logout request should be enabled by default in CAS, but it's good to
double check your configuration once more.)

 

Wiki page on registering services is available here:
https://wiki.jasig.org/display/CASUM/Services+Management (This is probably
not the cause since you can authenticate into the app fine through the
client) 

 

Judging by your web.xml, your client configuration seems to be intact.
Make sure the CAS server logs are set to at least the DEBUG level. Look
for the following line "Sending logout request for: xyz" when you log out
of CAS from your application. If you can produce that line, we'll need to
look into the client app and see why it's not processing the incoming
request. If you can't see that line, the problem lies with CAS Server
configuration. 

 

This is the piece of code on the server side that should get executed and
is responsible for sending the logout request:

https://github.com/Jasig/cas/blob/master/cas-server-core/src/main/java/org/jasig/cas/authentication/principal/AbstractWebApplicationService.java#L153

 

-Misagh
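
Added example, not part of the original thread and not the CAS client's own code: a servlet-free sketch of what the logout callback does on the application side, showing why the application session only dies when the server's logout request arrives and is matched to a ticket. `AppSession`, `byTicket`, the ticket value and the simplified logout message are assumptions made for the demo.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SloCallbackDemo {
    /** Hypothetical stand-in for the application's HttpSession. */
    static final class AppSession {
        final String user; boolean valid = true;
        AppSession(String user) { this.user = user; }
    }

    // Service ticket -> application session, recorded when the client validates the ticket.
    static final Map<String, AppSession> byTicket = new ConcurrentHashMap<>();

    /** Pulls the service ticket out of the SessionIndex element of a logout request. */
    static String sessionIndex(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The XML arrives over HTTP from outside the app: refuse DOCTYPEs (no external entities).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        NodeList n = d.getElementsByTagNameNS("*", "SessionIndex");
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    /** What the client side does with a back-channel POST carrying a logout request. */
    static boolean handleLogoutRequest(String xml) throws Exception {
        String ticket = sessionIndex(xml);
        AppSession s = ticket == null ? null : byTicket.remove(ticket);
        if (s == null) return false;   // unknown or already-used ticket: nothing to destroy
        s.valid = false;               // a servlet app would call HttpSession.invalidate() here
        return true;
    }

    public static void main(String[] args) throws Exception {
        AppSession s = new AppSession("alice");
        byTicket.put("ST-1-constructed", s);   // constructed sample ticket
        String req = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                   + " ID=\"LR-1\" Version=\"2.0\">"
                   + "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex></samlp:LogoutRequest>";
        System.out.println("valid before callback: " + s.valid);
        System.out.println("callback handled:      " + handleLogoutRequest(req));
        System.out.println("valid after callback:  " + s.valid);
        System.out.println("replay handled:        " + handleLogoutRequest(req));
    }
}
```

If the server never sends the request, or the ticket in it does not match one the application recorded, the application session stays valid no matter what happens to the CAS server session.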



 

From: Stein, Eric [mailto:[email protected]] 
Sent: Friday, December 28, 2012 1:19 PM
To: [email protected]
Subject: RE: [cas-user] CAS 3.5.1: Having trouble with Sign-Out

 

Misagh,

  I stuck a filter in my cas server to intercept calls to /logout and call

        httpRequest.getSession().invalidate();

        chain.doFilter(httpRequest, response);

 

I'm still seeing the same issue. Did you have any other thoughts?

 

Thanks,

Eric Stein

 

From: Misagh Moayyed [mailto:[email protected]] 
Sent: Friday, December 28, 2012 11:01 AM
To: [email protected]
Subject: RE: [cas-user] CAS 3.5.1: Having trouble with Sign-Out

 

"session.invalidate()" in the manner that you have it is not going to
destroy your session. Likely, that produces a JS error. I believe you'd
have to carry that out through a little bit of Java code. 

 

1.  Your link could submit the request to a LogOutServlet which destroys
the session and redirects to /cas/logout.

2.  Your link could redirect to another jsp page which would include the
bit <% session.invalidate(); %> in it and would then redirect to
/cas/logout

3.  You could potentially investigate the issue in CAS server logs to see
what SLO callbacks aren't coming in, if CAS is configured to issue those,
in which case you wouldn't need 1 or 2 and a simple redirect to
/cas/logout would suffice. 

HTH. 

 

-Misagh

 

From: Stein, Eric [mailto:[email protected]] 
Sent: Friday, December 28, 2012 8:16 AM
To: [email protected]
Subject: RE: [cas-user] CAS 3.5.1: Having trouble with Sign-Out

 

I didn't see anything relevant, but maybe somebody else can? I included a
clean log sample that includes:

 

0. Start up tomcat with CAS and hello-world running.

1. Visit hello-world - intercepted and authenticated via CAS first.

2. Click this link on index.jsp:

            <a href="/authentication/logout" onClick="session.invalidate()">Log out</a>

3. Visit hello-world - *not* intercepted.

 

My browser was Firefox 17.0.1. /authentication is my CAS overlay.

 

Thanks so much for your time!

Eric Stein

 

From: Scott Battaglia [mailto:[email protected]] 
Sent: Friday, December 28, 2012 9:36 AM
To: [email protected]
Subject: RE: [cas-user] CAS 3.5.1: Having trouble with Sign-Out

 

Were there any other messages in the logs?

On Dec 28, 2012 9:24 AM, "Stein, Eric" <[email protected]> wrote:

Ok, that makes sense. Thanks for explaining that, Scott.

 

Eric Stein

 

From: Scott Battaglia [mailto:[email protected]] 
Sent: Friday, December 28, 2012 12:23 AM
To: [email protected]
Subject: Re: [cas-user] CAS 3.5.1: Having trouble with Sign-Out

 

That message gets written out (at trace level) whenever a URI does not
have the logout request or an authentication token (so basically every
page besides the logout request and the initial redirect back from CAS).

 

On Wed, Dec 26, 2012 at 5:24 PM, Stein, Eric <[email protected]> wrote:

I've got Tomcat 7.0.25 running with CAS 3.5.1 and a trivial java webapp
with one JSP. I added a link from the page to /cas/logout. When I follow
the link, CAS tells me I've logged out successfully, but I can navigate
back to the page without needing to authenticate again. It looks like
tickets are still being granted. I'm also seeing this line in my client
webapp:

17:10:01.946 [http-bio-8080-exec-12] TRACE o.j.c.c.session.SingleSignOutFilter - Ignoring URI /hello-world/

Does anyone have any thoughts on what I might be doing wrong? Is there
any documentation on sign out/single sign out that I'm missing?

Thanks,
Eric Stein

--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user

 
