RE:[cas-user] logout

2015-10-30 Thread Chris Cheltenham
Thanks Neil, I appreciate it.

From: Neil Sabol [mailto:nssa...@unm.edu]
Sent: Thursday, October 29, 2015 10:23 AM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] logout

Good morning Chris,

I've used something like the following for logout with phpCAS:

require_once 'CAS.php';
phpCAS::client(CAS_VERSION_2_0, 'your.cas.url', 443, 'yourcascontext');
phpCAS::setNoCasServerValidation();
phpCAS::logout();

You would substitute your own CAS values for your.cas.url and yourcascontext.

I hope it helps.

Thank you,
-Neil

From: Chris Cheltenham [mailto:cchelten...@swaintechs.com]
Sent: Thursday, October 29, 2015 6:26 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] logout

Hello Everyone,

Has anyone written PHP code for a logout button in my header?
I am not a web developer, yet I am being asked to do so.

If anyone has that code to share I would very much appreciate it.

I have tried a number of things without luck googling.

After that I need to run a script to kill the apache session cookie created by 
mod_auth_cas.
But one thing at a time.



Thank You;

Chris Cheltenham
cchelten...@swaintechs.com
SwainTechs
10 Walnut Grove Rd
Suite 110
Horsham, PA
19044

888-905-5767 / X407





--

You are currently subscribed to 
cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: 
nssa...@unm.edu<mailto:nssa...@unm.edu>

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user





Re: [cas-user] logout

2015-10-30 Thread Alberto Cabello Sánchez
On Thu, Oct 29, 2015 at 02:22:33PM +, Neil Sabol wrote:
> Good morning Chris,
> 
> I've used something like the following for logout with phpCAS:
> 
> require_once 'CAS.php';
> phpCAS::client(CAS_VERSION_2_0, 'your.cas.url', 443, 'yourcascontext');
> phpCAS::setNoCasServerValidation();
> phpCAS::logout();
> 
> You would substitute your own CAS values for your.cas.url and yourcascontext.

Will that log out from your application before redirecting
elsewhere? Or it is needed to do something like

session_destroy() ?



-- 
Alberto Cabello Sánchez
Universidad de Extremadura




RE: [cas-user] logout

2015-10-30 Thread Neil Sabol
Hi Alberto and Chris,

No problem.

If you are using sessions in PHP (i.e. session_start() ), you would likely also 
need to call session_destroy(); before phpCAS::logout(). Alternatively, I've 
heard of others using $_SESSION= null; prior to calling phpCAS::logout to 
terminate the PHP application's session.

If your application's logout handler is on a different page (or you have a 
slightly different requirement, besides sending the user to the CAS logout page 
when he/she logs out), you can use 
phpCAS::logoutWithRedirectService("http://url.to.page.after.logout")

Thanks for mentioning that detail and hope this helps,
-Neil


-Original Message-
From: Alberto Cabello Sánchez [mailto:albe...@unex.es] 
Sent: Friday, October 30, 2015 7:42 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] logout

On Thu, Oct 29, 2015 at 02:22:33PM +, Neil Sabol wrote:
> Good morning Chris,
> 
> I've used something like the following for logout with phpCAS:
> 
> require_once 'CAS.php';
> phpCAS::client(CAS_VERSION_2_0, 'your.cas.url', 443, 'yourcascontext');
> phpCAS::setNoCasServerValidation();
> phpCAS::logout();
> 
> You would substitute your own CAS values for your.cas.url and yourcascontext.

Will that log out from your application before redirecting elsewhere? Or it is 
needed to do something like

session_destroy() ?



--
Alberto Cabello Sánchez
Universidad de Extremadura




RE:[cas-user] logout

2015-10-29 Thread Neil Sabol
Good morning Chris,

I've used something like the following for logout with phpCAS:

require_once 'CAS.php';
phpCAS::client(CAS_VERSION_2_0, 'your.cas.url', 443, 'yourcascontext');
phpCAS::setNoCasServerValidation();
phpCAS::logout();

You would substitute your own CAS values for your.cas.url and yourcascontext.

I hope it helps.

Thank you,
-Neil

From: Chris Cheltenham [mailto:cchelten...@swaintechs.com]
Sent: Thursday, October 29, 2015 6:26 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] logout

Hello Everyone,

Has anyone written PHP code for a logout button in my header?
I am not a web developer, yet I am being asked to do so.

If anyone has that code to share I would very much appreciate it.

I have tried a number of things without luck googling.

After that I need to run a script to kill the apache session cookie created by 
mod_auth_cas.
But one thing at a time.



Thank You;

Chris Cheltenham
cchelten...@swaintechs.com
SwainTechs
10 Walnut Grove Rd
Suite 110
Horsham, PA
19044

888-905-5767 / X407







RE: [cas-user] logout redirect not use "service" but "TARGET" for .NET application?

2015-10-01 Thread Zhou, Yan
Never mind, I figured it out, we had someone write some code to customize that 
behavior.  Thanks, CAS does work as expected.

Yan

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Wednesday, September 30, 2015 1:53 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] logout redirect not use "service" but "TARGET" for .NET 
application?

I don't follow. Why or how is the .NET client sending your logout requests?

From: Zhou, Yan [mailto:yan.x.z...@questdiagnostics.com]
Sent: Tuesday, September 29, 2015 7:45 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] logout redirect not use "service" but "TARGET" for .NET 
application?

Hi there,

I am using Jasig CAS 3.x.  As user logout, we want them to go back to the login 
page (not staying in the CAS logout page).  I understand that I need to append 
"service=x" at the end of /cas/logout as a query parameter.  That works 
well for all our Java based client, which by default uses "service" for such 
parameter.

We have an issue with .NET application. It automatically adds "TARGET=x" 
(not "service").  So, CAS server does not know it meant a redirect after 
logout.  Is there any way to configure CAS to accept both "service" and 
"TARGET" for serviceParameterName?

Thanks,

Yan Zhou | Quest Diagnostics Incorporated | Lead Engineer, Healthcare IT 
Solutions | 4690 Parkway Drive | Mason, OH 45040 USA | phone +1 513-204-2613 | 
fax +1 513-229-5505 |  
yan.x.z...@questdiagnostics.com | 
www.questdiagnostics.com


__
The contents of this message, together with any attachments, are intended only 
for the use of the person(s) to which they are addressed and may contain 
confidential and/or privileged information. Further, any medical information 
herein is confidential and protected by law. It is unlawful for unauthorized 
persons to use, review, copy, disclose, or disseminate confidential medical 
information. If you are not the intended recipient, immediately advise the 
sender and delete this message and any attachments. Any distribution, or 
copying of this message, or any attachment, is prohibited.





RE: [cas-user] logout redirect not use "service" but "TARGET" for .NET application?

2015-09-29 Thread Misagh Moayyed
I don't follow. Why or how is the .NET client sending your logout
requests? 

 

From: Zhou, Yan [mailto:yan.x.z...@questdiagnostics.com] 
Sent: Tuesday, September 29, 2015 7:45 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] logout redirect not use "service" but "TARGET" for
.NET application?

 

Hi there,

 

I am using Jasig CAS 3.x.  As user logout, we want them to go back to the
login page (not staying in the CAS logout page).  I understand that I need
to append "service=x" at the end of /cas/logout as a query parameter.
That works well for all our Java based client, which by default uses
"service" for such parameter.

 

We have an issue with .NET application. It automatically adds
"TARGET=x" (not "service").  So, CAS server does not know it meant a
redirect after logout.  Is there any way to configure CAS to accept both
"service" and "TARGET" for serviceParameterName?

 

Thanks,

 

Yan Zhou | Quest Diagnostics Incorporated | Lead Engineer, Healthcare IT
Solutions | 4690 Parkway Drive | Mason, OH 45040 USA | phone +1
513-204-2613 | fax +1 513-229-5505 |  yan.x.z...@questdiagnostics.com
  | www.questdiagnostics.com
 

 




RE: [cas-user] Logout not following service redirects

2015-07-24 Thread Misagh Moayyed
Your logout url should receive a service parameter and that service
needs to be authorized in your registry. That should make it work. 

 

From: Bryan Wooten [mailto:bryan.woo...@utah.edu] 
Sent: Thursday, July 23, 2015 8:13 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Logout not following service redirects

 

Running CAS 3.5.x and I have

 

cas.logout.followServiceRedirects=true

 

in my cas.properties. But it doesn't seem to work. Any ideas?

 

Bryan Wooten

Tel: (801)585-9323

Email: bryan.woo...@utah.edu

 



 

 


Re: [cas-user] Logout using phpCAS

2015-02-19 Thread Benjamin Cherian
That's what I thought, but the documentation
(https://wiki.jasig.org/display/CASC/phpCAS+logout), says that the
logout() method will kill the current PHP session. So that assumes the
application does not need to call session_destroy(). But if they do call
session_destroy() before the phpCAS::logout(), will that cause any issues
with the logout? I'd test it out myself, but I don't have access to the
application, nor any current PHP applications to test with at the moment.





On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

Likely, you also have some kind of PHP session for the application.

= Generally speaking, logging out of CAS SSO does *NOT* log you out of
any application sessions. =

So you might want to clear any normal PHP session prior to calling
`phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They
created a custom login page to handle CAS. Login works fine, but logout
is currently an issue. Currently when we logout, phpCAS::logout() is
called and we are redirected to the CAS logout page. When I try to go to
any URL within the application, I'm not logged in. When I go to another
CAS enabled application, I am not logged in.

But when I go back to the custom CAS login page, I am logged back in
without being prompted for login credentials. No interaction occurs
between the application and the CAS servers, so it is all within the
client and the application at this point of re-entry.

Is this acceptable behavior for CAS, or is there something more that
needs to be done to be fully logged out of the application?

Thanks,
Ben




Re: [cas-user] Logout using phpCAS

2015-02-19 Thread Benjamin Cherian
So terminating session did not work, but we found the problem and solution. It 
seems phpCAS sets a cookie with the ticket when you login. The vendor created 
the page 'login.php', and the cookie was session_for:login.php. Then on 
logout another cookie was set with the name session_for:logout.php. Removing 
the session_for:login.php cookie disabled the auto login to the login.php and 
prompted for CAS credentials.


-Ben

From: Mike Seiler michaelsei...@fuller.edu
Reply-To: cas-user@lists.jasig.org
Date: Thursday, February 19, 2015 at 11:05 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Logout using phpCAS

Ben,

I have several PHP applications.  The only way that I've found to completely 
kill the local application session is to explicitly set the local PHP session 
to null and destroy it, then call the phpCAS::logout() method.  This ensures 
that any additional attempts to log in to the local application require 
authentication through CAS.

session_destroy() only kills a current session if one has started, so that 
means that you have the odd requirement of calling session_start() just to call 
session_destroy()

session_start();
session_destroy();
// If you really want to make sure it all dies
$_SESSION= null;
phpCAS::logout();

Mike

On Thu, Feb 19, 2015 at 7:56 AM, Waldbieser, Carl 
waldb...@lafayette.edu wrote:
Ben,

I am not sure, as I don't have the code in front of me at the moment, but 
calling phpCAS::logout() essentially should stop the current execution and 
redirect you to the logout URL on your CAS server.  If you need to work around 
a bug, you could probably kill the local session and do the redirect directly 
in PHP.

Thanks,
Carl


- Original Message -
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 10:12:45 AM
Subject: Re: [cas-user] Logout using phpCAS

That's what I thought, but the documentation
(https://wiki.jasig.org/display/CASC/phpCAS+logout), says that the
logout() method will kill the current PHP session. So that assumes the
application does not need to call session_destroy(). But if they do call
session_destroy() before the phpCAS::logout(), will that cause any issues
with the logout? I'd test it out myself, but I don't have access to the
application, nor any current PHP applications to test with at the moment.





On 2/19/15, 9:57 AM, Waldbieser, Carl 
waldb...@lafayette.edu wrote:

Ben,

Likely, you also have some kind of PHP session for the application.

= Generally speaking, logging out of CAS SSO does *NOT* log you out of
any application sessions. =

So you might want to clear any normal PHP session prior to calling
`phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They
created a custom login page to handle CAS. Login works fine, but logout
is currently an issue. Currently when we logout, phpCAS::logout() is
called and we are redirected to the CAS logout page. When I try to go to
any URL within the application, I'm not logged in. When I go to another
CAS enabled application, I am not logged in.

But when I go back to the custom CAS login page, I am logged back in
without being prompted for login credentials. No interaction occurs
between the application and the CAS servers, so it is all within the
client and the application at this point of re-entry.

Is this acceptable behavior for CAS, or is there something more that
needs to be done to be fully logged out of the application?

Thanks,
Ben


Re: [cas-user] Logout using phpCAS

2015-02-19 Thread Mike Seiler
Ben,

I have several PHP applications.  The only way that I've found to
completely kill the local application session is to explicitly set the
local PHP session to null and destroy it, then call the phpCAS::logout()
method.  This ensures that any additional attempts to log in to the local
application require authentication through CAS.

session_destroy() only kills a current session if one has started, so that
means that you have the odd requirement of calling session_start() just to
call session_destroy()

session_start();
session_destroy();
// If you really want to make sure it all dies
$_SESSION= null;
phpCAS::logout();

Mike

On Thu, Feb 19, 2015 at 7:56 AM, Waldbieser, Carl waldb...@lafayette.edu
wrote:

 Ben,

 I am not sure, as I don't have the code in front of me at the moment, but
 calling phpCAS::logout() essentially should stop the current execution and
 redirect you to the logout URL on your CAS server.  If you need to work
 around a bug, you could probably kill the local session and do the redirect
 directly in PHP.

 Thanks,
 Carl


 - Original Message -
 From: Benjamin Cherian benjamin.cher...@villanova.edu
 To: cas-user@lists.jasig.org
 Sent: Thursday, February 19, 2015 10:12:45 AM
 Subject: Re: [cas-user] Logout using phpCAS

 That's what I thought, but the documentation
 (https://wiki.jasig.org/display/CASC/phpCAS+logout), says that the
 logout() method will kill the current PHP session. So that assumes the
 application does not need to call session_destroy(). But if they do call
 session_destroy() before the phpCAS::logout(), will that cause any issues
 with the logout? I'd test it out myself, but I don't have access to the
 application, nor any current PHP applications to test with at the moment.





 On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

 Ben,
 
 Likely, you also have some kind of PHP session for the application.
 
 = Generally speaking, logging out of CAS SSO does *NOT* log you out of
 any application sessions. =
 
 So you might want to clear any normal PHP session prior to calling
 `phpCAS::logout()`.
 
 Thanks,
 Carl Waldbieser
 ITS System Programmer
 Lafayette College
 
 - Original Message -
 From: Benjamin Cherian benjamin.cher...@villanova.edu
 To: cas-user@lists.jasig.org
 Sent: Thursday, February 19, 2015 9:28:51 AM
 Subject: [cas-user] Logout using phpCAS
 
 We have a vendor using phpCAS to implement SSO with our CAS server. They
 created a custom login page to handle CAS. Login works fine, but logout
 is currently an issue. Currently when we logout, phpCAS::logout() is
 called and we are redirected to the CAS logout page. When I try to go to
 any URL within the application, I'm not logged in. When I go to another
 CAS enabled application, I am not logged in.
 
 But when I go back to the custom CAS login page, I am logged back in
 without being prompted for login credentials. No interaction occurs
 between the application and the CAS servers, so it is all within the
 client and the application at this point of re-entry.
 
 Is this acceptable behavior for CAS, or is there something more that
 needs to be done to be fully logged out of the application?
 
 Thanks,
 Ben
 




-- 
*Michael Seiler*
--
Systems Integration Engineer
Fuller Theological Seminary
Phone: (970) 306-6105
michaelsei...@fuller.edu

*Please NOTE:*
I respond to email at 8 AM, 1PM, and at 4:30PM.  If you need more immediate
help, please contact TSS (626.584.5675) and they can route the issue to the
appropriate person.  If this is a business process life or death emergency,
you may call me at the above number.
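
A logout handler that combines the steps discussed in these threads (ending the PHP session before phpCAS::logout(), expiring the per-page session_for:login.php cookie, and redirecting after logout), shown as an added example that is not code from any poster or from the phpCAS project. The CA chain path, the post-logout URL and the helper function names are assumptions; your.cas.url and yourcascontext are the placeholders used in the thread.

```php
<?php
// logout.php: added example, not code from the thread or from phpCAS.
require_once 'CAS.php';

const CAS_HOST     = 'your.cas.url';                 // placeholder from the thread
const CAS_PORT     = 443;
const CAS_CONTEXT  = 'yourcascontext';               // placeholder from the thread
const CAS_CA_CHAIN = '/path/to/cas-ca-chain.pem';    // assumed path
const AFTER_LOGOUT = 'https://app.example.edu/';     // assumed URL

// Cookie name reported in the thread for the vendor's login.php page.
// Other deployments may use a different name; check the browser's cookie jar.
const LOGIN_PAGE_COOKIE = 'session_for:login.php';

/**
 * Ask the browser to drop a cookie by re-sending it with a past expiry.
 * Path, domain and flags must match the ones the cookie was set with;
 * this assumes the application uses PHP's configured session cookie params.
 */
function expire_cookie(string $name): void
{
    $p = session_get_cookie_params();
    setcookie($name, '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

/**
 * End the application's own PHP session: in-memory data, the browser
 * cookie, and the server-side session record.
 */
function destroy_local_session(): void
{
    // session_destroy() only acts on an active session, so resume it first.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Clear the data held for this request.
    $_SESSION = [];

    // session_destroy() does not remove the cookie from the browser.
    if (ini_get('session.use_cookies')) {
        expire_cookie(session_name());
    }

    // Remove the server-side session storage.
    session_destroy();
}

// Four-argument form as used in the thread; phpCAS 1.6 and later also
// take a service base URL argument.
phpCAS::client(CAS_VERSION_2_0, CAS_HOST, CAS_PORT, CAS_CONTEXT);

// Verify the CAS server's certificate against a CA chain instead of calling
// setNoCasServerValidation(), so the same setup can be reused on pages that
// validate tickets.
phpCAS::setCasServerCACert(CAS_CA_CHAIN);

// 1. End the local application session.
destroy_local_session();

// 2. Expire the login page's separate session cookie, which otherwise
//    lets login.php sign the user back in without contacting CAS.
expire_cookie(LOGIN_PAGE_COOKIE);

// 3. End the CAS SSO session and send the user on afterwards. The CAS
//    server follows this redirect only if the URL is an authorized
//    service in its registry.
phpCAS::logoutWithRedirectService(AFTER_LOGOUT);
```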


Re: [cas-user] Logout using phpCAS

2015-02-19 Thread Waldbieser, Carl
Ben,

I am not sure, as I don't have the code in front of me at the moment, but 
calling phpCAS::logout() essentially should stop the current execution and 
redirect you to the logout URL on your CAS server.  If you need to work around 
a bug, you could probably kill the local session and do the redirect directly 
in PHP.

Thanks,
Carl


- Original Message -
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 10:12:45 AM
Subject: Re: [cas-user] Logout using phpCAS

That's what I thought, but the documentation
(https://wiki.jasig.org/display/CASC/phpCAS+logout), says that the
logout() method will kill the current PHP session. So that assumes the
application does not need to call session_destroy(). But if they do call
session_destroy() before the phpCAS::logout(), will that cause any issues
with the logout? I'd test it out myself, but I don't have access to the
application, nor any current PHP applications to test with at the moment.





On 2/19/15, 9:57 AM, Waldbieser, Carl waldb...@lafayette.edu wrote:

Ben,

Likely, you also have some kind of PHP session for the application.

= Generally speaking, logging out of CAS SSO does *NOT* log you out of
any application sessions. =

So you might want to clear any normal PHP session prior to calling
`phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They
created a custom login page to handle CAS. Login works fine, but logout
is currently an issue. Currently when we logout, phpCAS::logout() is
called and we are redirected to the CAS logout page. When I try to go to
any URL within the application, I'm not logged in. When I go to another
CAS enabled application, I am not logged in.

But when I go back to the custom CAS login page, I am logged back in
without being prompted for login credentials. No interaction occurs
between the application and the CAS servers, so it is all within the
client and the application at this point of re-entry.

Is this acceptable behavior for CAS, or is there something more that
needs to be done to be fully logged out of the application?

Thanks,
Ben



Re: [cas-user] Logout using phpCAS

2015-02-19 Thread Waldbieser, Carl
Ben,

Likely, you also have some kind of PHP session for the application.

= Generally speaking, logging out of CAS SSO does *NOT* log you out of any 
application sessions. =

So you might want to clear any normal PHP session prior to calling 
`phpCAS::logout()`.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

- Original Message -
From: Benjamin Cherian benjamin.cher...@villanova.edu
To: cas-user@lists.jasig.org
Sent: Thursday, February 19, 2015 9:28:51 AM
Subject: [cas-user] Logout using phpCAS

We have a vendor using phpCAS to implement SSO with our CAS server. They 
created a custom login page to handle CAS. Login works fine, but logout is 
currently an issue. Currently when we logout, phpCAS::logout() is called and we 
are redirected to the CAS logout page. When I try to go to any URL within the 
application, I'm not logged in. When I go to another CAS enabled application, I 
am not logged in.

But when I go back to the custom CAS login page, I am logged back in without 
being prompted for login credentials. No interaction occurs between the 
application and the CAS servers, so it is all within the client and the 
application at this point of re-entry.

Is this acceptable behavior for CAS, or is there something more that needs to 
be done to be fully logged out of the application?

Thanks,
Ben



Re: [cas-user] Logout view not following server url redirects

2015-02-17 Thread Marvin Addison

> My 3.5.2 CAS server is not following redirects on logout.

Do you have some evidence to share? Not much changed on HttpClient between
3.4.12 and 3.5.2 [1], other than adding the followServiceRedirects flag
which previously defaulted to true. Turn up org.jasig.cas.util to DEBUG and
see if you get any hints.

M

[1]
https://github.com/Jasig/cas/commit/01c3e87fe2697a06c3efc94d606e1311633bb396


RE: [cas-user] Logout view not following server url redirects

2015-02-17 Thread Bryan Wooten
I finally figured it out.

It is behaving as designed:

https://issues.jasig.org/browse/CAS-1190

My users were redirecting to a URL not in the service manager. I added their URL 
and now it is working.

-Bryan

From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: Tuesday, February 17, 2015 10:00 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Logout view not following server url redirects

> My 3.5.2 CAS server is not following redirects on logout.
Do you have some evidence to share? Not much changed on HttpClient between 
3.4.12 and 3.5.2 [1], other than adding the followServiceRedirects flag which 
previously defaulted to true. Turn up org.jasig.cas.util to DEBUG and see if 
you get any hints.

M

[1] https://github.com/Jasig/cas/commit/01c3e87fe2697a06c3efc94d606e1311633bb396
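
The behaviour Bryan describes, where a logout redirect is followed only when the service URL is registered in the service manager, sketched as an added example (this is not CAS's own code). The registry patterns, the view name default and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed registry entries standing in for the service manager (assumption).
REGISTERED_SERVICES = [
    r"https://portal\.example\.edu/.*",
    r"https://mail\.example\.edu/zimbra/.*",
]

# View rendered when no redirect is followed (name used here is illustrative).
DEFAULT_VIEW = "casLogoutView"


def is_registered(service_url, patterns=REGISTERED_SERVICES):
    """Return True only when the whole URL matches a registered pattern."""
    # Reject characters used for header splitting or browser path confusion.
    if any(c in service_url for c in "\r\n\t\\"):
        return False
    try:
        parts = urlsplit(service_url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    # "https://portal.example.edu@other.example/" hides the trusted name in
    # the userinfo part; the real host is other.example.
    if parts.username is not None or parts.password is not None:
        return False
    # fullmatch anchors the pattern at both ends; the "/" after the host in
    # each pattern is what stops "portal.example.edu.other.example".
    return any(re.fullmatch(p, service_url) for p in patterns)


def logout_target(params, follow_service_redirects):
    """Decide what /logout does: ("redirect", url) or ("view", name).

    Only the `service` parameter is considered, so a client that sends the
    return address under another name (for example `url`) gets the view.
    """
    service = params.get("service")
    if follow_service_redirects and service and is_registered(service):
        return ("redirect", service)
    return ("view", DEFAULT_VIEW)


if __name__ == "__main__":
    for p in (
        {"service": "https://portal.example.edu/home"},
        {"service": "https://unregistered.example.org/"},
        {"url": "https://portal.example.edu/home"},
    ):
        print(p, "->", logout_target(p, follow_service_redirects=True))
```

An unregistered URL falls back to the logout view rather than producing an error, which matches the "not following redirects" symptom in this thread.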






RE: [cas-user] Logout redirects

2014-07-27 Thread Misagh Moayyed
Overlay this file in your configuration, and set true to false:

https://github.com/Jasig/cas/blob/4.0.x/cas-server-core/src/main/java/org/jasig/cas/logout/LogoutManagerImpl.java#L144

 

Later versions of CAS will have an option to configure this via a
property. This will allow messages to be sent in a synchronized fashion. 

 

From: richard.wise...@bt.com [mailto:richard.wise...@bt.com] 
Sent: Friday, July 25, 2014 1:43 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Logout redirects

 

Hi,

 

Can I specify a delay before a logout redirect takes place?  I couldn't
see anything in the configuration of my server.

 

The reason I ask is that it redirects to the service URL apparently before
CAS has had a chance to post the logout XML to the application, so when
the redirect completes and the application renders its page, it still
believes it's logged in.

 

Thanks,

 

Richard

 

 

 

 

Re: [cas-user] logout redirect

2014-05-23 Thread David Kane
Hi

Thanks for your replies.  I tried both options, but as the logout parameter
on the application (Luminis) uses url rather than service, it doesn't work.
 It looks like I will have to amend the casLogoutView.jsp, which is what
Ellucian have done with the bundled version of CAS.

Regards
David



On 19 May 2014 16:52, Michael Wechner michael.wech...@wyona.com wrote:

  I am not sure about other possibilities, but it works for me when changing

 webapps/cas-server-webapp-3.5.2/WEB-INF/cas-servlet.xml

 by setting the attribute followServiceRedirects to true

 HTH

 Michael

 On 19.05.14 17:48, Misagh Moayyed wrote:

 and leave cas-servlet.xml untouched or is it telling me I need to modify
 cas-servlet.xml and not cas.properties?



 Leave cas-servlet.xml alone, and only change cas.properties.



 From: David Kane [mailto:david.a.k...@ucd.ie]
 Sent: Monday, May 19, 2014 8:45 AM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] logout redirect



 Hi



 I am trying to set up logout redirect in CAS 3.5.2, I see that I can change
 the following line in cas-servlet.xml:



 p:followServiceRedirects="${cas.logout.followServiceRedirects:false}"/>



 to



 p:followServiceRedirects="true"/>




 However, there is a section in the cas.properties file as follows:



 ##

 # CAS Logout Behavior

 # WEB-INF/cas-servlet.xml

 #

 # Specify whether CAS should redirect to the specifyed service parameter on
 /logout requests

 # cas.logout.followServiceRedirects=false



 does this mean I can change this to



 ##

 # CAS Logout Behavior

 # WEB-INF/cas-servlet.xml

 #

 # Specify whether CAS should redirect to the specifyed service parameter on
 /logout requests

 cas.logout.followServiceRedirects=true



 and leave cas-servlet.xml untouched or is it telling me I need to modify
 cas-servlet.xml and not cas.properties?



 I would prefer to do this in cas.properties if possible, in order to reduce
 the number of files I have to modify.



 Thanks

 David





RE: [cas-user] logout redirect

2014-05-19 Thread Misagh Moayyed
and leave cas-servlet.xml untouched or is it telling me I need to modify 
cas-servlet.xml and not cas.properties?



Leave cas-servlet.xml alone, and only change cas.properties.



From: David Kane [mailto:david.a.k...@ucd.ie]
Sent: Monday, May 19, 2014 8:45 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] logout redirect



Hi



I am trying to set up logout redirect in CAS 3.5.2, I see that I can change 
the following line in cas-servlet.xml:



p:followServiceRedirects="${cas.logout.followServiceRedirects:false}"/>



to



p:followServiceRedirects="true"/>




However, there is a section in the cas.properties file as follows:



##

# CAS Logout Behavior

# WEB-INF/cas-servlet.xml

#

# Specify whether CAS should redirect to the specifyed service parameter on 
/logout requests

# cas.logout.followServiceRedirects=false



does this mean I can change this to



##

# CAS Logout Behavior

# WEB-INF/cas-servlet.xml

#

# Specify whether CAS should redirect to the specifyed service parameter on 
/logout requests

cas.logout.followServiceRedirects=true



and leave cas-servlet.xml untouched or is it telling me I need to modify 
cas-servlet.xml and not cas.properties?



I would prefer to do this in cas.properties if possible, in order to reduce 
the number of files I have to modify.



Thanks

David



Re: [cas-user] logout redirect

2014-05-19 Thread Michael Wechner
I am not sure about other possibilities, but it works for me when changing

webapps/cas-server-webapp-3.5.2/WEB-INF/cas-servlet.xml

by setting the attribute followServiceRedirects to true

HTH

Michael

On 19.05.14 17:48, Misagh Moayyed wrote:
 and leave cas-servlet.xml untouched or is it telling me I need to modify 
 cas-servlet.xml and not cas.properties?



 Leave cas-servlet.xml alone, and only change cas.properties.



 From: David Kane [mailto:david.a.k...@ucd.ie]
 Sent: Monday, May 19, 2014 8:45 AM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] logout redirect



 Hi



 I am trying to set up logout redirect in CAS 3.5.2, I see that I can change 
 the following line in cas-servlet.xml:



 p:followServiceRedirects="${cas.logout.followServiceRedirects:false}"/>



 to



 p:followServiceRedirects="true"/>




 However, there is a section in the cas.properties file as follows:



 ##

 # CAS Logout Behavior

 # WEB-INF/cas-servlet.xml

 #

 # Specify whether CAS should redirect to the specifyed service parameter on 
 /logout requests

 # cas.logout.followServiceRedirects=false



 does this mean I can change this to



 ##

 # CAS Logout Behavior

 # WEB-INF/cas-servlet.xml

 #

 # Specify whether CAS should redirect to the specifyed service parameter on 
 /logout requests

 cas.logout.followServiceRedirects=true



 and leave cas-servlet.xml untouched or is it telling me I need to modify 
 cas-servlet.xml and not cas.properties?



 I would prefer to do this in cas.properties if possible, in order to reduce 
 the number of files I have to modify.



 Thanks

 David





RE:[cas-user] Logout with mod_auth_cas not working

2013-10-22 Thread Steppacher Ralf
Anyone any hints on where it might go wrong?

Thanks!
Ralf


From: Steppacher Ralf [ralf.steppac...@derivativepartners.com]
Sent: Wednesday, October 09, 2013 16:42
To: cas-user@lists.jasig.org
Subject: [cas-user] Logout with mod_auth_cas not working

Hello CAS users,

I am having troubles getting logout with mod_auth_cas to work. I know the 
documentation in https://github.com/Jasig/mod_auth_cas says that it is an 
experimental feature...
I am using the head version of the master branch as of end of August.

When I call the CAS logout URL I receive the log output below from mod_auth_cas. 
All statements are printed twice. Also, it seems to look at the contents of the 
POST twice. On the first go it reads the 'l' of 'logoutRequest', on the second 
go it reads the rest of the string, which contains the SAML logout request. 
Could this be a configuration issue that makes mod_auth_cas behave in such a 
way?

Apache log for a single request to https://dev.local.fe2/cas/logout:

[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(1954): [client 127.0.0.1] 
Entering cas_authenticate()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(578): [client 127.0.0.1] CAS 
Service 'https%3a%2f%2fdev.local.fe2%2f'
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(526): [client 127.0.0.1] 
entering getCASLoginURL()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(503): [client 127.0.0.1] 
entering getCASGateway()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(593): [client 127.0.0.1] 
entering redirectRequest()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(605): [client 127.0.0.1] 
Adding outgoing header: Location: 
https://dev.local.fe2/cas/login?service=https%3a%2f%2fdev.local.fe2%2f
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(1954): [client 127.0.0.1] 
Entering cas_authenticate()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(578): [client 127.0.0.1] CAS 
Service 'https%3a%2f%2fdev.local.fe2%2f'
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(526): [client 127.0.0.1] 
entering getCASLoginURL()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(503): [client 127.0.0.1] 
entering getCASGateway()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(593): [client 127.0.0.1] 
entering redirectRequest()
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(605): [client 127.0.0.1] 
Adding outgoing header: Location: 
https://dev.local.fe2/cas/login?service=https%3a%2f%2fdev.local.fe2%2f
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 1 bytes (l) from 
incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 1 bytes (l) from 
incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 486 bytes 
(ogoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-6-JKcjM93PFyxcn5sk2GHmydOmyn7DaTyxbyj%22+Version%3D%222.0%22+IssueInstant%3D%222013-10-09T15%3A13%3A41Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-37-GYLVQn1Ly3mDVH17Obk6-steppra1-linux-mint%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E)
 from incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2558): read 486 bytes 
(ogoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-5-fUVEWneUCA79uuTcXJZRrOj1KoQwx91ucZA%22+Version%3D%222.0%22+IssueInstant%3D%222013-10-09T15%3A13%3A41Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-38-pZ0MOWzzXqZEC266GxXp-steppra1-linux-mint%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E)
 from incoming buckets\n
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2538): unable to retrieve 
bucket brigade: This function has not been implemented on this platform
[Wed Oct 09 15:13:41 2013] [debug] mod_auth_cas.c(2538): unable to retrieve 
bucket brigade: This function has not been implemented on this platform


mod_auth_cas configuration:

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASValidateServer Off
CASDebug On
CASAllowWildcardCert On
CASLoginURL https://dev.local.fe2/cas/login
CASValidateURL https://dev.local.fe2/cas/samlValidate
CASValidateSAML On
CASSSOEnabled On

ProxyPass /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverse /cas https://steppra1-linux-mint:8443/cas
ProxyPassReverseCookieDomain steppra1-linux-mint dev.local.fe2
ProxyPassReverseCookiePath /cas /

<Location />
Authtype CAS
CASScope .
CASAuthNHeader on
CASScrubRequestHeaders On
Require valid-user
</Location>

<Location /cas>
Satisfy Any
</Location>



Any help is greatly appreciated!

Ralf
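
The log in this message shows the single logout POST body arriving in two reads ('l', then 'ogoutRequest=...'). As an added example (not mod_auth_cas code, and not from the original post), here is a receiver that buffers the whole body before parsing it, extracts the SessionIndex and ends the matching local session. The sample body, ticket value, size limit and all names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_BODY = 16 * 1024  # assumed upper bound; a logout request is a few hundred bytes

# Constructed sample with the same shape as the body in the log; values made up.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-EXAMPLE" Version="2.0" IssueInstant="2013-10-09T15:13:41Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-EXAMPLE-ticket</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
SAMPLE_BODY = urlencode({"logoutRequest": SAMPLE_XML}).encode("ascii")


def read_body(chunks, content_length=None):
    """Join every chunk before parsing; one read is not one request body."""
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        if len(buf) > MAX_BODY:
            raise ValueError("logout body too large")
    if content_length is not None and len(buf) != content_length:
        raise ValueError("logout body length does not match Content-Length")
    return bytes(buf)


def session_index(body):
    """Return the SessionIndex (the service ticket) or None if not a logout request."""
    try:
        form = parse_qs(body.decode("ascii"))
    except UnicodeDecodeError:
        return None
    values = form.get("logoutRequest")
    if not values or len(values) != 1:
        return None
    xml = values[0]
    # A logout request never needs a DTD; refusing one avoids entity expansion.
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        return None
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP)
    if node is None or not node.text:
        return None
    return node.text.strip()


class SessionStore:
    """Maps the service ticket seen at login to the local session it created."""

    def __init__(self):
        self.by_ticket = {}

    def bind(self, ticket, session_id):
        self.by_ticket[ticket] = session_id

    def handle_logout(self, chunks, content_length=None):
        """Destroy the session tied to the ticket; return its id, or None."""
        ticket = session_index(read_body(chunks, content_length))
        if ticket is None:
            return None
        return self.by_ticket.pop(ticket, None)


if __name__ == "__main__":
    store = SessionStore()
    store.bind("ST-1-EXAMPLE-ticket", "sess-abc")
    split = [SAMPLE_BODY[:1], SAMPLE_BODY[1:]]  # same split as in the log
    print("first chunk alone :", session_index(split[0]))
    print("buffered body     :", store.handle_logout(split, len(SAMPLE_BODY)))
```

Parsing either chunk on its own yields nothing, because the form key is only 'logoutRequest' once both reads are joined.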


re:[cas-user] logout error message

2013-01-29 Thread jleleu
Hi,

When you call the CAS logout (/cas/logout url), the CAS server will call all 
the application service urls with a logout request.

It seems that you don't have the SSL certificate for an application in your CAS 
server, which prevents the logout request from being sent to the application.

Take a look at : 
https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide.

Best regards,
Jérôme


Re: [cas-user] Logout with CAS\logout needs closing browser window

2012-09-13 Thread MrCrowley
Thanks, I've added the listener and checked the filter-mapping order in the 
web.xml and now it's all set fine.
By the way the troubled app is JForum, which happens to maintain the user in 
session, so I've had to modify its logout process and then redirect to the CAS 
logout page.
Doing it this way I can fully log out without closing the browser.
There's still one question I don't understand: JForum maintains session info 
about the user, but if I invalidate the CAS session and ticket via the CAS logout 
page, the resource being protected by the CAS filter (JForum context in this case) 
must not be accessible, right? Or am I missing something?



From: jleleu lel...@gmail.com
To: cas-user@lists.jasig.org
Sent: Tuesday 11 September 2012 20:44
Subject: re:[cas-user] Logout with CAS\logout needs closing browser window
 
Hi,

I think that you also need to add the SingleSignOutHttpSessionListener in your 
web.xml : https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out.
Best regards,
Jérôme


Re: [cas-user] /logout 101

2012-09-03 Thread s400t
Thank you, Marvin.
 

--- On Sat, 2012/9/1, Marvin Addison marvin.addi...@gmail.com wrote:

On Fri, Aug 31, 2012 at 4:31 AM, s4...@yahoo.co.jp wrote:

 I read that when I issue /logout command, it destroys the TGC that has
 been stored by the CAS server upon establishment of a SSO session.  I assume
 the TGC is stored on the client side. But I also see that in CAS server
 logs, something is happening.. basically ticket TGT-XXX.. is being
 removed.

 I am trying to explore a possibility where only removing local TGC would
 log me out from an SSO regime.

Destroying the session cookie will effectively log you out of CAS.

 But I don't know what happens that server
 side TGT-XXX?  Would the ticket registry just grow and grow for each new SSO
 session?

Yes, until the orphaned ticket is purged either by cache expiration
(cached-based ticket registries) or periodic ticket registry cleaning
(driven by Quartz scheduled task.)

 how would the remote CAS server know if a user has deleted his or her TGC on
 the client side?

Not possible.

M


Re: [cas-user] /logout 101

2012-08-31 Thread s400t
Marvin, Scott
Would you please comment on it?

--- On Fri, 2012/8/31, s4...@yahoo.co.jp s4...@yahoo.co.jp wrote:

I read that when I issue /logout command, it destroys the TGC that has been 
stored by the CAS server upon establishment of a SSO session.  I assume the TGC 
is stored on the client side. But I also see that in CAS server logs, 
something is happening.. basically ticket TGT-XXX.. is being removed.

I am trying to explore a possibility where only removing local TGC would log me 
out from an SSO regime. But I don't know what happens that server side TGT-XXX? 
 Would the ticket registry just grow and grow for each new SSO session? Even if 
there is a kind of garbage collection of ticket registries, how would the 
remote CAS server know if a user has deleted his or her TGC on the client side? 

My conclusion is that one needs to communicate with the server for the TGC 
removal, just removing the TGC on the client side is not enough. Is it
 correct?

Hope someone can demystify the logout process or point to some URLs.

Thanks.
 

Re: [cas-user] /logout 101

2012-08-31 Thread Marvin Addison
On Fri, Aug 31, 2012 at 4:31 AM, s4...@yahoo.co.jp wrote:

 I read that when I issue /logout command, it destroys the TGC that has
 been stored by the CAS server upon establishment of a SSO session.  I assume
 the TGC is stored on the client side. But I also see that in CAS server
 logs, something is happening.. basically ticket TGT-XXX.. is being
 removed.

 I am trying to explore a possibility where only removing local TGC would
 log me out from an SSO regime.

Destroying the session cookie will effectively log you out of CAS.

 But I don't know what happens that server
 side TGT-XXX?  Would the ticket registry just grow and grow for each new SSO
 session?

Yes, until the orphaned ticket is purged either by cache expiration
(cached-based ticket registries) or periodic ticket registry cleaning
(driven by Quartz scheduled task.)

 how would the remote CAS server know if a user has deleted his or her TGC on
 the client side?

Not possible.

M



Re: [cas-user] /logout service parameter

2012-04-24 Thread William G. Thompson, Jr.
Hi Jonathan,

I'm interested in bringing the cas protocol spec up to date with the
current implementation and community expectations. Perhaps this
would make a good BOF session at the Jasig/Sakai conference in June.

Bill




On Mon, Apr 23, 2012 at 2:38 PM, Jonathan Windle
jonathan.win...@bellevuecollege.edu wrote:
 Thanks Scott.

 I've done a little more digging since my last e-mail and it appears the
 reason rubycas-client uses destination is because rubycas-server uses
 destination instead of service for redirect on logout.

 Oddly enough rubycas-client used service for redirect on logout before
 v2.1.0. For some reason in late 2009 they decided to switch it to
 destination to better match the behaviour of other CAS clients.
 http://rubycas-client.googlecode.com/svn/trunk/rubycas-client/History.txt

 It seems to me that redirect on logout is a feature that for the most part
 is being widely supported in one form or another. Because it is not
 specified in the CAS protocol there has been feature fragmentation at least
 in the case of RubyCAS.

 It might be more trouble than it's worth but it seems reasonable to me for
 the CAS protocol specification to be updated so that it includes service
 as an optionally supported parameter for /logout so when developers
 implement this feature it is done consistently.

 Any thoughts?

 Jonathan

 
 From: Scott Battaglia [scott.battag...@gmail.com]
 Sent: Sunday, April 22, 2012 14:36
 To: cas-user@lists.jasig.org
 Subject: Re: [cas-user] /logout service parameter

 It's not an official part of the CAS protocol. It was included as service
 when CAS3 was written (6 years ago) because it was a common extension.  I
 can't speak for why RubyCAS-client chose to use destination and not
 service.

 Cheers,
 Scott

 On Mon, Apr 16, 2012 at 2:37 PM, Jonathan Windle
 jonathan.win...@bellevuecollege.edu wrote:

 Hello,

 I'm looking for information about how official and widely the service
 parameter is used with /logout. We enable this feature in our CAS
 implementation by setting the followServiceRedirects property to true for
 the LogoutController defined in cas-servlet.xml (http://goo.gl/JLz9c). Up
 until this point I have found this feature to be pretty well supported by
 most CAS clients and plug-ins that we have implemented.

 Currently we are implementing the Canvas LMS by Instructure and it being a
 Ruby on Rails product they use RubyCAS-Client to support CAS.

 The problem we are having is that RubyCAS-Client returns the redirect url
 to /logout in a destination parameter not as a service parameter (Look under
 Defining a 'logout' action at https://github.com/rubycas/rubycas-client).

 So at this point I'm kind of wondering why the CAS specification
 (http://www.jasig.org/cas/protocol) doesn't define a parameter for redirect
 on logout and why RubyCAS-Client seems to think that the parameter name
 should be destination vs service.

 I would also be interested in knowing what's involved in making /logout
 understand what to do with the destination parameter.

 Thanks,
 Jonathan



RE: [cas-user] /logout service parameter

2012-04-23 Thread Jonathan Windle
Thanks Scott.

I've done a little more digging since my last e-mail and it appears the reason 
rubycas-client uses destination is because rubycas-server uses destination 
instead of service for redirect on logout.

Oddly enough rubycas-client used service for redirect on logout before 
v2.1.0. For some reason in late 2009 they decided to switch it to destination 
to better match the behaviour of other CAS clients. 
http://rubycas-client.googlecode.com/svn/trunk/rubycas-client/History.txt

It seems to me that redirect on logout is a feature that for the most part is 
being widely supported in one form or another. Because it is not specified in 
the CAS protocol there has been feature fragmentation at least in the case of 
RubyCAS.

It might be more trouble than it's worth but it seems reasonable to me for the 
CAS protocol specification to be updated so that it includes service as an 
optionally supported parameter for /logout so when developers implement this 
feature it is done consistently.

Any thoughts?

Jonathan


From: Scott Battaglia [scott.battag...@gmail.com]
Sent: Sunday, April 22, 2012 14:36
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] /logout service parameter

It's not an official part of the CAS protocol. It was included as service when 
CAS3 was written (6 years ago) because it was a common extension.  I can't 
speak for why RubyCAS-client chose to use destination and not service.

Cheers,
Scott

On Mon, Apr 16, 2012 at 2:37 PM, Jonathan Windle 
jonathan.win...@bellevuecollege.edu wrote:
Hello,

I'm looking for information about how official and widely the service 
parameter is used with /logout. We enable this feature in our CAS 
implementation by setting the followServiceRedirects property to true for the 
LogoutController defined in cas-servlet.xml (http://goo.gl/JLz9c). Up until 
this point I have found this feature to be pretty well supported by most CAS 
clients and plug-ins that we have implemented.

Currently we are implementing the Canvas LMS by Instructure and it being a Ruby 
on Rails product they use RubyCAS-Client to support CAS.

The problem we are having is that RubyCAS-Client returns the redirect url to 
/logout in a destination parameter not as a service parameter (Look under 
Defining a 'logout' action at https://github.com/rubycas/rubycas-client).

So at this point I'm kind of wondering why the CAS specification 
(http://www.jasig.org/cas/protocol) doesn't define a parameter for redirect on 
logout and why RubyCAS-Client seems to think that the parameter name should be 
destination vs service.

I would also be interested in knowing what's involved in making /logout 
understand what to do with the destination parameter.

Thanks,
Jonathan

Re: [cas-user] /logout service parameter

2012-04-22 Thread Scott Battaglia
It's not an official part of the CAS protocol. It was included as service
when CAS3 was written (6 years ago) because it was a common extension.  I
can't speak for why RubyCAS-client chose to use destination and not
service.

Cheers,
Scott

On Mon, Apr 16, 2012 at 2:37 PM, Jonathan Windle 
jonathan.win...@bellevuecollege.edu wrote:

 Hello,

 I'm looking for information about how official and widely the service
 parameter is used with /logout. We enable this feature in our CAS
 implementation by setting the followServiceRedirects property to true for
 the LogoutController defined in cas-servlet.xml (http://goo.gl/JLz9c). Up
 until this point I have found this feature to be pretty well supported by
 most CAS clients and plug-ins that we have implemented.

 Currently we are implementing the Canvas LMS by Instructure and it being a
 Ruby on Rails product they use RubyCAS-Client to support CAS.

 The problem we are having is that RubyCAS-Client returns the redirect url
 to /logout in a destination parameter not as a service parameter (Look
 under Defining a 'logout' action at
 https://github.com/rubycas/rubycas-client).

 So at this point I'm kind of wondering why the CAS specification (
 http://www.jasig.org/cas/protocol) doesn't define a parameter for
 redirect on logout and why RubyCAS-Client seems to think that the parameter
 name should be destination vs service.

 I would also be interested in knowing what's involved in making /logout
 understand what to do with the destination parameter.

 Thanks,
 Jonathan

Re: [cas-user] logout of CASified Zimbra web application does not work

2012-01-04 Thread Philippe MARASSE

Folks,

We've CASified Zimbra since 6.x and logout works without problems. As 
Andrew said in 2), when a user logs out from Zimbra, a simple HTML logout 
page is displayed: this page is not on the same virtual host as Zimbra 
and I've verified that all Zimbra-related cookies got destroyed. This 
logout page explains that the application is logged out but the SSO session 
is still alive. Despite that, some users do not understand why they 
can return to Zimbra without authentication (in fact, authentication is 
transparent through CAS)... I'm afraid that the SSO concept is not always 
well understood.


Rgds.

On 03/01/2012 19:14, Andrew Petro wrote:

Jon,

Merely changing a logout link in the UI to point to the CAS server logout URL 
is, as you've discovered, insufficient where CAS's single logout callbacks 
aren't implemented.

Rather, a Zimbra logout link should address a Zimbra server endpoint which 
terminates the application-local session.  And then it should do something 
else, such as
1) redirect to https://yourCasServerFQDN/cas/logout to end the CAS session and 
have CAS display its SSO session ended message, or
2) Display a page explaining to the user that the Zimbra-local session has been 
terminated but that the single sign-on session continues, and inviting the user 
to click a link to also log out of CAS

Either of these options could be implemented in a trivial JSP.

Which of those options to pick depends mostly on what user expectations you've set, by the 
presentation of the logout link in the UI (was it log out of Zimbra or was it log 
out of CAS?) and by the way other logout links work in applications in your environment.

Kind regards,

Andrew



On Jan 3, 2012, at 11:14 AM, Jon Detert wrote:


I have Zimbra 'ZCS' version 7.1.3 CASified with CAS Server v3.4.11 via these 
directions:

https://wiki.jasig.org/display/CAS/CASifying+Zimbra+6.0

Authentication and 'single sign-on' works great.

However, zimbra users can not logout of zimbra the 'normal' way:

0) the zimbra web app has a 'Logout' link.  The CASification procedure has you 
redefine the URL for that link to https://yourCasServerFQDN/cas/logout

1) when a user clicks the zimbra 'Logout' link, they are taken to the correct 
CAS logout URL

2) if the user then returns to zimbra, they are allowed in without 
re-authentication.

I.e. the zimbra webapp's logout link doesn't really work.  To really log out, 
the user must either:
a) close the web browser entirely (meaning all windows and/or tabs), or
b) clear the browser's history,cache,and credentials, or
c) delete the browser's ZM_AUTH_TOKEN and JSESSIONID cookies

The CAS client I'm using with Zimbra is version 3.1.8.

Any idea how I can make it possible for a zimbra user to logout by clicking a 
link?

Thanks,

Jon



Re: [cas-user] logout of CASified Zimbra web application does not work

2012-01-03 Thread Andrew Petro
Jon,

Merely changing a logout link in the UI to point to the CAS server logout URL 
is, as you've discovered, insufficient where CAS's single logout callbacks 
aren't implemented.

Rather, a Zimbra logout link should address a Zimbra server endpoint which 
terminates the application-local session.  And then it should do something 
else, such as
1) redirect to https://yourCasServerFQDN/cas/logout to end the CAS session and 
have CAS display its SSO session ended message, or
2) Display a page explaining to the user that the Zimbra-local session has been 
terminated but that the single sign-on session continues, and inviting the user 
to click a link to also log out of CAS

Either of these options could be implemented in a trivial JSP.

Which of those options to pick depends mostly on what user expectations you've 
set, by the presentation of the logout link in the UI (was it log out of 
Zimbra or was it log out of CAS?) and by the way other logout links work in 
applications in your environment.

Kind regards,

Andrew



On Jan 3, 2012, at 11:14 AM, Jon Detert wrote:

 I have Zimbra 'ZCS' version 7.1.3 CASified with CAS Server v3.4.11 via these 
 directions:
 
 https://wiki.jasig.org/display/CAS/CASifying+Zimbra+6.0
 
 Authentication and 'single sign-on' works great.
 
 However, zimbra users can not logout of zimbra the 'normal' way:
 
 0) the zimbra web app has a 'Logout' link.  The CASification procedure has 
 you redefine the URL for that link to https://yourCasServerFQDN/cas/logout
 
 1) when a user clicks the zimbra 'Logout' link, they are taken to the correct 
 CAS logout URL
 
 2) if the user then returns to zimbra, they are allowed in without 
 re-authentication.
 
 I.e. the zimbra webapp's logout link doesn't really work.  To really log out, 
 the user must either:
 a) close the web browser entirely (meaning all windows and/or tabs), or
 b) clear the browser's history, cache, and credentials, or
 c) delete the browser's ZM_AUTH_TOKEN and JSESSIONID cookies
 
 The CAS client I'm using with Zimbra is version 3.1.8.
 
 Any idea how I can make it possible for a zimbra user to logout by clicking a 
 link?
 
 Thanks,
 
 Jon
 
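
The logout flow Andrew describes, written as a servlet rather than a JSP. This is an added example, not Zimbra or CAS project code; the class name, the `endSsoSession` init parameter and the cookie path `/` are assumptions, while the cookie names and the CAS logout URL placeholder come from the thread.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: end the application-local session first, then either
 * redirect to CAS logout (option 1) or show a page that offers it (option 2).
 */
public class LocalLogoutServlet extends HttpServlet {

    // Placeholder host from the thread; replace with the real CAS server.
    // A fixed constant, never a request parameter, so this cannot become an
    // open redirect.
    private static final String CAS_LOGOUT_URL =
            "https://yourCasServerFQDN/cas/logout";

    // Cookies the thread says keep the user logged in to the application.
    private static final String[] LOCAL_COOKIES = {"ZM_AUTH_TOKEN", "JSESSIONID"};

    // Assumption: the cookies were issued with Path=/. A browser only
    // replaces a cookie when the name and path match the original.
    private static final String COOKIE_PATH = "/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {

        // 1. Terminate the application-local server-side session, if any.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Expire the local cookies in the browser. This only removes the
        //    browser's copy; any server-side token state must be revoked by
        //    the application itself.
        for (String name : LOCAL_COOKIES) {
            Cookie expired = new Cookie(name, "");
            expired.setPath(COOKIE_PATH);
            expired.setMaxAge(0);
            expired.setSecure(true);
            resp.addCookie(expired);
        }

        // Keep the logged-out response out of shared and browser caches.
        resp.setHeader("Cache-Control", "no-store");

        // 3. Hypothetical init parameter choosing between the two options.
        boolean endSsoSession = "true".equals(getInitParameter("endSsoSession"));

        if (endSsoSession) {
            // Option 1: also end the CAS SSO session; CAS shows its own
            // "session ended" page.
            resp.sendRedirect(CAS_LOGOUT_URL);
            return;
        }

        // Option 2: local logout only, with an explicit link to end SSO.
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><body>");
        out.println("<p>Your Zimbra session has been terminated, "
                + "but your single sign-on session continues.</p>");
        out.println("<p><a href=\"" + CAS_LOGOUT_URL
                + "\">Also log out of CAS</a></p>");
        out.println("</body></html>");
    }
}
```

The application's 'Logout' link then points at this servlet's mapping instead of directly at the CAS logout URL.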



Re: [cas-user] logout to multiple apps from the main window

2011-12-02 Thread Marvin Addison
 is there a way to logout to all casified apps in the
 pop up windows once I logout to the main window?

Not sure what windows have to do with anything.  They should all tie
back to a single CAS SSO session that maps to a single CASTGC cookie
on the client.  So the normal single sign-out considerations would
apply to your case.  See
https://wiki.jasig.org/display/CASUM/Single+Sign+Out for more
information.

M



Re: [cas-user] logout to multiple apps from the main window

2011-12-01 Thread JOLI A PATINO
Hi! I have my main window that is logged in
to CAS. From the main window, I have pop-up windows that have links to different
casified applications.

My question is: is there a way
to log out of all casified apps in the pop-up windows once I log out of the
main window?

Thanks in advance.



Re: [cas-user] logout page redirect

2011-05-12 Thread Vipin Jain
Which module of CAS are you using?

On May 12, 2011, at 1:38 PM, Jorge Infante Osorio jorg...@uci.cu wrote:

 Hi all.
 
 Is it possible for the logout action in all my applications protected by
 CAS, after sending me to the CAS logout page, to automatically redirect me to
 another page, for example the CAS login page or some other page?
 
 We don’t want to see the logout page of CAS in the final solution.
 
 Thanks, 
 Ing. Jorge Infante Osorio.
 J´Dpto Soluciones SOA.
 CDAE.
 UCI
 
 
 



RE: [cas-user] logout page redirect

2011-05-12 Thread Jorge Infante Osorio
I'm using CAS for Liferay and a PHP application with phpCAS.

Jorge.
Ing. Jorge Infante Osorio.
J´Dpto Soluciones SOA.
CDAE.
UCI

-Original Message-
From: Vipin Jain [mailto:vjsat...@gmail.com] 
Sent: Thursday, May 12, 2011 13:56
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] logout page redirect

Which module of CAS are you using?

On May 12, 2011, at 1:38 PM, Jorge Infante Osorio jorg...@uci.cu wrote:

 Hi all.
 
 Is it possible for the logout action in all my applications protected 
 by CAS, after sending me to the CAS logout page, to automatically redirect 
 me to another page, for example the CAS login page or some other page?
 
 We don’t want to see the logout page of CAS in the final solution.
 
 Thanks,
 Ing. Jorge Infante Osorio.
 J´Dpto Soluciones SOA.
 CDAE.
 UCI
 
 
 



Re: [cas-user] logout exception javax.net.ssl.SSLHandshakeException

2010-01-21 Thread Giuseppe Sollazzo

Hi Scott,
I'm not sure I actually understand what you mean. In my example, there 
was no url to call back, as I was trying to invoke the logout entrypoint 
directly from the browser. The same however happens when I do logout 
from an application (hence providing a callback url). I haven't said it 
doesn't work: it logs out, it always did, but I can see from the server 
logs that I get that exception and was trying to discover what's going on.
I'm probably missing something in here wrt cas/certificate issues, but I 
can't find extensive documentation on this. Could you please give me 
pointers to CAS documentation?

Thanks,
Giuseppe

Scott Battaglia wrote:
On Wed, Jan 20, 2010 at 9:21 AM, Giuseppe Sollazzo 
gsoll...@sgul.ac.uk wrote:


Maybe I'm missing something here so forgive my possibly stupid
issue :-)

I'm actually calling the logout entrypoint directly from the
browser, to test it, entering
https://myserver/cas-server-webapp-3.3.3/logout. There's no
application involved. Isn't it supposed to work anyway?


Who ever said it didn't work?  Part of the process is calling BACK to 
your applications programmatically to let them know the session 
ended.  CAS doesn't trust the application endpoint when it's trying to 
call back (i.e. you're using a self-signed certificate).


 



Giuseppe

Scott Battaglia wrote:

What you're seeing is CAS trying to call back to your services
to let them know that the CAS session ended.  One of the
endpoints for your applications has a certificate that
disagrees with CAS :-)



On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo
gsoll...@sgul.ac.uk wrote:

   Hi everyone,
   I've got a seemingly working install of CAS on Moodle now, after
   solving some issues with phpCAS.
   Nonetheless I get an exception when using logout from CAS,
   invoking https://myserver/cas-server-webapp-3.3.3/logout

   I guess this is related to using phpCAS::setNoCasServerValidation()?

   Thanks,
   Giuseppe

   2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] -
   javax.net.ssl.SSLHandshakeException:
   sun.security.validator.ValidatorException: PKIX path validation
   failed: java.security.cert.CertPathValidatorException: basic
   constraints check failed: pathLenConstraint violated - this cert
   must be the last cert in the certification path
   javax.net.ssl.SSLHandshakeException:
   sun.security.validator.ValidatorException: PKIX path validation
   failed: java.security.cert.CertPathValidatorException: basic
   constraints check failed: pathLenConstraint violated - this cert
   must be the last cert in the certification path

Re: [cas-user] logout exception javax.net.ssl.SSLHandshakeException

2010-01-21 Thread Scott Battaglia
On Thu, Jan 21, 2010 at 4:43 AM, Giuseppe Sollazzo gsoll...@sgul.ac.uk wrote:

 Hi Scott,
 I'm not sure I actually understand what you mean. In my example, there was
 no url to call back, as I was trying to invoke the logout entrypoint directly
 from the browser.


Yes, and as I've said the logout process calls back to your applications
programmatically to let them know that the session has ended.  It happens on
the server side.  It's single sign out.



 The same however happens when I do logout from an application (hence
 providing a callback url). I haven't said it doesn't work: it logs out, it
 always did, but I can see from the server logs that I get that exception and
 was trying to discover what's going on.


That callback is different than what I am talking about.  The error you are
seeing is because CAS is trying to notify the application that the session
ended and CAS does not trust the certificate of the application it's trying
to notify.  It does this notification via back channels.





 I'm probably missing something in here wrt cas/certificate issues, but I
 can't find extensive documentation on this. Could you please give me
 pointers to CAS documentation?
 Thanks,
 Giuseppe

 Scott Battaglia wrote:

 On Wed, Jan 20, 2010 at 9:21 AM, Giuseppe Sollazzo
 gsoll...@sgul.ac.uk wrote:

Maybe I'm missing something here so forgive my possibly stupid
issue :-)

I'm actually calling the logout entrypoint directly from the
browser, to test it, entering
https://myserver/cas-server-webapp-3.3.3/logout. There's no
application involved. Isn't it supposed to work anyway?


 Who ever said it didn't work?  Part of the process is calling BACK to your
 applications programmatically to let them know the session ended.  CAS
 doesn't trust the application endpoint when it's trying to call back (i.e.
 you're using a self-signed certificate).



Giuseppe

Scott Battaglia wrote:

What you're seeing is CAS trying to call back to your services
to let them know that the CAS session ended.  One of the
endpoints for your applications has a certificate that
disagrees with CAS :-)



On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo
gsoll...@sgul.ac.uk wrote:

   Hi everyone,
   I've got a seemingly working install of CAS on Moodle now, after
   solving some issues with phpCAS.
   Nonetheless I get an exception when using logout from CAS,
   invoking https://myserver/cas-server-webapp-3.3.3/logout

   I guess this is related to using phpCAS::setNoCasServerValidation()?

   Thanks,
   Giuseppe

   2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] -
   javax.net.ssl.SSLHandshakeException:
   sun.security.validator.ValidatorException: PKIX path validation
   failed: java.security.cert.CertPathValidatorException: basic
   constraints check failed: pathLenConstraint violated - this cert
   must be the last cert in the certification path
   javax.net.ssl.SSLHandshakeException:
   sun.security.validator.ValidatorException: PKIX path validation
   failed: java.security.cert.CertPathValidatorException: basic
   constraints check failed: pathLenConstraint violated - this cert
   must be the last cert in the certification path

Re: [cas-user] logout exception javax.net.ssl.SSLHandshakeException

2010-01-21 Thread Giuseppe Sollazzo

Thanks, I'll give it a look.

G

Scott Battaglia wrote:
On Thu, Jan 21, 2010 at 4:43 AM, Giuseppe Sollazzo 
gsoll...@sgul.ac.uk wrote:


Hi Scott,
I'm not sure I actually understand what you mean. In my example,
there was no url to call back, as I was trying to invoke the logout
entrypoint directly from the browser.


Yes, and as I've said the logout process calls back to your 
applications programmatically to let them know that the session has 
ended.  It happens on the server side.  It's single sign out.


 


The same however happens when I do logout from an application
(hence providing a callback url). I haven't said it doesn't work:
it logs out, it always did, but I can see from the server logs
that I get that exception and was trying to discover what's going on.


That callback is different than what I am talking about.  The error 
you are seeing is because CAS is trying to notify the application that 
the session ended and CAS does not trust the certificate of the 
application it's trying to notify.  It does this notification via back 
channels.




 


I'm probably missing something in here wrt cas/certificate issues,
but I can't find extensive documentation on this. Could you please
give me pointers to CAS documentation?
Thanks,
Giuseppe

Scott Battaglia wrote:

On Wed, Jan 20, 2010 at 9:21 AM, Giuseppe Sollazzo
gsoll...@sgul.ac.uk wrote:

   Maybe I'm missing something here so forgive my possibly stupid
   issue :-)

   I'm actually calling the logout entrypoint directly from the
   browser, to test it, entering
   https://myserver/cas-server-webapp-3.3.3/logout. There's no
   application involved. Isn't it supposed to work anyway?


Who ever said it didn't work?  Part of the process is calling
BACK to your applications programmatically to let them know
the session ended.  CAS doesn't trust the application endpoint
when it's trying to call back (i.e. you're using a self-signed
certificate).

 


   Giuseppe

   Scott Battaglia wrote:

   What you're seeing is CAS trying to call back to your services
   to let them know that the CAS session ended.  One of the
   endpoints for your applications has a certificate that
   disagrees with CAS :-)



   On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo
   gsoll...@sgul.ac.uk wrote:

      Hi everyone,
      I've got a seemingly working install of CAS on Moodle now, after
      solving some issues with phpCAS.
      Nonetheless I get an exception when using logout from CAS,
      invoking https://myserver/cas-server-webapp-3.3.3/logout

      I guess this is related to using phpCAS::setNoCasServerValidation()?

      Thanks,
      Giuseppe

      2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] -
      javax.net.ssl.SSLHandshakeException:
      sun.security.validator.ValidatorException: PKIX path validation
      failed: java.security.cert.CertPathValidatorException: basic
      constraints check failed: pathLenConstraint violated - this cert
      must be the last cert in the certification path
      javax.net.ssl.SSLHandshakeException:
      sun.security.validator.ValidatorException: PKIX path validation
      failed: java.security.cert.CertPathValidatorException: basic
      constraints check failed: pathLenConstraint violated - this cert
      must be the last cert in the certification path

Re: [cas-user] logout exception javax.net.ssl.SSLHandshakeException

2010-01-20 Thread Scott Battaglia
What you're seeing is CAS trying to call back to your services to let them
know that the CAS session ended.  One of the endpoints for your applications
has a certificate that disagrees with CAS :-)



On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo gsoll...@sgul.ac.uk wrote:

 Hi everyone,
 I've got a seemingly working install of CAS on Moodle now, after solving
 some issues with phpCAS.
 Nonetheless I get an exception when using logout from CAS, invoking
 https://myserver/cas-server-webapp-3.3.3/logout

 I guess this is related to using phpCAS::setNoCasServerValidation()?

 Thanks,
 Giuseppe

 2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] -
 javax.net.ssl.SSLHandshakeException:
 sun.security.validator.ValidatorException: PKIX path validation failed:
 java.security.cert.CertPathValidatorException: basic constraints check
 failed: pathLenConstraint violated - this cert must be the last cert in the
 certification path
 javax.net.ssl.SSLHandshakeException:
 sun.security.validator.ValidatorException: PKIX path validation failed:
 java.security.cert.CertPathValidatorException: basic constraints check
 failed: pathLenConstraint violated - this cert must be the last cert in the
 certification path
   at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
   at
 com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown
 Source)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown
 Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
   at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
   at
 com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown
 Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
 Source)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown
 Source)
   at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
   at
 sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
 Source)
   at sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown
 Source)
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
 Source)
   at
 sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown
 Source)
   at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:200)
   at org.jasig.cas.util.HttpClient$MessageSender.call(HttpClient.java:160)
   at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
   at java.util.concurrent.FutureTask.run(Unknown Source)
   at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)
 Caused by: sun.security.validator.ValidatorException: PKIX path validation
 failed: java.security.cert.CertPathValidatorException: basic constraints
 check failed: pathLenConstraint violated - this cert must be the last cert
 in the certification path
   at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
   at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
   at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
   at sun.security.validator.Validator.validate(Unknown Source)
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown
 Source)
   at
 com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
 Source)
   at
 com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
 Source)
   ... 20 more
 Caused by: java.security.cert.CertPathValidatorException: basic constraints
 check failed: pathLenConstraint violated - this cert must be the last cert
 in the certification path
   at
 sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown
 Source)
   at
 sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown
 Source)
   at
 sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown
 Source)
   at java.security.cert.CertPathValidator.validate(Unknown Source)
   ... 27 more

 --
 Giuseppe Sollazzo
 Systems Developer / Administrator

 Computing Services
 St. George's, University of London



Re: [cas-user] logout exception javax.net.ssl.SSLHandshakeException

2010-01-20 Thread Giuseppe Sollazzo

Maybe I'm missing something here so forgive my possibly stupid issue :-)

I'm actually calling the logout entrypoint directly from the browser, to 
test it, entering https://myserver/cas-server-webapp-3.3.3/logout. 
There's no application involved. Isn't it supposed to work anyway?


Giuseppe

Scott Battaglia wrote:
What you're seeing is CAS trying to call back to your services to let 
them know that the CAS session ended.  One of the endpoints for your 
applications has a certificate that disagrees with CAS :-)




On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo 
gsoll...@sgul.ac.uk wrote:


Hi everyone,
I've got a seemingly working install of CAS on Moodle now, after
solving some issues with phpCAS.
Nonetheless I get an exception when using logout from CAS,
invoking https://myserver/cas-server-webapp-3.3.3/logout

I guess this is related to using phpCAS::setNoCasServerValidation()?

Thanks,
Giuseppe

2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] -
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: basic
constraints check failed: pathLenConstraint violated - this cert
must be the last cert in the certification path
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: basic
constraints check failed: pathLenConstraint violated - this cert
must be the last cert in the certification path

Re: [cas-user] logout exception javax.net.ssl.SSLHandshakeException

2010-01-20 Thread Scott Battaglia
On Wed, Jan 20, 2010 at 9:21 AM, Giuseppe Sollazzo gsoll...@sgul.ac.uk wrote:

 Maybe I'm missing something here so forgive my possibly stupid issue :-)

 I'm actually calling the logout entrypoint directly from the browser, to
 test it, entering https://myserver/cas-server-webapp-3.3.3/logout. There's
 no application involved. Isn't it supposed to work anyway?


Who ever said it didn't work?  Part of the process is calling BACK to your
applications programmatically to let them know the session ended.  CAS
doesn't trust the application endpoint when it's trying to call back (i.e.
you're using a self-signed certificate).




 Giuseppe

 Scott Battaglia wrote:

 What you're seeing is CAS trying to call back to your services to let them
 know that the CAS session ended.  One of the endpoints for your applications
 has a certificate that disagrees with CAS :-)



 On Wed, Jan 20, 2010 at 6:07 AM, Giuseppe Sollazzo
 gsoll...@sgul.ac.uk wrote:

Hi everyone,
I've got a seemingly working install of CAS on Moodle now, after
solving some issues with phpCAS.
Nonetheless I get an exception when using logout from CAS,
invoking https://myserver/cas-server-webapp-3.3.3/logout

I guess this is related to using phpCAS::setNoCasServerValidation()?

Thanks,
Giuseppe

2010-01-20 10:55:49,626 ERROR [org.jasig.cas.util.HttpClient] -
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: basic
constraints check failed: pathLenConstraint violated - this cert
must be the last cert in the certification path
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation
failed: java.security.cert.CertPathValidatorException: basic
constraints check failed: pathLenConstraint violated - this cert
must be the last cert in the certification path

RE: [cas-user] Logout from CAS an user

2009-04-14 Thread Diego Benedicto

A solution is to use the JPATicketRegistry and, in an extra table
(users_logued), to store: user | TGT | date login | date logout

users_logued is updated at login, at logout and by the ticket cleaner.

So if we want to log out a user from an external web application, we can
select all the TGTs of a user where logout is null and, with all these TGTs,
make a REST request: DELETE cas/tickets/TGTxxx


Pieslak, Brian wrote:
 
 This is also a feature I am looking for on my product's roadmap, so
 whatever solution is identified, could someone please socialize the
 design/implementation on the CAS wiki?
 
 Thanks,
 -Brian
 
 
 From: Diego Benedicto [diego.benedi...@gmail.com]
 Sent: Monday, April 13, 2009 11:44 AM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] Logout from CAS an user
 
 Hi all,
 
 I need to logout from CAS a user from an external web application...
 
 For example: logged as an admin in a web application that selects to block a
 user (a column in a table) and in this moment the web application sends a
 request to CAS that logs out this user (I would secure the request with a
 Proxy Ticket)
 
 Thanks in advance,
 Diego
 --
 View this message in context:
 http://www.nabble.com/Logout-from-CAS-an-user-tp23024111p23024111.html
 Sent from the CAS Users mailing list archive at Nabble.com.
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Logout-from-CAS-an-user-tp23024111p23037738.html
Sent from the CAS Users mailing list archive at Nabble.com.
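
The approach proposed in this message, sketched as an added example that is not part of the original post and is not CAS code: look up a user's open TGTs in users_logued and send one REST DELETE per ticket. The column names, the base URL argument, the status-code handling and the sample rows are assumptions made for the illustration.

```python
import sqlite3
import urllib.error
import urllib.request
from urllib.parse import quote

# Assumed layout of the post's users_logued table (column names are hypothetical).
SCHEMA = """CREATE TABLE users_logued (
    username TEXT NOT NULL, tgt TEXT NOT NULL,
    date_login TEXT NOT NULL, date_logout TEXT)"""

def open_tgts(db, username):
    """TGTs of one user that have no logout date yet."""
    sql = "SELECT tgt FROM users_logued WHERE username = ? AND date_logout IS NULL"
    return [row[0] for row in db.execute(sql, (username,))]

def http_delete(base_url):
    """Build a sender that issues DELETE <base_url>/tickets/<TGT> and returns the status."""
    def send(tgt):
        # The ticket id is percent-encoded so it cannot alter the request path.
        url = f"{base_url}/tickets/{quote(tgt, safe='')}"
        req = urllib.request.Request(url, method="DELETE")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send

def force_logout(db, username, send, now):
    """Destroy every open TGT of `username`; return {tgt: status}."""
    results = {}
    for tgt in open_tgts(db, username):
        status = results[tgt] = send(tgt)
        # Assumption: 2xx = destroyed, 404 = already gone; other codes stay open for retry.
        if 200 <= status < 300 or status == 404:
            db.execute("UPDATE users_logued SET date_logout = ? "
                       "WHERE tgt = ? AND date_logout IS NULL", (now, tgt))
    db.commit()
    return results

def demo():
    """Constructed sample rows and a stub sender, so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO users_logued VALUES (?, ?, ?, ?)", [
        ("alice", "TGT-1-aaa", "2009-04-13T09:00", None),
        ("alice", "TGT-2-bbb", "2009-04-13T10:00", None),
        ("alice", "TGT-3-ccc", "2009-04-12T08:00", "2009-04-12T17:00"),
        ("bob", "TGT-4-ddd", "2009-04-13T11:00", None)])
    stub = {"TGT-1-aaa": 200, "TGT-2-bbb": 500}.get  # constructed CAS replies
    return force_logout(db, "alice", stub, "2009-04-14T12:00"), db
```

Against a real server, pass `http_delete("https://your.cas.host/cas")` as the sender; a ticket whose DELETE fails keeps a null logout date, so the next run picks it up again.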




RE: [cas-user] Logout from CAS an user

2009-04-14 Thread Diego Benedicto

Another solution is to store the user in the table ticketgrantingticket,
using JpaTicketRegistry.
How can I modify JpaTicketRegistry to achieve it?


Diego Benedicto wrote:
 
 A solution is to use the JPATicketRegistry and, in an extra table
 (users_logued), to store: user | TGT | date login | date logout
 
 users_logued is updated at login, at logout and by the ticket cleaner.
 
 So if we want to log out a user from an external web application, we can
 select all the TGTs of a user where logout is null and, with all these TGTs,
 make a REST request: DELETE cas/tickets/TGTxxx
 
 
 Pieslak, Brian wrote:
 
 This is also a feature I am looking for on my product's roadmap, so
 whatever solution is identified, could someone please socialize the
 design/implementation on the CAS wiki?
 
 Thanks,
 -Brian
 
 
 From: Diego Benedicto [diego.benedi...@gmail.com]
 Sent: Monday, April 13, 2009 11:44 AM
 To: cas-user@lists.jasig.org
 Subject: [cas-user] Logout from CAS an user
 
 Hi all,
 
 I need to logout from CAS a user from an external web application...
 
 For example: logged as an admin in a web application that selects to block a
 user (a column in a table) and in this moment the web application sends a
 request to CAS that logs out this user (I would secure the request with a
 Proxy Ticket)
 
 Thanks in advance,
 Diego
 --
 View this message in context:
 http://www.nabble.com/Logout-from-CAS-an-user-tp23024111p23024111.html
 Sent from the CAS Users mailing list archive at Nabble.com.
 
 
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/Logout-from-CAS-an-user-tp23024111p23048617.html
Sent from the CAS Users mailing list archive at Nabble.com.




RE: [cas-user] Logout from CAS an user

2009-04-13 Thread Pieslak, Brian
This is also a feature I am looking for on my product's roadmap, so whatever 
solution is identified, could someone please socialize the 
design/implementation on the CAS wiki?

Thanks,
-Brian


From: Diego Benedicto [diego.benedi...@gmail.com]
Sent: Monday, April 13, 2009 11:44 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Logout from CAS an user

Hi all,

I need to logout from CAS a user from an external web application...

For example: logged as an admin in a web application that selects to block a
user (a column in a table) and in this moment the web application sends a
request to CAS that logs out this user (I would secure the request with a
Proxy Ticket)

Thanks in advance,
Diego
--
View this message in context: 
http://www.nabble.com/Logout-from-CAS-an-user-tp23024111p23024111.html
Sent from the CAS Users mailing list archive at Nabble.com.

