Hi,

It's pretty strange: with just Shiro + CAS, the application logout does not work (as it was not designed to).

I use a demo I created to test CAS support in Shiro: https://github.com/leleuj/cas-shiro-demo.

I go to the application and try to access a protected area: http://localhost:8080/app/user/index.jsp. I'm redirected to the CAS server, I authenticate and I'm redirected back to the Shiro application. I can see that my session has been created on the Shiro application side and the Shiro principal is the username from the CAS server.

If I call the CAS logout: http://localhost:8080/cas/logout, I'm hopefully logged out from CAS and the Shiro application receives a CAS logout:

CAS SHIRO DEMO APP 2012/11/29 11:08:33,253 DEBUG [qtp18397504-36] org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [null] from doGetAuthenticationInfo
CAS SHIRO DEMO APP 2012/11/29 11:08:33,253 DEBUG [qtp18397504-36] org.apache.shiro.realm.AuthenticatingRealm - No AuthenticationInfo found for submitted AuthenticationToken [org.apache.shiro.cas.CasToken@180d48a]. Returning null.
CAS SHIRO DEMO APP 2012/11/29 11:08:33,254 DEBUG [qtp18397504-36] org.apache.shiro.web.servlet.SimpleCookie - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/app; Max-Age=0; Expires=Wed, 28-Nov-2012 10:08:33 GMT]

Which is in fact ignored by the Shiro application, as the CAS support for Shiro does not handle CAS logout.

Then, I can still access a protected area in my Shiro application: http://localhost:8080/app/user/index.jsp and my Shiro session is still valid: the CAS logout has not been taken into account.

The web session is initialized in Shiro with a first round-trip to the CAS server. It happens just once; after that you're authenticated in your Shiro application (without any communication with CAS) until a timeout occurs.

Best regards,
Jérôme
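The gap described in the message above, as an added example that is not part of the original post or of the shiro-cas module: a client has to remember which service ticket created each local session, then end that session when the CAS server posts its logout message. It assumes the CAS back-channel format (a `logoutRequest` POST parameter whose `samlp:SessionIndex` carries the service ticket); the class, method names and sample values are hypothetical.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example: hypothetical names, JDK only, not the shiro-cas implementation.
public class CasSingleLogoutSketch {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    // service ticket -> local session id, recorded when the ticket is validated at login
    private final Map<String, String> ticketToSession = new ConcurrentHashMap<>();
    // stand-in for the application's session store: session id -> principal
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    void onLogin(String serviceTicket, String sessionId, String principal) {
        sessions.put(sessionId, principal);
        ticketToSession.put(serviceTicket, sessionId);
    }

    // Takes the value of the logoutRequest POST parameter; true if a session was ended.
    boolean onLogoutRequest(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The message arrives on an unauthenticated endpoint: refuse DTDs (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        NodeList idx = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getElementsByTagNameNS(SAMLP, "SessionIndex");
        if (idx.getLength() != 1) return false; // malformed or ambiguous request
        String sessionId = ticketToSession.remove(idx.item(0).getTextContent().trim());
        return sessionId != null && sessions.remove(sessionId) != null;
    }

    boolean isAuthenticated(String sessionId) { return sessions.containsKey(sessionId); }

    public static void main(String[] args) throws Exception {
        CasSingleLogoutSketch app = new CasSingleLogoutSketch();
        app.onLogin("ST-1-constructed", "sess-42", "alice"); // constructed values
        // Constructed sample of the message the CAS server posts on logout
        String req = "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP
                + "\" ID=\"LR-1\" Version=\"2.0\"><samlp:SessionIndex>ST-1-constructed"
                + "</samlp:SessionIndex></samlp:LogoutRequest>";
        System.out.println("before logout: " + app.isAuthenticated("sess-42"));
        System.out.println("request handled: " + app.onLogoutRequest(req));
        System.out.println("after logout: " + app.isAuthenticated("sess-42"));
    }
}
```

Without the ticket-to-session map, the logout message cannot be tied to any local session, which matches the behaviour reported above: the session stays valid until it times out.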
