I am having trouble with the the single log out feature. I am using CAS server 4.1.3 and client web apps based on the sample provided by UniconLabs <https://github.com/UniconLabs/cas-sample-java-webapp>. After modification according to the java client readme <https://github.com/Jasig/java-cas-client#configuring-single-sign-out>:
<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> <!-- <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://localhost:8181/cas</param-value> </init-param> --> </filter> <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://localhost:8181/cas/login</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://localhost:8181</param-value> </init-param> </filter> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://localhost:8181/cas</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://localhost:8181</param-value> </init-param> <init-param> <param-name>redirectAfterValidation</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>useSession</param-name> <param-value>true</param-value> </init-param> <!-- <init-param> <param-name>acceptAnyProxy</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>proxyReceptorUrl</param-name> <param-value>/cas-sample-java-webapp/proxyUrl</param-value> </init-param> <init-param> <param-name>proxyCallbackUrl</param-name> <param-value>https://localhost:8181/cas-sample-java-webapp/proxyUrl</param-value> </init-param> --> </filter> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <welcome-file-list> <welcome-file> index.jsp </welcome-file> </welcome-file-list> </web-app> I can successfully log in to the web application through CAS authentication. When I log out at CAS server in another tab using: https://localhost:8181/cas/logout I receive confirmation that logout was successful. The server log shows: 2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>]> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [https://localhost:8181/cas-sample-java-webapp-2/]> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url=https://localhost:8181/cas-sample-java-webapp-2/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId=ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org,service=https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS]]> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>]> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [https://localhost:8181/cas-sample-java-webapp-1/]> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url=https://localhost:8181/cas-sample-java-webapp-1/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> 2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId=ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org,service=https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS]]> and then to complete the TICKET_GRANTING_TICKET_DESTROYED action. I'm not exactly sure what i'm looking for but a few things stand out. 1) I see that the chain for logout of each client webapp ends with the term status=SUCCESS. Is that indicative of a successful logout or simply that the POST was made. 2) There are a number of places where SAML shows up in that log segment. Does that mean I need to run the SAML protocol on my client? If so, is that in addition to or in replacement of the CAS ticket validation filter or are those unrelated? After the logout I am still able to navigate the test client application(s) so the session has not been ended. Assuming that my configuration of server and client are correct (may not be true), What should my application do to correctly respond to the SLO protocol? I see the line in the client documentation stating: > The client has no code to help you handle log out. The client merely > places objects in session. but what objects are placed into the session and how should the client be written to recognize these objects and perform a session invalidation on the next access attempt? Are there any simple examples of a web client that appropriately responds to the SLO protocol? Thanks -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
