To simplify the question: Is there no way to write a webapp to respond to the logout callback by setting some flag? Then on the next access by the client browser this flag could be noticed and the session terminated (along with cookies).
Is this approach inadvisable or not possible for some reason?

Thanks

On Tuesday, January 5, 2016 at 11:33:54 AM UTC-5, Jonathan Labin wrote:
>
> I am having trouble with the single log out feature. I am using CAS
> server 4.1.3 and client web apps based on the sample provided by
> UniconLabs <https://github.com/UniconLabs/cas-sample-java-webapp>. After
> modification according to the java client readme
> <https://github.com/Jasig/java-cas-client#configuring-single-sign-out>:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>     http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
>   <filter>
>     <filter-name>CAS Single Sign Out Filter</filter-name>
>     <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>     <!-- <init-param>
>       <param-name>casServerUrlPrefix</param-name>
>       <param-value>https://localhost:8181/cas</param-value>
>     </init-param> -->
>   </filter>
>   <filter>
>     <filter-name>CAS Authentication Filter</filter-name>
>     <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>     <init-param>
>       <param-name>casServerLoginUrl</param-name>
>       <param-value>https://localhost:8181/cas/login</param-value>
>     </init-param>
>     <init-param>
>       <param-name>serverName</param-name>
>       <param-value>https://localhost:8181</param-value>
>     </init-param>
>   </filter>
>
>   <filter>
>     <filter-name>CAS Validation Filter</filter-name>
>     <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
>     <init-param>
>       <param-name>casServerUrlPrefix</param-name>
>       <param-value>https://localhost:8181/cas</param-value>
>     </init-param>
>     <init-param>
>       <param-name>serverName</param-name>
>       <param-value>https://localhost:8181</param-value>
>     </init-param>
>     <init-param>
>       <param-name>redirectAfterValidation</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <init-param>
>       <param-name>useSession</param-name>
>       <param-value>true</param-value>
>     </init-param>
>     <!-- <init-param> <param-name>acceptAnyProxy</param-name>
>       <param-value>true</param-value>
>     </init-param> <init-param> <param-name>proxyReceptorUrl</param-name>
>       <param-value>/cas-sample-java-webapp/proxyUrl</param-value>
>     </init-param> <init-param> <param-name>proxyCallbackUrl</param-name>
>       <param-value>https://localhost:8181/cas-sample-java-webapp/proxyUrl
>       </param-value>
>     </init-param> -->
>   </filter>
>   <filter>
>     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>     <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>CAS Validation Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
>   <filter-mapping>
>     <filter-name>CAS Authentication Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
>   <filter-mapping>
>     <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>   <filter-mapping>
>     <filter-name>CAS Single Sign Out Filter</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>   <listener>
>     <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>   </listener>
>
>   <welcome-file-list>
>     <welcome-file>
>       index.jsp
>     </welcome-file>
>   </welcome-file-list>
> </web-app>
>
>
> I can successfully log in to the web application through CAS
> authentication.
> When I log out at CAS server in another tab using:
> https://localhost:8181/cas/logout I receive confirmation that logout was
> successful.
>
> The server log shows:
>
> 2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found.
> Processing logout requests and then deleting the ticket...>
> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG
> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated
> logout message: [<samlp:LogoutRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0"
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>]>
> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG
> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [
> https://localhost:8181/cas-sample-java-webapp-2/]>
> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG
> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send
> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url=
> https://localhost:8181/cas-sample-java-webapp-2/,message=<samlp:LogoutRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0"
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG
> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request
> [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId=
> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org,service=
> https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS]]>
> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG
> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated
> logout message: [<samlp:LogoutRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0"
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>]>
> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG
> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [
> https://localhost:8181/cas-sample-java-webapp-1/]>
> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG
> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send
> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url=
> https://localhost:8181/cas-sample-java-webapp-1/,message=<samlp:LogoutRequest
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0"
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
> 2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG
> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request
> [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId=
> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org,service=
> https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS]]>
>
>
> and then to complete the TICKET_GRANTING_TICKET_DESTROYED action.
>
> I'm not exactly sure what I'm looking for but a few things stand out.
> 1) I see that the chain for logout of each client webapp ends with the
> term status=SUCCESS. Is that indicative of a successful logout or simply
> that the POST was made?
> 2) There are a number of places where SAML shows up in that log segment.
> Does that mean I need to run the SAML protocol on my client? If so, is
> that in addition to or in replacement of the CAS ticket validation filter
> or are those unrelated?
>
> After the logout I am still able to navigate the test client
> application(s) so the session has not been ended.
> Assuming that my configuration of server and client are correct (may not
> be true), what should my application do to correctly respond to the SLO
> protocol?
> I see the line in the client documentation stating:
>
>> The client has no code to help you handle log out. The client merely
>> places objects in session.
>
> but what objects are placed into the session and how should the client be
> written to recognize these objects and perform a session invalidation on
> the next access attempt?
>
> Are there any simple examples of a web client that appropriately responds
> to the SLO protocol?
>
> Thanks
>
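
As an added example (not part of the original thread and not java-cas-client code), here is a servlet filter that implements the flag approach asked about above: the back-channel POST records the logged-out service ticket, and the next browser request on a session opened with that ticket invalidates it. It assumes the CAS server posts the SAML message in the `logoutRequest` form parameter with the `samlp:` prefix seen in the log, that the browser returns from login with a `ticket` parameter, and a single application node; `LogoutFlagFilter` and the session attribute name are hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter name; not a class from java-cas-client. */
public class LogoutFlagFilter implements Filter {
    // Service tickets the CAS server has reported as logged out (the "flag").
    private static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();
    // <samlp:SessionIndex> carries the service ticket id, as in the server log above.
    private static final Pattern SESSION_INDEX = Pattern.compile(
            "<samlp:SessionIndex>\\s*([^<\\s]+)\\s*</samlp:SessionIndex>");
    // Assumed attribute name for remembering which ticket opened a session.
    private static final String TICKET_ATTR = "example.cas.serviceTicket";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String logout = "POST".equals(req.getMethod())
                ? req.getParameter("logoutRequest") : null;
        if (logout != null) {
            // Back-channel call from the CAS server: it carries no browser
            // cookie, so there is no session here; only record the ticket.
            Matcher m = SESSION_INDEX.matcher(logout);
            if (m.find()) REVOKED.add(m.group(1));
            return; // empty 200 response, nothing reaches the application
        }
        String ticket = req.getParameter("ticket");
        if (ticket != null) {
            // Browser returning from CAS login: remember the ticket on the
            // session before the validation filter consumes it.
            req.getSession(true).setAttribute(TICKET_ATTR, ticket);
        }
        HttpSession session = req.getSession(false);
        Object st = session == null ? null : session.getAttribute(TICKET_ATTR);
        if (st != null && REVOKED.remove(st)) {
            session.invalidate(); // flag noticed on next access: end the local session
        }
        // With the session gone, the CAS Authentication Filter finds no
        // assertion and redirects the browser to the CAS login page.
        chain.doFilter(rq, rs);
    }
}
```

The filter has to be mapped on `/*` ahead of the CAS authentication and validation filters so that it sees both the `ticket` parameter and the logout POST. The back-channel POST carries no credentials, so restrict it to the CAS server's address and expire old entries from the set.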
