Thanks for the advice.

I'm not trying to bypass the nuances of SLO.  I'm trying to find out if 
there is any way to enable SLO in a simple cookies-based webapp (like the 
sample provided by UniconLabs 
<https://github.com/UniconLabs/cas-sample-java-webapp>).

It sounds like there is not and I'll have to use one of the compatible 
security frameworks like Shiro or Spring Security.

On Monday, January 11, 2016 at 11:13:19 AM UTC-5, Misagh Moayyed wrote:
>
> Your SLO filter is designed to do just that. It grabs onto the request, 
> examines it and if it considers it an SLO request it will attempt to 
> terminate the session. It also does nothing with cookies, if I recall. 
> There are no other flags. I guess what you are trying to do is advise the 
> webapp to log itself out on the next try, so as to preserve the current 
> user session so as to lose any work? In that case, why don’t you just turn 
> SLO off? What does SLO mean at that point?
>
>  
>
> At any rate, I don’t know of a sane way you could manage/implement what 
> you propose, unless you wrote your filter that set that flag and did its 
> own thing with the session, and even then, I am not sure you can fully get 
> there. Way too many variables can go wrong. 
>
>  
>
> If you are trying to bypass the nuances of SLO, you won’t be able to. You 
> either accept SLO as is, or you turn it off and let the app do its own 
> thing separate from the CAS SSO session. I dare say the latter is more 
> common. 
>
>  
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jonathan Labin
> *Sent:* Monday, January 11, 2016 8:11 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] Re: Help with SLO and Java Web Client
>
>  
>
> To simplify the question:
>
> Is there no way to write a webapp to respond to the logout callback by 
> setting some flag.  Then on the next access by the client browser this flag 
> could be noticed and the session terminated (along with cookies)?
>
>  
>
> Is this approach inadvisable or not possible for some reason?
>
>  
>
> Thanks
>
>  
>
> On Tuesday, January 5, 2016 at 11:33:54 AM UTC-5, Jonathan Labin wrote:
>
> I am having trouble with the single log out feature.  I am using CAS 
> server 4.1.3 and client web apps based on the sample provided by 
> UniconLabs <https://github.com/UniconLabs/cas-sample-java-webapp>.  After 
> modification according to the java client readme 
> <https://github.com/Jasig/java-cas-client#configuring-single-sign-out>:
>
>  
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
>
>    <filter>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>         <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>         <!--  <init-param>
>              <param-name>casServerUrlPrefix</param-name>
>              <param-value>https://localhost:8181/cas</param-value>
>         </init-param>  -->
>    </filter>
>
>    <filter>
>         <filter-name>CAS Authentication Filter</filter-name>
>         <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>         <init-param>
>              <param-name>casServerLoginUrl</param-name>
>              <param-value>https://localhost:8181/cas/login</param-value>
>         </init-param>
>         <init-param>
>              <param-name>serverName</param-name>
>              <param-value>https://localhost:8181</param-value>
>         </init-param>
>    </filter>
>
>    <filter>
>         <filter-name>CAS Validation Filter</filter-name>
>         <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
>         <init-param>
>              <param-name>casServerUrlPrefix</param-name>
>              <param-value>https://localhost:8181/cas</param-value>
>         </init-param>
>         <init-param>
>              <param-name>serverName</param-name>
>              <param-value>https://localhost:8181</param-value>
>         </init-param>
>         <init-param>
>              <param-name>redirectAfterValidation</param-name>
>              <param-value>true</param-value>
>         </init-param>
>         <init-param>
>              <param-name>useSession</param-name>
>              <param-value>true</param-value>
>         </init-param>
>         <!-- <init-param> <param-name>acceptAnyProxy</param-name> <param-value>true</param-value>
>         </init-param> <init-param> <param-name>proxyReceptorUrl</param-name> <param-value>/cas-sample-java-webapp/proxyUrl</param-value>
>         </init-param> <init-param> <param-name>proxyCallbackUrl</param-name> <param-value>https://localhost:8181/cas-sample-java-webapp/proxyUrl</param-value>
>         </init-param> -->
>    </filter>
>
>    <filter>
>         <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>         <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>    </filter>
>
>    <filter-mapping>
>         <filter-name>CAS Validation Filter</filter-name>
>         <url-pattern>/*</url-pattern>
>    </filter-mapping>
>
>    <filter-mapping>
>         <filter-name>CAS Authentication Filter</filter-name>
>         <url-pattern>/*</url-pattern>
>    </filter-mapping>
>
>    <filter-mapping>
>         <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>         <url-pattern>/*</url-pattern>
>    </filter-mapping>
>
>    <filter-mapping>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>         <url-pattern>/*</url-pattern>
>    </filter-mapping>
>
>    <listener>
>         <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>    </listener>
>
>    <welcome-file-list>
>         <welcome-file>
>             index.jsp
>         </welcome-file>
>    </welcome-file-list>
> </web-app>
>
>  
>
> I can successfully log in to the web application through CAS 
> authentication.
>
> When I log out at CAS server in another tab using: 
> https://localhost:8181/cas/logout I receive confirmation that logout was 
> successful.
>
>  
>
> The server log shows:
>
> 2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG 
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. 
> Processing logout requests and then deleting the ticket...>
>
> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG 
> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated 
> logout message: [<samlp:LogoutRequest 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" 
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID 
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>]>
>
> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG 
> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [
> https://localhost:8181/cas-sample-java-webapp-2/]>
>
> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG 
> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send 
> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url=
> https://localhost:8181/cas-sample-java-webapp-2/,message=<samlp:LogoutRequest 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" 
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID 
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
>
> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG 
> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request 
> [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId=
> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org,service=
> https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS]]>
>
> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG 
> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated 
> logout message: [<samlp:LogoutRequest 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" 
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID 
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>]>
>
> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG 
> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [
> https://localhost:8181/cas-sample-java-webapp-1/]>
>
> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG 
> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send 
> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url=
> https://localhost:8181/cas-sample-java-webapp-1/,message=<samlp:LogoutRequest 
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" 
> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID 
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org
> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
>
> 2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG 
> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request 
> [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId=
> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org,service=
> https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS]]>
>
>  
>
> and then to complete the TICKET_GRANTING_TICKET_DESTROYED action.
>
>  
>
> I'm not exactly sure what I'm looking for but a few things stand out.  
>
> 1) I see that the chain for logout of each client webapp ends with the 
> term status=SUCCESS.  Is that indicative of a successful logout or simply 
> that the POST was made?
>
> 2) There are a number of places where SAML shows up in that log segment. 
>  Does that mean I need to run the SAML protocol on my client?  If so, is 
> that in addition to or in replacement of the CAS ticket validation filter 
> or are those unrelated?
>
>  
>
> After the logout I am still able to navigate the test client 
> application(s) so the session has not been ended.  
>
> Assuming that my configuration of server and client are correct (may not 
> be true), what should my application do to correctly respond to the SLO 
> protocol?
>
> I see the line in the client documentation stating:
>
> The client has no code to help you handle log out. The client merely 
> places objects in session.
>
> but what objects are placed into the session and how should the client be 
> written to recognize these objects and perform a session invalidation on 
> the next access attempt?
>
>  
>
> Are there any simple examples of a web client that appropriately responds 
> to the SLO protocol?
>
>  
>
> Thanks
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
>
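
An added sketch, not code from java-cas-client or from anyone in this thread, of the bookkeeping a client needs for the back-channel logout shown in the log above: the POST comes from the CAS server without the browser's cookie, so the session has to be found through the service ticket carried in `SessionIndex`. The class and method names and the sample ticket are hypothetical; only JDK classes are used.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added illustration (hypothetical names): ticket-to-session mapping for back-channel SLO. */
public class SloSketch {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    // service ticket -> container session id, recorded when the ticket is validated
    private final Map<String, String> sessionByTicket = new ConcurrentHashMap<>();

    void onTicketValidated(String serviceTicket, String sessionId) {
        sessionByTicket.put(serviceTicket, sessionId);
    }

    /** Returns the session id to invalidate, or null if the ticket is unknown. */
    String onLogoutRequest(String logoutRequestXml) throws Exception {
        String ticket = extractSessionIndex(logoutRequestXml);
        return ticket == null ? null : sessionByTicket.remove(ticket);
    }

    static String extractSessionIndex(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The XML is parsed from a request body, so refuse DTDs (XXE, entity expansion).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList n = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getElementsByTagNameNS(SAMLP, "SessionIndex");
        // The logged messages wrap the ticket in whitespace, hence trim().
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: same shape as the logged message, placeholder ticket and ids.
        String msg = "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP + "\" ID=\"LR-1-example\" Version=\"2.0\">"
                + "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@NOT_USED@</saml:NameID>"
                + "<samlp:SessionIndex>\n ST-1-example-ticket \n</samlp:SessionIndex></samlp:LogoutRequest>";
        SloSketch app = new SloSketch();
        app.onTicketValidated("ST-1-example-ticket", "JSESSIONID-A");
        System.out.println(app.onLogoutRequest(msg));  // first delivery: mapped session id
        System.out.println(app.onLogoutRequest(msg));  // replayed request: mapping already removed
    }
}
```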
