No there is. That is the configuration you have. Cookies are not deleted, yes, but your session is gone which is mostly what you care about.
If you are not seeing SLO, look into your logs and see what is happening. From: Jonathan Labin [mailto:[email protected]] Sent: Monday, January 11, 2016 11:29 AM To: CAS Community <[email protected]> Cc: [email protected] Subject: Re: [cas-user] Re: Help with SLO and Java Web Client Thanks for the advice. I'm not trying to bypass the nuances of SLO. I'm trying to find out if there is any way to enable SLO in a simple cookies-based webapp (like the sample provided by UniconLabs <https://github.com/UniconLabs/cas-sample-java-webapp> ). It sounds like there is not and I'll have to use one of the compatible security frameworks like Shiro or Spring Security. On Monday, January 11, 2016 at 11:13:19 AM UTC-5, Misagh Moayyed wrote: Your SLO filter is designed to do just that. It grabs onto the request, examines it and if it considers it an SLO request it will attempt to terminate the session. It also does nothing with cookies, if I recall. There are no other flags. I guess what you are trying to do is advise the webapp to log itself out on the next try, so as to preserve the current user session so as to lose any work? In that case, why don’t you just turn SLO off? What does SLO mean at that point? At any rate, I don’t know of a sane way you could manage/implement what you propose, unless you wrote your filter that set that flag and did its own thing with the session, and even then, I am not sure you can fully get there. Way too many variables can go wrong. If you are trying to bypass the nuances of SLO, you won’t be able to. You either accept SLO as is, or you turn it off and let the app do its own thing separate from the CAS SSO session. I dare say the latter is more common. From: [email protected] <javascript:> [mailto:[email protected] <javascript:> ] On Behalf Of Jonathan Labin Sent: Monday, January 11, 2016 8:11 AM To: CAS Community <[email protected] <javascript:> > Subject: [cas-user] Re: Help with SLO and Java Web Client To simplify the question: Is there no way to write a webapp to respond to the logout callback by setting some flag. Then on the next access by the client browser this flag could be noticed and the session terminated (along with cookies)? Is this approach inadvisable or not possible for some reason? Thanks On Tuesday, January 5, 2016 at 11:33:54 AM UTC-5, Jonathan Labin wrote: I am having trouble with the the single log out feature. I am using CAS server 4.1.3 and client web apps based on the sample provided by UniconLabs <https://github.com/UniconLabs/cas-sample-java-webapp> . After modification according to the java client readme <https://github.com/Jasig/java-cas-client#configuring-single-sign-out> : <?xml version="1.0" encoding="UTF-8"?> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> <!-- <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://localhost:8181/cas</param-value> </init-param> --> </filter> <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://localhost:8181/cas/login</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://localhost:8181</param-value> </init-param> </filter> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://localhost:8181/cas</param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value>https://localhost:8181</param-value> </init-param> <init-param> <param-name>redirectAfterValidation</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>useSession</param-name> <param-value>true</param-value> </init-param> <!-- <init-param> <param-name>acceptAnyProxy</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>proxyReceptorUrl</param-name> <param-value>/cas-sample-java-webapp/proxyUrl</param-value> </init-param> <init-param> <param-name>proxyCallbackUrl</param-name> <param-value>https://localhost:8181/cas-sample-java-webapp/proxyUrl</param-value> </init-param> --> </filter> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <welcome-file-list> <welcome-file> index.jsp </welcome-file> </welcome-file-list> </web-app> I can successfully log in to the web application through CAS authentication. When I log out at CAS server in another tab using: https://localhost:8181/cas/logout I receive confirmation that logout was successful. The server log shows: 2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org <http://ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org> </samlp:SessionIndex></samlp:LogoutRequest>]> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [https://localhost:8181/cas-sample-java-webapp-2/]> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url=https://localhost:8181/cas-sample-java-webapp-2/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org <http://ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId=ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org <http://ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org> ,service=https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS] <https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS%5D> ]> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org <http://ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org> </samlp:SessionIndex></samlp:LogoutRequest>]> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [https://localhost:8181/cas-sample-java-webapp-1/]> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url=https://localhost:8181/cas-sample-java-webapp-1/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org <http://ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> 2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId=ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org <http://ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org> ,service=https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS] <https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS%5D> ]> and then to complete the TICKET_GRANTING_TICKET_DESTROYED action. I'm not exactly sure what i'm looking for but a few things stand out. 1) I see that the chain for logout of each client webapp ends with the term status=SUCCESS. Is that indicative of a successful logout or simply that the POST was made. 2) There are a number of places where SAML shows up in that log segment. Does that mean I need to run the SAML protocol on my client? If so, is that in addition to or in replacement of the CAS ticket validation filter or are those unrelated? After the logout I am still able to navigate the test client application(s) so the session has not been ended. Assuming that my configuration of server and client are correct (may not be true), What should my application do to correctly respond to the SLO protocol? I see the line in the client documentation stating: The client has no code to help you handle log out. The client merely places objects in session. but what objects are placed into the session and how should the client be written to recognize these objects and perform a session invalidation on the next access attempt? Are there any simple examples of a web client that appropriately responds to the SLO protocol? Thanks -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <javascript:> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
