Hi Jonathan, I am having the same problem as you had but even after ordering the web.xml as you described, I am still stuck with the error.
I have debugged the cas java client code to find why Single Logout not working and found out that cas-server is sending the Logout request(BACK_CHANNEL) to each application but some java clients are unable to handle and there is no error in the logs. Please provide a solution and Can you please post your applications web.xml for better understanding and it will be very helpful if you can have a look at this page https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/single$20logout/cas-user/Tn1kPEOFvAY/sESb-nI3BAAJ Regards, Sankalp On Wednesday, January 13, 2016 at 6:51:25 PM UTC+5:30, Jonathan Labin wrote: > > It looks like my web.xml was out of order. I collected all of the SLO > elements first (filter, filter-mapping, and listener), all of the > authentication elements next, and finally all of the validation elements at > the end. After doing that SLO seems to work as one might hope. > > So is the statement from the Jasig/java-cas-client Recommended Logout > Procedure > <https://github.com/Jasig/java-cas-client#recommend-logout-procedure> > untrue? > >> The client has no code to help you handle log out. The client merely >> places objects in session. Therefore, we recommend you do a >> session.invalidate() call when you log a user out. However, that's >> entirely your application's responsibility. > > > It seems that it does end the session on receipt of a SLO message from the > CAS server. Or am I still confused about what is happening? > > On Monday, January 11, 2016 at 1:36:34 PM UTC-5, Misagh Moayyed wrote: >> >> No there is. That is the configuration you have. Cookies are not deleted, >> yes, but your session is gone which is mostly what you care about. >> >> If you are not seeing SLO, look into your logs and see what is happening. >> >> >> >> *From:* Jonathan Labin [mailto:[email protected]] >> *Sent:* Monday, January 11, 2016 11:29 AM >> *To:* CAS Community <[email protected]> >> *Cc:* [email protected] >> *Subject:* Re: [cas-user] Re: Help with SLO and Java Web Client >> >> >> >> Thanks for the advice. >> >> >> >> I'm not trying to bypass the nuances of SLO. I'm trying to find out if >> there is any way to enable SLO in a simple cookies-based webapp (like the >> sample >> provided by UniconLabs >> <https://github.com/UniconLabs/cas-sample-java-webapp>). >> >> >> >> It sounds like there is not and I'll have to use one of the compatible >> security frameworks like Shiro or Spring Security. >> >> On Monday, January 11, 2016 at 11:13:19 AM UTC-5, Misagh Moayyed wrote: >> >> Your SLO filter is designed to do just that. It grabs onto the request, >> examines it and if it considers it an SLO request it will attempt to >> terminate the session. It also does nothing with cookies, if I recall. >> There are no other flags. I guess what you are trying to do is advise the >> webapp to log itself out on the next try, so as to preserve the current >> user session so as to lose any work? In that case, why don’t you just turn >> SLO off? What does SLO mean at that point? >> >> >> >> At any rate, I don’t know of a sane way you could manage/implement what >> you propose, unless you wrote your filter that set that flag and did its >> own thing with the session, and even then, I am not sure you can fully get >> there. Way too many variables can go wrong. >> >> >> >> If you are trying to bypass the nuances of SLO, you won’t be able to. You >> either accept SLO as is, or you turn it off and let the app do its own >> thing separate from the CAS SSO session. I dare say the latter is more >> common. >> >> >> >> *From:* [email protected] [mailto:[email protected]] *On Behalf Of >> *Jonathan >> Labin >> *Sent:* Monday, January 11, 2016 8:11 AM >> *To:* CAS Community <[email protected]> >> *Subject:* [cas-user] Re: Help with SLO and Java Web Client >> >> >> >> To simplify the question: >> >> Is there no way to write a webapp to respond to the logout callback by >> setting some flag. Then on the next access by the client browser this flag >> could be noticed and the session terminated (along with cookies)? >> >> >> >> Is this approach inadvisable or not possible for some reason? >> >> >> >> Thanks >> >> >> >> On Tuesday, January 5, 2016 at 11:33:54 AM UTC-5, Jonathan Labin wrote: >> >> I am having trouble with the the single log out feature. I am using CAS >> server 4.1.3 and client web apps based on the sample provided by >> UniconLabs <https://github.com/UniconLabs/cas-sample-java-webapp>. >> After modification according to the java client readme >> <https://github.com/Jasig/java-cas-client#configuring-single-sign-out>: >> >> >> >> <?xml version="1.0" encoding="UTF-8"?> >> >> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"; >> >> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; >> >> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee >> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";> >> >> <filter> >> >> <filter-name>CAS Single Sign Out Filter</filter-name> >> >> >> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> >> >> <!-- <init-param> >> >> <param-name>casServerUrlPrefix</param-name> >> >> <param-value>https://localhost:8181/cas</param-value> >> >> </init-param> --> >> >> </filter> >> >> <filter> >> >> <filter-name>CAS Authentication Filter</filter-name> >> >> >> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> >> >> <init-param> >> >> <param-name>casServerLoginUrl</param-name> >> >> <param-value>https://localhost:8181/cas/login</param-value> >> >> </init-param> >> >> <init-param> >> >> <param-name>serverName</param-name> >> >> <param-value>https://localhost:8181</param-value> >> >> </init-param> >> >> </filter> >> >> >> >> <filter> >> >> <filter-name>CAS Validation Filter</filter-name> >> >> >> <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class> >> >> <init-param> >> >> <param-name>casServerUrlPrefix</param-name> >> >> <param-value>https://localhost:8181/cas</param-value> >> >> </init-param> >> >> <init-param> >> >> <param-name>serverName</param-name> >> >> <param-value>https://localhost:8181</param-value> >> >> </init-param> >> >> <init-param> >> >> <param-name>redirectAfterValidation</param-name> >> >> <param-value>true</param-value> >> >> </init-param> >> >> <init-param> >> >> <param-name>useSession</param-name> >> >> <param-value>true</param-value> >> >> </init-param> >> >> <!-- <init-param> <param-name>acceptAnyProxy</param-name> >> <param-value>true</param-value> >> >> </init-param> <init-param> >> <param-name>proxyReceptorUrl</param-name> >> <param-value>/cas-sample-java-webapp/proxyUrl</param-value> >> >> </init-param> <init-param> >> <param-name>proxyCallbackUrl</param-name> <param-value> >> https://localhost:8181/cas-sample-java-webapp/proxyUrl</param-value> >> >> </init-param> --> >> >> </filter> >> >> <filter> >> >> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> >> >> >> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> >> >> </filter> >> >> >> >> <filter-mapping> >> >> <filter-name>CAS Validation Filter</filter-name> >> >> <url-pattern>/*</url-pattern> >> >> </filter-mapping> >> >> >> >> <filter-mapping> >> >> <filter-name>CAS Authentication Filter</filter-name> >> >> <url-pattern>/*</url-pattern> >> >> </filter-mapping> >> >> >> >> <filter-mapping> >> >> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> >> >> <url-pattern>/*</url-pattern> >> >> </filter-mapping> >> >> >> >> <filter-mapping> >> >> <filter-name>CAS Single Sign Out Filter</filter-name> >> >> <url-pattern>/*</url-pattern> >> >> </filter-mapping> >> >> >> >> <listener> >> >> >> >> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> >> >> </listener> >> >> >> >> <welcome-file-list> >> >> <welcome-file> >> >> index.jsp >> >> </welcome-file> >> >> </welcome-file-list> >> >> </web-app> >> >> >> >> I can successfully log in to the web application through CAS >> authentication. >> >> When I log out at CAS server in another tab using: >> https://localhost:8181/cas/logout I receive confirmation that logout was >> successful. >> >> >> >> The server log shows: >> >> 2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG >> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. >> Processing logout requests and then deleting the ticket...> >> >> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG >> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated >> logout message: [<samlp:LogoutRequest >> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" >> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> >> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org >> </samlp:SessionIndex></samlp:LogoutRequest>]> >> >> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG >> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [ >> https://localhost:8181/cas-sample-java-webapp-2/]> >> >> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG >> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send >> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url= >> https://localhost:8181/cas-sample-java-webapp-2/,message=<samlp:LogoutRequest >> >> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" >> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> >> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org >> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> >> >> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG >> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request >> [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId= >> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org,service= >> https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS]]> >> >> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG >> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated >> logout message: [<samlp:LogoutRequest >> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" >> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> >> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org >> </samlp:SessionIndex></samlp:LogoutRequest>]> >> >> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG >> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [ >> https://localhost:8181/cas-sample-java-webapp-1/]> >> >> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG >> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send >> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url= >> https://localhost:8181/cas-sample-java-webapp-1/,message=<samlp:LogoutRequest >> >> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" >> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID >> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> >> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org >> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> >> >> 2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG >> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request >> [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId= >> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org,service= >> https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS]]> >> >> >> >> and then to complete the TICKET_GRANTING_TICKET_DESTROYED action. >> >> >> >> I'm not exactly sure what i'm looking for but a few things stand out. >> >> 1) I see that the chain for logout of each client webapp ends with the >> term status=SUCCESS. Is that indicative of a successful logout or simply >> that the POST was made. >> >> 2) There are a number of places where SAML shows up in that log segment. >> Does that mean I need to run the SAML protocol on my client? If so, is >> that in addition to or in replacement of the CAS ticket validation filter >> or are those unrelated? >> >> >> >> After the logout I am still able to navigate the test client >> application(s) so the session has not been ended. >> >> Assuming that my configuration of server and client are correct (may not >> be true), What should my application do to correctly respond to the SLO >> protocol? >> >> I see the line in the client documentation stating: >> >> The client has no code to help you handle log out. The client merely >> places objects in session. >> >> but what objects are placed into the session and how should the client be >> written to recognize these objects and perform a session invalidation on >> the next access attempt? >> >> >> >> Are there any simple examples of a web client that appropriately responds >> to the SLO protocol? >> >> ... > > -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bf4e4b4e-2110-43a3-822e-a418a2ec62b6%40apereo.org. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
