My web.xml:
<filter>
<filter-name>CAS Single Sign Out Filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://mycasserver</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Single Sign Out Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
<context-param>
<param-name>shiroConfigLocations</param-name>
<param-value>/WEB-INF/shiro/shiro.ini</param-value>
</context-param>
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
I hope that helps
On Monday, May 30, 2016 at 3:24:02 AM UTC-4, Sankalp Sharma wrote:
>
> Hi Jonathan,
>
> I am having the same problem as you had but even after ordering the
> web.xml as you described, I am still stuck with the error.
>
> I have debugged the cas java client code to find why Single Logout not
> working and found out that cas-server is sending the Logout
> request(BACK_CHANNEL) to each application but some java clients are unable
> to handle and there is no error in the logs.
>
> Please provide a solution and Can you please post your applications
> web.xml for better understanding and it will be very helpful if you can
> have a look at this page
>
>
> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/single$20logout/cas-user/Tn1kPEOFvAY/sESb-nI3BAAJ
>
> Regards,
> Sankalp
>
>
> On Wednesday, January 13, 2016 at 6:51:25 PM UTC+5:30, Jonathan Labin
> wrote:
>>
>> It looks like my web.xml was out of order. I collected all of the SLO
>> elements first (filter, filter-mapping, and listener), all of the
>> authentication elements next, and finally all of the validation elements at
>> the end. After doing that SLO seems to work as one might hope.
>>
>> So is the statement from the Jasig/java-cas-client Recommended Logout
>> Procedure
>> <https://github.com/Jasig/java-cas-client#recommend-logout-procedure>
>> untrue?
>>
>>> The client has no code to help you handle log out. The client merely
>>> places objects in session. Therefore, we recommend you do a
>>> session.invalidate() call when you log a user out. However, that's
>>> entirely your application's responsibility.
>>
>>
>> It seems that it does end the session on receipt of a SLO message from
>> the CAS server. Or am I still confused about what is happening?
>>
>> On Monday, January 11, 2016 at 1:36:34 PM UTC-5, Misagh Moayyed wrote:
>>>
>>> No there is. That is the configuration you have. Cookies are not
>>> deleted, yes, but your session is gone which is mostly what you care about.
>>>
>>> If you are not seeing SLO, look into your logs and see what is
>>> happening.
>>>
>>>
>>>
>>> *From:* Jonathan Labin [mailto:[email protected]]
>>> *Sent:* Monday, January 11, 2016 11:29 AM
>>> *To:* CAS Community <[email protected]>
>>> *Cc:* [email protected]
>>> *Subject:* Re: [cas-user] Re: Help with SLO and Java Web Client
>>>
>>>
>>>
>>> Thanks for the advice.
>>>
>>>
>>>
>>> I'm not trying to bypass the nuances of SLO. I'm trying to find out if
>>> there is any way to enable SLO in a simple cookies-based webapp (like the
>>> sample
>>> provided by UniconLabs
>>> <https://github.com/UniconLabs/cas-sample-java-webapp>).
>>>
>>>
>>>
>>> It sounds like there is not and I'll have to use one of the compatible
>>> security frameworks like Shiro or Spring Security.
>>>
>>> On Monday, January 11, 2016 at 11:13:19 AM UTC-5, Misagh Moayyed wrote:
>>>
>>> Your SLO filter is designed to do just that. It grabs onto the request,
>>> examines it and if it considers it an SLO request it will attempt to
>>> terminate the session. It also does nothing with cookies, if I recall.
>>> There are no other flags. I guess what you are trying to do is advise the
>>> webapp to log itself out on the next try, so as to preserve the current
>>> user session so as to lose any work? In that case, why don’t you just turn
>>> SLO off? What does SLO mean at that point?
>>>
>>>
>>>
>>> At any rate, I don’t know of a sane way you could manage/implement what
>>> you propose, unless you wrote your filter that set that flag and did its
>>> own thing with the session, and even then, I am not sure you can fully get
>>> there. Way too many variables can go wrong.
>>>
>>>
>>>
>>> If you are trying to bypass the nuances of SLO, you won’t be able to.
>>> You either accept SLO as is, or you turn it off and let the app do its own
>>> thing separate from the CAS SSO session. I dare say the latter is more
>>> common.
>>>
>>>
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of
>>> *Jonathan
>>> Labin
>>> *Sent:* Monday, January 11, 2016 8:11 AM
>>> *To:* CAS Community <[email protected]>
>>> *Subject:* [cas-user] Re: Help with SLO and Java Web Client
>>>
>>>
>>>
>>> To simplify the question:
>>>
>>> Is there no way to write a webapp to respond to the logout callback by
>>> setting some flag. Then on the next access by the client browser this flag
>>> could be noticed and the session terminated (along with cookies)?
>>>
>>>
>>>
>>> Is this approach inadvisable or not possible for some reason?
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> On Tuesday, January 5, 2016 at 11:33:54 AM UTC-5, Jonathan Labin wrote:
>>>
>>> I am having trouble with the the single log out feature. I am using CAS
>>> server 4.1.3 and client web apps based on the sample provided by
>>> UniconLabs <https://github.com/UniconLabs/cas-sample-java-webapp>.
>>> After modification according to the java client readme
>>> <https://github.com/Jasig/java-cas-client#configuring-single-sign-out>:
>>>
>>>
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>>
>>> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee";
>>>
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>>>
>>> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>>> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";>
>>>
>>> <filter>
>>>
>>> <filter-name>CAS Single Sign Out Filter</filter-name>
>>>
>>>
>>> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>>>
>>> <!-- <init-param>
>>>
>>> <param-name>casServerUrlPrefix</param-name>
>>>
>>> <param-value>https://localhost:8181/cas</param-value>
>>>
>>> </init-param> -->
>>>
>>> </filter>
>>>
>>> <filter>
>>>
>>> <filter-name>CAS Authentication Filter</filter-name>
>>>
>>>
>>> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>>>
>>> <init-param>
>>>
>>> <param-name>casServerLoginUrl</param-name>
>>>
>>> <param-value>https://localhost:8181/cas/login</param-value>
>>>
>>> </init-param>
>>>
>>> <init-param>
>>>
>>> <param-name>serverName</param-name>
>>>
>>> <param-value>https://localhost:8181</param-value>
>>>
>>> </init-param>
>>>
>>> </filter>
>>>
>>>
>>>
>>> <filter>
>>>
>>> <filter-name>CAS Validation Filter</filter-name>
>>>
>>>
>>> <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
>>>
>>> <init-param>
>>>
>>> <param-name>casServerUrlPrefix</param-name>
>>>
>>> <param-value>https://localhost:8181/cas</param-value>
>>>
>>> </init-param>
>>>
>>> <init-param>
>>>
>>> <param-name>serverName</param-name>
>>>
>>> <param-value>https://localhost:8181</param-value>
>>>
>>> </init-param>
>>>
>>> <init-param>
>>>
>>> <param-name>redirectAfterValidation</param-name>
>>>
>>> <param-value>true</param-value>
>>>
>>> </init-param>
>>>
>>> <init-param>
>>>
>>> <param-name>useSession</param-name>
>>>
>>> <param-value>true</param-value>
>>>
>>> </init-param>
>>>
>>> <!-- <init-param> <param-name>acceptAnyProxy</param-name>
>>> <param-value>true</param-value>
>>>
>>> </init-param> <init-param>
>>> <param-name>proxyReceptorUrl</param-name>
>>> <param-value>/cas-sample-java-webapp/proxyUrl</param-value>
>>>
>>> </init-param> <init-param>
>>> <param-name>proxyCallbackUrl</param-name> <param-value>
>>> https://localhost:8181/cas-sample-java-webapp/proxyUrl</param-value>
>>>
>>> </init-param> -->
>>>
>>> </filter>
>>>
>>> <filter>
>>>
>>> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>>>
>>>
>>> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>>>
>>> </filter>
>>>
>>>
>>>
>>> <filter-mapping>
>>>
>>> <filter-name>CAS Validation Filter</filter-name>
>>>
>>> <url-pattern>/*</url-pattern>
>>>
>>> </filter-mapping>
>>>
>>>
>>>
>>> <filter-mapping>
>>>
>>> <filter-name>CAS Authentication Filter</filter-name>
>>>
>>> <url-pattern>/*</url-pattern>
>>>
>>> </filter-mapping>
>>>
>>>
>>>
>>> <filter-mapping>
>>>
>>> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>>>
>>> <url-pattern>/*</url-pattern>
>>>
>>> </filter-mapping>
>>>
>>>
>>>
>>> <filter-mapping>
>>>
>>> <filter-name>CAS Single Sign Out Filter</filter-name>
>>>
>>> <url-pattern>/*</url-pattern>
>>>
>>> </filter-mapping>
>>>
>>>
>>>
>>> <listener>
>>>
>>>
>>>
>>> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>>>
>>> </listener>
>>>
>>>
>>>
>>> <welcome-file-list>
>>>
>>> <welcome-file>
>>>
>>> index.jsp
>>>
>>> </welcome-file>
>>>
>>> </welcome-file-list>
>>>
>>> </web-app>
>>>
>>>
>>>
>>> I can successfully log in to the web application through CAS
>>> authentication.
>>>
>>> When I log out at CAS server in another tab using:
>>> https://localhost:8181/cas/logout I receive confirmation that logout
>>> was successful.
>>>
>>>
>>>
>>> The server log shows:
>>>
>>> 2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG
>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found.
>>> Processing logout requests and then deleting the ticket...>
>>>
>>> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG
>>> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated
>>> logout message: [<samlp:LogoutRequest
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0"
>>> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
>>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
>>> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org
>>> </samlp:SessionIndex></samlp:LogoutRequest>]>
>>>
>>> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG
>>> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [
>>> https://localhost:8181/cas-sample-java-webapp-2/]>
>>>
>>> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG
>>> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send
>>> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url=
>>> https://localhost:8181/cas-sample-java-webapp-2/,message=<samlp:LogoutRequest
>>>
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0"
>>> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
>>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
>>> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org
>>> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
>>>
>>> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG
>>> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request
>>> [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId=
>>> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org,service=
>>> https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS]]>
>>>
>>> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG
>>> [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated
>>> logout message: [<samlp:LogoutRequest
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0"
>>> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
>>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
>>> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org
>>> </samlp:SessionIndex></samlp:LogoutRequest>]>
>>>
>>> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG
>>> [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [
>>> https://localhost:8181/cas-sample-java-webapp-1/]>
>>>
>>> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG
>>> [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send
>>> is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url=
>>> https://localhost:8181/cas-sample-java-webapp-1/,message=<samlp:LogoutRequest
>>>
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0"
>>> IssueInstant="2016-01-05T11:18:41Z"><saml:NameID
>>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>
>>> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org
>>> </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
>>>
>>> 2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG
>>> [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request
>>> [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId=
>>> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org,service=
>>> https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS]]>
>>>
>>>
>>>
>>> and then to complete the TICKET_GRANTING_TICKET_DESTROYED action.
>>>
>>>
>>>
>>> I'm not exactly sure what i'm looking for but a few things stand out.
>>>
>>> 1) I see that the chain for logout of each client webapp ends with the
>>> term status=SUCCESS. Is that indicative of a successful logout or simply
>>> that the POST was made.
>>>
>>> 2) There are a number of places where SAML shows up in that log segment.
>>> Does that mean I need to run the SAML protocol on my client? If so, is
>>> that in addition to or in replacement of the CAS ticket validation filter
>>> or are those unrelated?
>>>
>>>
>>>
>>> After the logout I am still able to navigate the test client
>>> application(s) so the session has not been ended.
>>>
>>> Assuming that my configuration of server and client are correct (may not
>>> be true), What should my application do to correctly respond to the SLO
>>> protocol?
>>>
>>> I see the line in the client documentation stating:
>>>
>>> The client has no code to help you handle log out. The client merely
>>> places objects in session.
>>>
>>> but what objects are placed into the session and how should the client
>>> be written to recognize these objects and perform a session invalidation on
>>> the next access attempt?
>>>
>>>
>>>
>>> Are there any simple examples of a web client that appropriately
>>> responds to the SLO protocol?
>>>
>>> ...
>>
>>
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/66713d94-d1a6-4fc4-aef5-482df50978d2%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
