It's hard to understand what you are after, but perhaps take a look at the sample CASyfied Spring Boot web app: https://github.com/UniconLabs/bootiful-cas-client [https://github.com/UniconLabs/bootiful-cas-client] Cheers, D.
On Mon, Jun 13, 2016 at 02:06, Atul shinde <[email protected]> wrote: HI .. i am trying to spring boot service for centralize authentication for any login service can authenticate in as a server level and provide token for login serves. how to create server service and client service for login page . help for that. On Thu, Jun 9, 2016 at 9:20 PM, Jonathan Labin < [email protected] [[email protected]] > wrote: My web.xml: <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value> http://mycasserver [http://mycasserver] </param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <listener> <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class> </listener> <context-param> <param-name>shiroConfigLocations</param-name> <param-value>/WEB-INF/shiro/shiro.ini</param-value> </context-param> <filter> <filter-name>ShiroFilter</filter-name> <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class> </filter> <filter-mapping> <filter-name>ShiroFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher> <dispatcher>ERROR</dispatcher> </filter-mapping> <welcome-file-list> <welcome-file>index.jsp</welcome-file> </welcome-file-list> I hope that helps On Monday, May 30, 2016 at 3:24:02 AM UTC-4, Sankalp Sharma wrote: Hi Jonathan, I am having the same problem as you had but even after ordering the web.xml as you described, I am still stuck with the error. I have debugged the cas java client code to find why Single Logout not working and found out that cas-server is sending the Logout request(BACK_CHANNEL) to each application but some java clients are unable to handle and there is no error in the logs. Please provide a solution and Can you please post your applications web.xml for better understanding and it will be very helpful if you can have a look at this page https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/single$20logout/cas-user/Tn1kPEOFvAY/sESb-nI3BAAJ [https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/single$20logout/cas-user/Tn1kPEOFvAY/sESb-nI3BAAJ] Regards, Sankalp On Wednesday, January 13, 2016 at 6:51:25 PM UTC+5:30, Jonathan Labin wrote: It looks like my web.xml was out of order. I collected all of the SLO elements first (filter, filter-mapping, and listener), all of the authentication elements next, and finally all of the validation elements at the end. After doing that SLO seems to work as one might hope. So is the statement from the Jasig/java-cas-client Recommended Logout Procedure [https://github.com/Jasig/java-cas-client#recommend-logout-procedure] untrue? The client has no code to help you handle log out. The client merely places objects in session. Therefore, we recommend you do a session.invalidate() call when you log a user out. However, that's entirely your application's responsibility. It seems that it does end the session on receipt of a SLO message from the CAS server. Or am I still confused about what is happening? On Monday, January 11, 2016 at 1:36:34 PM UTC-5, Misagh Moayyed wrote:No there is. That is the configuration you have. Cookies are not deleted, yes, but your session is gone which is mostly what you care about. If you are not seeing SLO, look into your logs and see what is happening. From: Jonathan Labin [mailto: [email protected] ] Sent: Monday, January 11, 2016 11:29 AM To: CAS Community < [email protected] > Cc: [email protected] Subject: Re: [cas-user] Re: Help with SLO and Java Web Client Thanks for the advice. I'm not trying to bypass the nuances of SLO. I'm trying to find out if there is any way to enable SLO in a simple cookies-based webapp (like the sample provided by UniconLabs [https://github.com/UniconLabs/cas-sample-java-webapp] ). It sounds like there is not and I'll have to use one of the compatible security frameworks like Shiro or Spring Security. On Monday, January 11, 2016 at 11:13:19 AM UTC-5, Misagh Moayyed wrote: Your SLO filter is designed to do just that. It grabs onto the request, examines it and if it considers it an SLO request it will attempt to terminate the session. It also does nothing with cookies, if I recall. There are no other flags. I guess what you are trying to do is advise the webapp to log itself out on the next try, so as to preserve the current user session so as to lose any work? In that case, why don’t you just turn SLO off? What does SLO mean at that point? At any rate, I don’t know of a sane way you could manage/implement what you propose, unless you wrote your filter that set that flag and did its own thing with the session, and even then, I am not sure you can fully get there. Way too many variables can go wrong. If you are trying to bypass the nuances of SLO, you won’t be able to. You either accept SLO as is, or you turn it off and let the app do its own thing separate from the CAS SSO session. I dare say the latter is more common. From: [email protected] [mailto: [email protected] ] On Behalf Of Jonathan Labin Sent: Monday, January 11, 2016 8:11 AM To: CAS Community < [email protected] > Subject: [cas-user] Re: Help with SLO and Java Web Client To simplify the question: Is there no way to write a webapp to respond to the logout callback by setting some flag. Then on the next access by the client browser this flag could be noticed and the session terminated (along with cookies)? Is this approach inadvisable or not possible for some reason? Thanks On Tuesday, January 5, 2016 at 11:33:54 AM UTC-5, Jonathan Labin wrote: I am having trouble with the the single log out feature. I am using CAS server 4.1.3 and client web apps based on the sample provided by UniconLabs [https://github.com/UniconLabs/cas-sample-java-webapp] . After modification according to the java client readme [https://github.com/Jasig/java-cas-client#configuring-single-sign-out] : <?xml version="1.0" encoding="UTF-8"?> <web-app version="2.4" xmlns=" http://java.sun.com/xml/ns/j2ee [http://java.sun.com/xml/ns/j2ee] " xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance [http://www.w3.org/2001/XMLSchema-instance] " xsi:schemaLocation=" http://java.sun.com/xml/ns/j2ee [http://java.sun.com/xml/ns/j2ee] http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd [http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd] "> <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class> <!-- <init-param> <param-name>casServerUrlPrefix</param-name> <param-value> https://localhost:8181/cas [https://localhost:8181/cas] </param-value> </init-param> --> </filter> <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value> https://localhost:8181/cas/login [https://localhost:8181/cas/login] </param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value> https://localhost:8181 [https://localhost:8181] </param-value> </init-param> </filter> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value> https://localhost:8181/cas [https://localhost:8181/cas] </param-value> </init-param> <init-param> <param-name>serverName</param-name> <param-value> https://localhost:8181 [https://localhost:8181] </param-value> </init-param> <init-param> <param-name>redirectAfterValidation</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>useSession</param-name> <param-value>true</param-value> </init-param> <!-- <init-param> <param-name>acceptAnyProxy</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>proxyReceptorUrl</param-name> <param-value>/cas-sample-java-webapp/proxyUrl</param-value> </init-param> <init-param> <param-name>proxyCallbackUrl</param-name> <param-value> https://localhost:8181/cas-sample-java-webapp/proxyUrl [https://localhost:8181/cas-sample-java-webapp/proxyUrl] </param-value> </init-param> --> </filter> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <welcome-file-list> <welcome-file> index.jsp </welcome-file> </welcome-file-list> </web-app> I can successfully log in to the web application through CAS authentication. When I log out at CAS server in another tab using: https://localhost:8181/cas/logout [https://localhost:8181/cas/logout] I receive confirmation that logout was successful. The server log shows: 2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org [http://ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org] </samlp:SessionIndex></samlp:LogoutRequest>]> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [ https://localhost:8181/cas-sample-java-webapp-2/ [https://localhost:8181/cas-sample-java-webapp-2/] ]> 2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url= https://localhost:8181/cas-sample-java-webapp-2/,message= [https://localhost:8181/cas-sample-java-webapp-2/,message=] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org [http://ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org] </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId= ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org [http://ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org] ,service= https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS] [https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS%5D] ]> 2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org [http://ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org] </samlp:SessionIndex></samlp:LogoutRequest>]> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [ https://localhost:8181/cas-sample-java-webapp-1/ [https://localhost:8181/cas-sample-java-webapp-1/] ]> 2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url= https://localhost:8181/cas-sample-java-webapp-1/,message= [https://localhost:8181/cas-sample-java-webapp-1/,message=] <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex> ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org [http://ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org] </samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]> 2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId= ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org [http://ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org] ,service= https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS] [https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS%5D] ]> and then to complete the TICKET_GRANTING_TICKET_DESTROYED action. I'm not exactly sure what i'm looking for but a few things stand out. 1) I see that the chain for logout of each client webapp ends with the term status=SUCCESS. Is that indicative of a successful logout or simply that the POST was made. 2) There are a number of places where SAML shows up in that log segment. Does that mean I need to run the SAML protocol on my client? If so, is that in addition to or in replacement of the CAS ticket validation filter or are those unrelated? After the logout I am still able to navigate the test client application(s) so the session has not been ended. Assuming that my configuration of server and client are correct (may not be true), What should my application do to correctly respond to the SLO protocol? I see the line in the client documentation stating: The client has no code to help you handle log out. The client merely places objects in session. but what objects are placed into the session and how should the client be written to recognize these objects and perform a session invalidation on the next access attempt? Are there any simple examples of a web client that appropriately responds to the SLO protocol? ... -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] [[email protected]] . To post to this group, send email to [email protected] [[email protected]] . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ [https://groups.google.com/a/apereo.org/group/cas-user/] . To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/66713d94-d1a6-4fc4-aef5-482df50978d2%40apereo.org [https://groups.google.com/a/apereo.org/d/msgid/cas-user/66713d94-d1a6-4fc4-aef5-482df50978d2%40apereo.org?utm_medium=email&utm_source=footer] . For more options, visit https://groups.google.com/a/apereo.org/d/optout [https://groups.google.com/a/apereo.org/d/optout] . -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] [[email protected]] . To post to this group, send email to [email protected] [[email protected]] . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ [https://groups.google.com/a/apereo.org/group/cas-user/] . To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAE7%2Ber8vF%2BFPRYrWpSOs%2BcX65eXNf3bFLHdoMkHv54L6f-LY6A%40mail.gmail.com [https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAE7%2Ber8vF%2BFPRYrWpSOs%2BcX65eXNf3bFLHdoMkHv54L6f-LY6A%40mail.gmail.com?utm_medium=email&utm_source=footer] . For more options, visit https://groups.google.com/a/apereo.org/d/optout [https://groups.google.com/a/apereo.org/d/optout] . -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e979d44f-e683-4567-8f46-b773e9f4a3d5%40unicon.net. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
