I think I'd better add some more detailed information about my case:

Currently I am using CAS 3.3.5; the client is 3.1.10. The CAS server and all the
client applications are sitting on the same server (weblogic), and all the client
apps are participants in SSO. The sign on process works very well for all the
client applications, and I can also sign out of a client application if I use
request.getSession().invalidate(). Now the problem is that I couldn't get
single sign out to work.....

Here is my Client app's web.xml setting: 


        <listener>
                <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
        </listener>

        <filter>
                <filter-name>CAS Single Sign Out Filter</filter-name>
                <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        </filter>

        <filter>
                <filter-name>CAS Authentication Filter</filter-name>
                <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
                <init-param>
                        <param-name>casServerLoginUrl</param-name>
                        <param-value>https://mydev.mydomain.org:7002/cas/login</param-value>
                </init-param>
                <init-param>
                        <param-name>serverName</param-name>
                        <param-value>https://mydev.mydomain.org:7002</param-value>
                </init-param>
                <init-param>
                        <param-name>renew</param-name>
                        <param-value>false</param-value>
                </init-param>
                <init-param>
                        <param-name>gateway</param-name>
                        <param-value>false</param-value>
                </init-param>
        </filter>

        <filter>
                <filter-name>CAS Validation Filter</filter-name>
                <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
                <init-param>
                        <param-name>casServerUrlPrefix</param-name>
                        <param-value>https://mydev.mydomain.org:7002/cas/</param-value>
                </init-param>
                <init-param>
                        <param-name>serverName</param-name>
                        <param-value>https://mydev.mydomain.org:7002</param-value>
                </init-param>
        </filter>

        <filter>
                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
                <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
        </filter>

        <filter>
                <filter-name>CAS Assertion Thread Local Filter</filter-name>
                <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
        </filter>

        <filter-mapping>
                <filter-name>CAS Authentication Filter</filter-name>
                <url-pattern>/protected/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
                <filter-name>CAS Validation Filter</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
                <filter-name>CAS Assertion Thread Local Filter</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>

        <filter-mapping>
                <filter-name>CAS Validation Filter</filter-name>
                <url-pattern>/proxyCallback</url-pattern>
        </filter-mapping>

        <filter-mapping>
                <filter-name>CAS Single Sign Out Filter</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>


Here is the argumentExtractorsConfiguration.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
       http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">
        <description>
                Argument Extractors are what are used to translate HTTP requests into requests of the appropriate protocol (i.e. CAS, SAML, SAML2,
                OpenId, etc.).  By default CAS and SAML are enabled.
        </description>
        <bean id="casArgumentExtractor"
                class="org.jasig.cas.web.support.CasArgumentExtractor"
                p:httpClient-ref="httpClient" />

        <bean id="samlArgumentExtractor"
                class="org.jasig.cas.web.support.SamlArgumentExtractor"
                p:httpClient-ref="httpClient" />

        <util:list id="argumentExtractors">
                <ref bean="casArgumentExtractor" />
                <ref bean="samlArgumentExtractor" />
        </util:list>
</beans>


From the client application, I just simply add a link, which redirects to:
https://mydev.mydomain.org:7002/cas/logout?url=/casClient


After I click this logout link in the client app, I do see CAS's logout
confirmation page. Based on my understanding, the CAS server is supposed to send
out a "POST" request to all registered applications, but it seems that does not
happen....

I checked cas.log on the app server, which has no records about logout....or any
records about httpClient....Here is part of cas.log:

2010-08-04 16:51:15,958 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: testUser]
2010-08-04 16:51:16,005 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-uB5GQK0DlpPnJdZc57Ix-cas] for service [https://mydev.mydomain.org:7002/casClient2/protected/index.jsp] for user [testUser]
......

Then there are no records at all about sending a request back to the client app,
not even any info about "sign out"....


I also checked access.log on my weblogic server, and here are the records saved:


129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp?ticket=ST-16-HzmgD6XNY0O1eIrjCv5P-cas HTTP/1.1" 302 327
129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp HTTP/1.1" 200 1023
172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "POST /casClient2/protected/index.jsp HTTP/1.1" 302 511
129.112.115.6 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/logout?url=/casClient2 HTTP/1.1" 200 1671
172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/login?service=https%3A%2F%2Fmydev.mydomain.org%3A7002%2FcasClient2%2Fprotected%2Findex.jsp HTTP/1.1" 200 3696
129.112.115.6 - - [04/Aug/2010:16:10:41 -0500] "GET /casClient2 HTTP/1.1" 302 289

There is no "POST" request received after the "GET" of the logout request...

In the CAS server, one thing I have changed is that I use a customized
authentication handler to do authentication. I am not sure whether this will
cause the issue. Here is part of deployerConfigContext.xml:

        <bean id="authenticationManager"
                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
                <property name="credentialsToPrincipalResolvers">
                        <list>
                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
                        </list>
                </property>
                <property name="authenticationHandlers">
                        <list>
                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                                        p:httpClient-ref="httpClient" />
                                <bean class="edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler" />
                        </list>
                </property>
        </bean>

        <bean id="userDetailsService"
                class="edu.utsw.ais.cas.authentication.service.ServiceUserDetailsServiceImpl">
        </bean>

        <bean id="attributeRepository"
                class="org.jasig.services.persondir.support.StubPersonAttributeDao">
                <property name="backingMap">
                        <map>
                                <entry key="uid" value="uid" />
                                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                                <entry key="groupMembership" value="groupMembership" />
                        </map>
                </property>
        </bean>

        <bean id="serviceRegistryDao"
                class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
                p:entityManagerFactory-ref="entityManagerFactory" />

        <bean id="entityManagerFactory"
                class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
                <property name="dataSource" ref="dataSource"/>
                <property name="jpaVendorAdapter">
                        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
                                <property name="generateDdl" value="true"/>
                                <property name="showSql" value="true" />
                        </bean>
                </property>
                <property name="jpaProperties">
                        <props>
                                <prop key="hibernate.dialect">org.hibernate.dialect.SQLServerDialect</prop>
                                <prop key="hibernate.hbm2ddl.auto">update</prop>
                        </props>
                </property>
        </bean>

        <bean id="transactionManager"
                class="org.springframework.orm.jpa.JpaTransactionManager">
                <property name="entityManagerFactory" ref="entityManagerFactory"/>
        </bean>

        <tx:annotation-driven transaction-manager="transactionManager"/>

        <bean id="dataSource"
                class="org.springframework.jdbc.datasource.DriverManagerDataSource">
                <property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
                <property name="url" value="jdbc:sqlserver://dbserver.mydomain.org;databaseName=casdb"/>
                <property name="username" value="cas"/>
                <property name="password" value="cas"/>
        </bean>
                
                



Seems like I've never been so close to creating our own functional CAS
server....Any suggestion is highly appreciated....Thank you very much.
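
Editor's added example, not part of the original message: a servlet container builds the filter chain in `<filter-mapping>` order, and the CAS client's single sign out setup expects the SingleSignOutFilter mapping ahead of the other CAS filter mappings so the server's logout POST reaches it first. The check below reports CAS filters mapped ahead of it; `check_slo_order` is a hypothetical helper name and the sample descriptor is constructed, trimmed from the web.xml above with the same mapping order.

```python
import xml.etree.ElementTree as ET

SLO_FILTER = "org.jasig.cas.client.session.SingleSignOutFilter"
CAS_PREFIX = "org.jasig.cas.client."

def _local(tag):
    """Strip an XML namespace so descriptors with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""

def check_slo_order(web_xml):
    """Return the CAS filters whose <filter-mapping> precedes the SLO filter's.

    An empty list means the ordering is as expected; None means no
    SingleSignOutFilter mapping exists at all.
    """
    root = ET.fromstring(web_xml)
    classes = {_text(f, "filter-name"): _text(f, "filter-class")
               for f in _children(root, "filter")}
    # Chain order follows <filter-mapping> order, not <filter> declaration order.
    order = [_text(m, "filter-name") for m in _children(root, "filter-mapping")]
    slo = [i for i, n in enumerate(order) if classes.get(n) == SLO_FILTER]
    if not slo:
        return None
    ahead = []
    for name in order[:slo[0]]:
        if classes.get(name, "").startswith(CAS_PREFIX) and name not in ahead:
            ahead.append(name)
    return ahead

# Constructed sample: two filters from the descriptor above, same mapping order.
SAMPLE = """<web-app>
  <filter><filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class></filter>
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class></filter>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print(check_slo_order(SAMPLE))
```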




>>> Bryan Wooten <[email protected]> 8/4/2010 12:04 PM >>>
Here is how to do it:

https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out 

Just add the listener and filter to your web.xml.

It is working well for me.

Bryan Wooten

[email protected] 
Work: 801.585.9323
Cell: 801.414.3593


-----Original Message-----
From: Jiangpeng Shi [mailto:[email protected]] 
Sent: Wednesday, August 04, 2010 10:51 AM
To: [email protected] 
Subject: [cas-user] a new single sign out question

I asked a question about an issue that I couldn't logout from SSO by using
request.getSession().invalidate(), and acevedo gave me a very good suggestion.
He helped me solve my issue very well. But it seems I am still having some issues
with Single sign out: How can I sign out of all client apps when I sign out from
one of the client apps?
My current case is:
I have 4 client apps, which all use CAS and SSO. For each client app, I am
using the following code in each client to log out:

request.getSession().invalidate();
response.sendRedirect("https://cas.mywork.org:7088/cas/logout?url=/myapp");

For each client, the logout works well, but it seems I have to log out of each
client one by one, which means I can't log out of all client apps together by
just signing out from one client application. Is there any way that we can let
a user sign out from one app and then sign out of all other Single Sign On client apps?

Thanks a lot in advance. 

--Jiangpeng Shi




-- 
You are currently subscribed to [email protected] as: 
[email protected] 
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user 

