No worries.  It's tough to remember whether the filter definition or the
mapping defines the order.  Now you'll know for future reference ;-)

I'll also update the wiki doc to say you need to check the filter mappings.

Cheers,
Scott
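
A check for the mistake resolved in this thread, added here as an example and not part of the original messages or of the CAS client: the container builds the chain from the order of the `<filter-mapping>` elements whose `url-pattern` matches, not from the order of the `<filter>` definitions. The sample `web.xml` is constructed from filter names in the configuration quoted further down, the helper names (`filter_chain`, `slo_is_first`) are hypothetical, and `servlet-name` mappings are not handled.

```python
import xml.etree.ElementTree as ET

SLO = "org.jasig.cas.client.session.SingleSignOutFilter"
FILTERS = {   # constructed sample: names and classes as in the quoted web.xml
    "CAS Single Sign Out Filter": SLO,
    "CAS Authentication Filter": "org.jasig.cas.client.authentication.AuthenticationFilter",
    "CAS Validation Filter": "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
}
AS_POSTED = [("CAS Authentication Filter", "/protected/*"),
             ("CAS Validation Filter", "/*"),
             ("CAS Single Sign Out Filter", "/*")]
FIXED = [AS_POSTED[-1]] + AS_POSTED[:-1]   # sign-out mapping moved to the top

def sample_web_xml(mappings):
    """Minimal web.xml: filters declared sign-out first, mappings in the given order."""
    defs = "".join(f"<filter><filter-name>{n}</filter-name>"
                   f"<filter-class>{c}</filter-class></filter>"
                   for n, c in FILTERS.items())
    maps = "".join(f"<filter-mapping><filter-name>{n}</filter-name>"
                   f"<url-pattern>{p}</url-pattern></filter-mapping>"
                   for n, p in mappings)
    return f'<web-app xmlns="http://java.sun.com/xml/ns/javaee">{defs}{maps}</web-app>'

def url_matches(pattern, path):
    """Servlet url-pattern match: path prefix ("/x/*"), extension ("*.x"), else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def filter_chain(web_xml, path):
    """Filter classes in the order the container invokes them for a context-relative path."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]           # drop the XML namespace
    text = lambda el, tag: " ".join(el.findtext(tag, "").split())
    classes = {text(f, "filter-name"): text(f, "filter-class") for f in root.iter("filter")}
    return [classes[text(m, "filter-name")]
            for m in root.iter("filter-mapping")  # document order = chain order
            if any(url_matches((u.text or "").strip(), path) for u in m.iter("url-pattern"))]

def slo_is_first(web_xml, path):
    chain = filter_chain(web_xml, path)
    return bool(chain) and chain[0] == SLO

if __name__ == "__main__":
    for order in (AS_POSTED, FIXED):
        print(filter_chain(sample_web_xml(order), "/protected/index.jsp"))
```

Run against a real descriptor by passing its text to `slo_is_first` for each protected path; a `False` result means the Single Sign Out filter is not the first one to see the request.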

On Thu, Aug 5, 2010 at 12:34 PM, Jiangpeng Shi <
[email protected]> wrote:

> Hey Scott,
>
> This is really embarrassing....I checked twice and was pretty confident
> that my single log out filter is the first in the chain! But I didn't
> realize that the filter's mapping is not....
> After I moved the filter's mapping setting to the top, everything works
> like magic....I spent a whole morning reading a bunch of log files and trying to
> find some clue but never thought to check the filter's mapping setting.
> Thank you so so much....I couldn't have gotten this to work without your help! And
> Bryan, thank you for the help, too.....
>
> --Jiangpeng Shi
>
> >>> Scott Battaglia <[email protected]> 8/5/2010 11:16 AM >>>
> Your Single Log Out Filter has to be first in the chain if you want it to
> process log out requests.
>
>
> On Wed, Aug 4, 2010 at 6:03 PM, Jiangpeng Shi <
> [email protected]> wrote:
>
> > I think I'd better add some more detailed information about my case:
> >
> > Currently I am using CAS 3.3.5, the client is 3.1.10. The CAS server
> > and all the client applications are sitting on the same server (weblogic), and all the
> > client apps are participants in SSO. The sign on process works very well for
> > all the client applications, and I can also sign out of a client application if
> > I use request.getSession().invalidate(). Now the problem is that I couldn't
> > get single sign out to work.....
> >
> > Here is my Client app's web.xml setting:
> >
> >        <listener>
> >                <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
> >        </listener>
> >
> >        <filter>
> >                <filter-name>CAS Single Sign Out Filter</filter-name>
> >                <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
> >        </filter>
> >
> >        <filter>
> >                <filter-name>CAS Authentication Filter</filter-name>
> >                <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
> >                <init-param>
> >                        <param-name>casServerLoginUrl</param-name>
> >                        <param-value>https://mydev.mydomain.org:7002/cas/login</param-value>
> >                </init-param>
> >                <init-param>
> >                        <param-name>serverName</param-name>
> >                        <param-value>https://mydev.mydomain.org:7002</param-value>
> >                </init-param>
> >                <init-param>
> >                        <param-name>renew</param-name>
> >                        <param-value>false</param-value>
> >                </init-param>
> >                <init-param>
> >                        <param-name>gateway</param-name>
> >                        <param-value>false</param-value>
> >                </init-param>
> >        </filter>
> >
> >        <filter>
> >                <filter-name>CAS Validation Filter</filter-name>
> >                <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
> >                <init-param>
> >                        <param-name>casServerUrlPrefix</param-name>
> >                        <param-value>https://mydev.mydomain.org:7002/cas/</param-value>
> >                </init-param>
> >                <init-param>
> >                        <param-name>serverName</param-name>
> >                        <param-value>https://mydev.mydomain.org:7002</param-value>
> >                </init-param>
> >        </filter>
> >
> >        <filter>
> >                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
> >                <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
> >        </filter>
> >
> >        <filter>
> >                <filter-name>CAS Assertion Thread Local Filter</filter-name>
> >                <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
> >        </filter>
> >
> >        <filter-mapping>
> >                <filter-name>CAS Authentication Filter</filter-name>
> >                <url-pattern>/protected/*</url-pattern>
> >        </filter-mapping>
> >
> >        <filter-mapping>
> >                <filter-name>CAS Validation Filter</filter-name>
> >                <url-pattern>/*</url-pattern>
> >        </filter-mapping>
> >
> >        <filter-mapping>
> >                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
> >                <url-pattern>/*</url-pattern>
> >        </filter-mapping>
> >
> >        <filter-mapping>
> >                <filter-name>CAS Assertion Thread Local Filter</filter-name>
> >                <url-pattern>/*</url-pattern>
> >        </filter-mapping>
> >
> >        <filter-mapping>
> >                <filter-name>CAS Validation Filter</filter-name>
> >                <url-pattern>/proxyCallback</url-pattern>
> >        </filter-mapping>
> >
> >        <filter-mapping>
> >                <filter-name>CAS Single Sign Out Filter</filter-name>
> >                <url-pattern>/*</url-pattern>
> >        </filter-mapping>
> >
> >
> > Here is the argumentExtractorsConfiguration.xml:
> >
> > <beans xmlns="http://www.springframework.org/schema/beans"
> >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >        xmlns:p="http://www.springframework.org/schema/p"
> >        xmlns:util="http://www.springframework.org/schema/util"
> >        xsi:schemaLocation="http://www.springframework.org/schema/beans
> >                http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> >                http://www.springframework.org/schema/util
> >                http://www.springframework.org/schema/util/spring-util-2.0.xsd">
> >        <description>
> >                Argument Extractors are what are used to translate HTTP
> >                requests into requests of the appropriate protocol (i.e. CAS, SAML, SAML2,
> >                OpenId, etc.).  By default CAS and SAML are enabled.
> >        </description>
> >        <bean id="casArgumentExtractor"
> >                class="org.jasig.cas.web.support.CasArgumentExtractor"
> >                p:httpClient-ref="httpClient" />
> >
> >        <bean id="samlArgumentExtractor"
> >                class="org.jasig.cas.web.support.SamlArgumentExtractor"
> >                p:httpClient-ref="httpClient" />
> >
> >        <util:list id="argumentExtractors">
> >                <ref bean="casArgumentExtractor" />
> >                <ref bean="samlArgumentExtractor" />
> >        </util:list>
> > </beans>
> >
> >
> > From the client application, I just simply add a link, which redirects to:
> > https://mydev.mydomain.org:7002/cas/logout?url=/casClient
> >
> >
> > After I click this logout link in the client app, I do see CAS's log out
> > confirm page. Based on my understanding, the CAS server is supposed to send out a
> > "POST" request to all registered applications, but it seems that does not happen....
> >
> > I checked cas.log on the app server, which has no records about log out....or any
> > records about httpClient....Here is part of cas.log:
> >
> > 2010-08-04 16:51:15,958 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: testUser]
> > 2010-08-04 16:51:16,005 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-uB5GQK0DlpPnJdZc57Ix-cas] for service [https://mydev.mydomain.org:7002/casClient2/protected/index.jsp] for user [testUser]
> > ......
> >
> > Then there are no records about sending a request back to the client app,
> > not even any info about "sign out"....
> >
> >
> > I also check access.log in my weblogic server, and here is record saved:
> >
> >
> > 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp?ticket=ST-16-HzmgD6XNY0O1eIrjCv5P-cas HTTP/1.1" 302 327
> > 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp HTTP/1.1" 200 1023
> > 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "POST /casClient2/protected/index.jsp HTTP/1.1" 302 511
> > 129.112.115.6 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/logout?url=/casClient2 HTTP/1.1" 200 1671
> > 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/login?service=https%3A%2F%2Fmydev.mydomain.org%3A7002%2FcasClient2%2Fprotected%2Findex.jsp HTTP/1.1" 200 3696
> > 129.112.115.6 - - [04/Aug/2010:16:10:41 -0500] "GET /casClient2 HTTP/1.1" 302 289
> >
> > There is no "POST" request received after the "GET" of the log out
> > request...
> >
> > In CAS server, one thing I have changed is I use a customized
> > authentication handler to do authentication. I am not sure this will cause
> > the issue? Here is the part of deployerConfigContext.xml:
> >
> >        <bean id="authenticationManager"
> >                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
> >                <property name="credentialsToPrincipalResolvers">
> >                        <list>
> >                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
> >                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
> >                        </list>
> >                </property>
> >                <property name="authenticationHandlers">
> >                        <list>
> >                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
> >                                        p:httpClient-ref="httpClient" />
> >                                <bean class="edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler" />
> >                        </list>
> >                </property>
> >        </bean>
> >
> >        <bean id="userDetailsService"
> >                class="edu.utsw.ais.cas.authentication.service.ServiceUserDetailsServiceImpl">
> >        </bean>
> >
> >        <bean id="attributeRepository"
> >                class="org.jasig.services.persondir.support.StubPersonAttributeDao">
> >                <property name="backingMap">
> >                        <map>
> >                                <entry key="uid" value="uid" />
> >                                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
> >                                <entry key="groupMembership" value="groupMembership" />
> >                        </map>
> >                </property>
> >        </bean>
> >
> >        <bean id="serviceRegistryDao"
> >                class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
> >                p:entityManagerFactory-ref="entityManagerFactory" />
> >
> >        <bean id="entityManagerFactory"
> >                class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
> >                <property name="dataSource" ref="dataSource"/>
> >                <property name="jpaVendorAdapter">
> >                        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
> >                                <property name="generateDdl" value="true"/>
> >                                <property name="showSql" value="true" />
> >                        </bean>
> >                </property>
> >                <property name="jpaProperties">
> >                        <props>
> >                                <prop key="hibernate.dialect">org.hibernate.dialect.SQLServerDialect</prop>
> >                                <prop key="hibernate.hbm2ddl.auto">update</prop>
> >                        </props>
> >                </property>
> >        </bean>
> >
> >        <bean id="transactionManager"
> >                class="org.springframework.orm.jpa.JpaTransactionManager">
> >                <property name="entityManagerFactory" ref="entityManagerFactory"/>
> >        </bean>
> >
> >        <tx:annotation-driven transaction-manager="transactionManager"/>
> >
> >        <bean id="dataSource"
> >                class="org.springframework.jdbc.datasource.DriverManagerDataSource">
> >                <property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
> >                <property name="url" value="jdbc:sqlserver://dbserver.mydomain.org;databaseName=casdb"/>
> >                <property name="username" value="cas"/>
> >                <property name="password" value="cas"/>
> >        </bean>
> >
> >
> >
> >
> >
> > Seems like I've never been so close to creating our own functional CAS
> > server....Any suggestion is highly appreciated....Thank you very much.
> >
> >
> >
> >
> > >>> Bryan Wooten <[email protected]> 8/4/2010 12:04 PM >>>
> > Here is how to do it:
> >
> > https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
> >
> > Just add the listener and filter to your web.xml.
> >
> > It is working well for me.
> >
> > Bryan Wooten
> >
> > [email protected]
> > Work: 801.585.9323
> > Cell: 801.414.3593
> >
> >
> > -----Original Message-----
> > From: Jiangpeng Shi [mailto:[email protected]]
> > Sent: Wednesday, August 04, 2010 10:51 AM
> > To: [email protected]
> > Subject: [cas-user] a new single sign out question
> >
> > I asked a question about an issue that I couldn't logout from SSO by using
> > request.getSession().invalidate(), and acevedo gave me a very good
> > suggestion. He helped me solve my issue very well. But it seems I am still
> > having some issues with Single sign out: How can I sign out of all client apps
> > when I sign out from one of the client apps?
> > My current case is:
> > I have 4 client apps, which all use CAS and SSO. For each client app, I am
> > using the following code in each client to log out:
> >
> > request.getSession().invalidate();
> > response.sendRedirect("https://cas.mywork.org:7088/cas/logout?url=/myapp");
> >
> > For each client, the log out works well, but it seems I have to log out of each
> > client one by one, which means I can't log out of all client apps together
> > by just signing out from one client application. Is there any way that we
> > can let the user sign out from one app and then sign out of all other Single Sign On
> > client apps?
> >
> > Thanks a lot in advance.
> >
> > --Jiangpeng Shi
> >
> >
> >
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user