Let me know if this is clearer:
https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1

On Thu, Aug 5, 2010 at 12:48 PM, Scott Battaglia <[email protected]> wrote:

> No worries.  It's tough to remember whether the filter definition or the
> mapping defines the order.  Now you'll know for future reference ;-)
>
> I'll also update the wiki doc to say you need to check the filter mappings.
>
> Cheers,
> Scott
>
>
> On Thu, Aug 5, 2010 at 12:34 PM, Jiangpeng Shi <[email protected]> wrote:
>
>> Hey Scott,
>>
>> This is really embarrassing....I checked twice and was pretty confident
>> that my single log out filter is the first in the chain! But I didn't
>> realize that the filter's mapping is not....
>> After I moved the filter's mapping setting to the top, everything
>> works like magic....I spent a whole morning reading a bunch of log files and
>> trying to find some clue but never thought to check the filter's mapping
>> setting. Thank you so so much....I couldn't get this to work without your help!
>> And Bryan, thank you for the help, too.....
>>
>> --Jiangpeng Shi
>>
>> >>> Scott Battaglia <[email protected]> 8/5/2010 11:16 AM >>>
>> Your Single Log Out Filter has to be first in the chain if you want it to
>> process log out requests.
>>
>>
>> On Wed, Aug 4, 2010 at 6:03 PM, Jiangpeng Shi <[email protected]> wrote:
>>
>> > I think I'd better add some more detailed information about my case:
>> >
>> > Currently I am using CAS 3.3.5, the client is 3.1.10. All the CAS server
>> > and client applications are sitting in the same server (weblogic), and all the
>> > client apps are participants of SSO. The sign on process works very well for
>> > all the client applications, and I can also sign out of a client application if
>> > I use request.getSession().invalidate(). Now the problem is that I couldn't
>> > get single sign out to work.....
>> >
>> > Here is my Client app's web.xml setting:
>> >
>> >
>> >        <listener>
>> >                <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>> >        </listener>
>> >
>> >        <filter>
>> >                <filter-name>CAS Single Sign Out Filter</filter-name>
>> >                <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>> >        </filter>
>> >
>> >        <filter>
>> >                <filter-name>CAS Authentication Filter</filter-name>
>> >                <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>> >                <init-param>
>> >                        <param-name>casServerLoginUrl</param-name>
>> >                        <param-value>https://mydev.mydomain.org:7002/cas/login</param-value>
>> >                </init-param>
>> >                <init-param>
>> >                        <param-name>serverName</param-name>
>> >                        <param-value>https://mydev.mydomain.org:7002</param-value>
>> >                </init-param>
>> >                <init-param>
>> >                        <param-name>renew</param-name>
>> >                        <param-value>false</param-value>
>> >                </init-param>
>> >                <init-param>
>> >                        <param-name>gateway</param-name>
>> >                        <param-value>false</param-value>
>> >                </init-param>
>> >        </filter>
>> >
>> >        <filter>
>> >                <filter-name>CAS Validation Filter</filter-name>
>> >                <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>> >                <init-param>
>> >                        <param-name>casServerUrlPrefix</param-name>
>> >                        <param-value>https://mydev.mydomain.org:7002/cas/</param-value>
>> >                </init-param>
>> >                <init-param>
>> >                        <param-name>serverName</param-name>
>> >                        <param-value>https://mydev.mydomain.org:7002</param-value>
>> >                </init-param>
>> >        </filter>
>> >
>> >        <filter>
>> >                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>> >                <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
>> >        </filter>
>> >
>> >        <filter>
>> >                <filter-name>CAS Assertion Thread Local Filter</filter-name>
>> >                <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
>> >        </filter>
>> >
>> >
>> >        <filter-mapping>
>> >                <filter-name>CAS Authentication Filter</filter-name>
>> >                <url-pattern>/protected/*</url-pattern>
>> >        </filter-mapping>
>> >
>> >        <filter-mapping>
>> >                <filter-name>CAS Validation Filter</filter-name>
>> >                <url-pattern>/*</url-pattern>
>> >        </filter-mapping>
>> >
>> >        <filter-mapping>
>> >                <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
>> >                <url-pattern>/*</url-pattern>
>> >        </filter-mapping>
>> >
>> >        <filter-mapping>
>> >                <filter-name>CAS Assertion Thread Local Filter</filter-name>
>> >                <url-pattern>/*</url-pattern>
>> >        </filter-mapping>
>> >
>> >        <filter-mapping>
>> >                <filter-name>CAS Validation Filter</filter-name>
>> >                <url-pattern>/proxyCallback</url-pattern>
>> >        </filter-mapping>
>> >
>> >        <filter-mapping>
>> >                <filter-name>CAS Single Sign Out Filter</filter-name>
>> >                <url-pattern>/*</url-pattern>
>> >        </filter-mapping>
>> >
>> >
>> > Here is the argumentExtractorsConfiguration.xml:
>> >
>> > <beans xmlns="http://www.springframework.org/schema/beans"
>> >        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >        xmlns:p="http://www.springframework.org/schema/p"
>> >        xmlns:util="http://www.springframework.org/schema/util"
>> >        xsi:schemaLocation="http://www.springframework.org/schema/beans
>> >                http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>> >                http://www.springframework.org/schema/util
>> >                http://www.springframework.org/schema/util/spring-util-2.0.xsd">
>> >        <description>
>> >                Argument Extractors are what are used to translate HTTP
>> >                requests into requests of the appropriate protocol (i.e. CAS, SAML, SAML2,
>> >                OpenId, etc.).  By default CAS and SAML are enabled.
>> >        </description>
>> >        <bean id="casArgumentExtractor"
>> >                class="org.jasig.cas.web.support.CasArgumentExtractor"
>> >                p:httpClient-ref="httpClient" />
>> >
>> >        <bean id="samlArgumentExtractor"
>> >                class="org.jasig.cas.web.support.SamlArgumentExtractor"
>> >                p:httpClient-ref="httpClient" />
>> >
>> >        <util:list id="argumentExtractors">
>> >                <ref bean="casArgumentExtractor" />
>> >                <ref bean="samlArgumentExtractor" />
>> >        </util:list>
>> > </beans>
>> >
>> >
>> > From the client application, I just simply add a link, which redirects to:
>> > https://mydev.mydomain.org:7002/cas/logout?url=/casClient
>> >
>> >
>> > After I click this logout link in the client app, I do see CAS's log out
>> > confirm page. Based on my understanding, the CAS server is supposed to send out a
>> > "POST" request to all registered applications, but it seems that does not happen....
>> >
>> > I checked cas.log in the app server, which has no records about log out....or any
>> > records about httpClient....Here is part of cas.log:
>> >
>> > 2010-08-04 16:51:15,958 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: testUser]
>> > 2010-08-04 16:51:16,005 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-uB5GQK0DlpPnJdZc57Ix-cas] for service [https://mydev.mydomain.org:7002/casClient2/protected/index.jsp] for user [testUser]
>> > ......
>> >
>> > Then there are no records about sending a request back to the client app, not
>> > even any info about "sign out"....
>> >
>> >
>> > I also checked access.log in my weblogic server, and here is the record saved:
>> >
>> >
>> > 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp?ticket=ST-16-HzmgD6XNY0O1eIrjCv5P-cas HTTP/1.1" 302 327
>> > 129.112.115.6 - - [04/Aug/2010:16:09:51 -0500] "GET /casClient2/protected/index.jsp HTTP/1.1" 200 1023
>> > 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "POST /casClient2/protected/index.jsp HTTP/1.1" 302 511
>> > 129.112.115.6 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/logout?url=/casClient2 HTTP/1.1" 200 1671
>> > 172.18.101.182 - - [04/Aug/2010:16:10:00 -0500] "GET /cas/login?service=https%3A%2F%2Fmydev.mydomain.org%3A7002%2FcasClient2%2Fprotected%2Findex.jsp HTTP/1.1" 200 3696
>> > 129.112.115.6 - - [04/Aug/2010:16:10:41 -0500] "GET /casClient2 HTTP/1.1" 302 289
>> >
>> > There is no "POST" request received after the "GET" of the log out
>> > request...
>> >
>> > In the CAS server, one thing I have changed is that I use a customized
>> > authentication handler to do authentication. I am not sure this will cause
>> > the issue? Here is the part of deployerConfigContext.xml:
>> >
>> >        <bean id="authenticationManager"
>> >                class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>> >                <property name="credentialsToPrincipalResolvers">
>> >                        <list>
>> >                                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>> >                                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>> >                        </list>
>> >                </property>
>> >                <property name="authenticationHandlers">
>> >                        <list>
>> >                                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
>> >                                        p:httpClient-ref="httpClient" />
>> >                                <bean class="edu.utsw.ais.cas.authentication.UTSWSimpleAuthenticationHandler" />
>> >                        </list>
>> >                </property>
>> >        </bean>
>> >
>> >        <bean id="userDetailsService"
>> >                class="edu.utsw.ais.cas.authentication.service.ServiceUserDetailsServiceImpl">
>> >        </bean>
>> >
>> >        <bean id="attributeRepository"
>> >                class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>> >                <property name="backingMap">
>> >                        <map>
>> >                                <entry key="uid" value="uid" />
>> >                                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>> >                                <entry key="groupMembership" value="groupMembership" />
>> >                        </map>
>> >                </property>
>> >        </bean>
>> >
>> >        <bean id="serviceRegistryDao"
>> >                class="org.jasig.cas.services.JpaServiceRegistryDaoImpl"
>> >                p:entityManagerFactory-ref="entityManagerFactory" />
>> >
>> >        <bean id="entityManagerFactory"
>> >                class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
>> >                <property name="dataSource" ref="dataSource"/>
>> >                <property name="jpaVendorAdapter">
>> >                        <bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
>> >                                <property name="generateDdl" value="true"/>
>> >                                <property name="showSql" value="true" />
>> >                        </bean>
>> >                </property>
>> >                <property name="jpaProperties">
>> >                        <props>
>> >                                <prop key="hibernate.dialect">org.hibernate.dialect.SQLServerDialect</prop>
>> >                                <prop key="hibernate.hbm2ddl.auto">update</prop>
>> >                        </props>
>> >                </property>
>> >        </bean>
>> >
>> >        <bean id="transactionManager"
>> >                class="org.springframework.orm.jpa.JpaTransactionManager">
>> >                <property name="entityManagerFactory" ref="entityManagerFactory"/>
>> >        </bean>
>> >
>> >        <tx:annotation-driven transaction-manager="transactionManager"/>
>> >
>> >        <bean id="dataSource"
>> >                class="org.springframework.jdbc.datasource.DriverManagerDataSource">
>> >                <property name="driverClassName" value="com.microsoft.sqlserver.jdbc.SQLServerDriver"/>
>> >                <property name="url" value="jdbc:sqlserver://dbserver.mydomain.org;databaseName=casdb"/>
>> >                <property name="username" value="cas"/>
>> >                <property name="password" value="cas"/>
>> >        </bean>
>> >
>> >
>> >
>> >
>> >
>> > Seems like I've never been so close to creating our own functional CAS
>> > server....Any suggestion is highly appreciated....Thank you very much.
>> >
>> >
>> >
>> >
>> > >>> Bryan Wooten <[email protected]> 8/4/2010 12:04 PM >>>
>> > Here is how to do it:
>> >
>> > https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out
>> >
>> > Just add the listener and filter to your web.xml.
>> >
>> > It is working well for me.
>> >
>> > Bryan Wooten
>> >
>> > [email protected]
>> > Work: 801.585.9323
>> > Cell: 801.414.3593
>> >
>> >
>> > -----Original Message-----
>> > From: Jiangpeng Shi [mailto:[email protected]]
>> > Sent: Wednesday, August 04, 2010 10:51 AM
>> > To: [email protected]
>> > Subject: [cas-user] a new single sign out question
>> >
>> > I asked a question about an issue that I couldn't logout from SSO by using
>> > request.getSession().invalidate(), and acevedo gave me a very good
>> > suggestion. He helped me solve my issue very well. But it seems I am still
>> > having some issues with Single sign out: How can I sign out all client apps
>> > when I sign out from one of the client apps?
>> > My current case is:
>> > I have 4 client apps, which are all using CAS and SSO. For each client app, I am
>> > using the following code in each client to log out:
>> >
>> > request.getSession().invalidate();
>> > response.sendRedirect("https://cas.mywork.org:7088/cas/logout?url=/myapp");
>> >
>> > For each client, the log out works well, but it seems I have to logout each
>> > client one by one, which means I can't logout all client apps all together
>> > by just signing out from one client application. Is there any way that we
>> > can let the user sign out from one app and then sign out all other Single Sign On
>> > client apps?
>> >
>> > Thanks a lot in advance.
>> >
>> > --Jiangpeng Shi
>> >
>> >
>> >
>> >
>> > --
>> > You are currently subscribed to [email protected] as:
>> > [email protected]
>> > To unsubscribe, change settings or access archives, see
>> > http://www.ja-sig.org/wiki/display/JSG/cas-user
>> >
>> >
>> >
>> >
>>
>>
>>
>
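
The ordering problem resolved in this thread, as an added example that is not part of the original messages or of the CAS client: a check that reads a web.xml and reports whether the `SingleSignOutFilter` mapping is the first `<filter-mapping>`. The function names are hypothetical, the sample documents are constructed from the thread's filter names with every url-pattern simplified to `/*`, and the check assumes url-pattern mappings only, so document order is chain order.

```python
import xml.etree.ElementTree as ET

SLO_CLASS = "org.jasig.cas.client.session.SingleSignOutFilter"

# Constructed sample: filter names and classes from the thread, url-patterns
# simplified to /* so that only the mapping order differs between documents.
FILTERS = [
    ("CAS Single Sign Out Filter", SLO_CLASS),
    ("CAS Authentication Filter",
     "org.jasig.cas.client.authentication.AuthenticationFilter"),
    ("CAS Validation Filter",
     "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"),
]

def build_web_xml(mapping_order):
    """Declare FILTERS in list order but emit <filter-mapping>s in mapping_order."""
    decl = "".join(
        "<filter><filter-name>%s</filter-name>"
        "<filter-class>%s</filter-class></filter>" % f for f in FILTERS)
    maps = "".join(
        "<filter-mapping><filter-name>%s</filter-name>"
        "<url-pattern>/*</url-pattern></filter-mapping>" % n for n in mapping_order)
    return "<web-app>" + decl + maps + "</web-app>"

def _local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present

def _text(parent, name):
    for child in parent:
        if _local(child) == name:
            return " ".join((child.text or "").split())  # undo line wrapping
    return ""

def check_single_sign_out_first(web_xml):
    """Return (ok, detail); ok only if the first <filter-mapping> is the SLO filter."""
    root = ET.fromstring(web_xml)
    slo = {_text(f, "filter-name") for f in root
           if _local(f) == "filter" and _text(f, "filter-class") == SLO_CLASS}
    order = [_text(m, "filter-name") for m in root if _local(m) == "filter-mapping"]
    if not slo:
        return False, "SingleSignOutFilter is not declared"
    pos = [i for i, name in enumerate(order) if name in slo]
    if not pos:
        return False, "SingleSignOutFilter is declared but has no filter-mapping"
    if pos[0] != 0:
        return False, "%r is mapped before single sign out (mapping #%d)" % (order[0], pos[0] + 1)
    return True, "single sign out mapping is first"

BROKEN = build_web_xml([n for n, _ in FILTERS[1:]] + [FILTERS[0][0]])  # SLO mapped last
FIXED = build_web_xml([n for n, _ in FILTERS])  # SLO mapped first

if __name__ == "__main__":
    for label, doc in (("as posted", BROKEN), ("fixed", FIXED)):
        print(label, check_single_sign_out_first(doc))
```

Both sample documents declare the single sign out `<filter>` first, which is why checking the `<filter>` elements alone does not reveal the problem.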
