I followed the CAS Best Practices (https://wiki.jasig.org/display/CASUM/Best+Practice+-+Setting+Up+CAS+Locally+using+the+Maven+WAR+Overlay+Method) for building a "cas.war" (v4.0.0) and deploying it to Tomcat7. When I spin up Tomcat, I am able to access my CAS login page at:

> https://localhost:8443/cas/login

I then deploy one of my "client" apps (a Grails web app using Shiro for authentication), which comes online at:

> http://localhost:9100/myapp

I go to an authenticated URL for myapp.war (the CAS client app):

> http://localhost:9100/myapp/secret

I am successfully redirected to my CAS login page (for now, I'm using the default casLoginView.jsp). I check my browser cookies, and for the CAS site I have a JSESSIONID. I log in using the CAS default credentials (username is *casuser*; password is *Melon*) and am successfully redirected to http://localhost:9100/myapp/secret. Great success! I check my cookies again and see that I have the same exact JSESSIONID as well as a new CASTGC cookie.

I now go directly to my CAS logout page:

> https://localhost:8443/cas/logout

I see a "Logout successful" message, and check my cookies again. The CASTGC cookie is gone, and I still have a JSESSIONID; however, it's a different one than the first JSESSIONID that I got.

I now go back to my authenticated URL:

> http://localhost:9100/myapp/secret

I expect to be redirected to the CAS login page; instead I am allowed to view the /secret page and **appear to still be authenticated, even after logging out!!!**

I *believe* I need to implement the SingleSignOutFilter by placing it in myapp's web.xml as instructed here: https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out

My questions:

1. Will configuring SingleSignOutFilter in web.xml complete my implementation for single sign out, or is there more config that I need to do? If so, where?
2. Once single sign out is implemented, will it have the expected behavior that I describe above? Meaning, if I go to the /logout link, then any time I try to go to an authenticated URL, it should redirect me back to the /login page?
3. How can I tell which protocol (CAS 2.0 or SAML 1.1) I'm using? I should be using whatever default CAS 4.0.0 ships with, as I didn't override anything in my project.

Thanks in advance!
-- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
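The web.xml wiring the post refers to, as an added example rather than the poster's own configuration: the Jasig CAS client's SingleSignOutFilter plus the SingleSignOutHttpSessionListener that actually invalidates the local session when the CAS server sends its back-channel logout request. The filter name, the `/*` mapping and the client-version note are assumptions; the CAS server URL is the one from the post.

```xml
<!-- Fragment of the client app's (myapp) web.xml; other entries omitted. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- The listener is what ends the local session: when the CAS server
       POSTs a logoutRequest for a service ticket, the filter looks up the
       HttpSession that ticket created and this listener keeps the
       ticket -> session registry consistent as sessions are destroyed.
       Without it, the filter alone does not log the user out locally. -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!-- Declare this filter BEFORE the CAS authentication/validation filters:
       it must see the request carrying the "ticket" parameter in order to
       record which session that ticket belongs to. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    <!-- Assumed: java-cas-client 3.3 or newer, which accepts this parameter
         on the filter; the value is the CAS server from the post. -->
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://localhost:8443/cas</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <!-- Must cover the URL at which the service ticket is delivered and the
         URL the CAS server posts the logoutRequest to; /* covers both. -->
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
```

Both entries operate on the servlet HttpSession; if Shiro is configured with its native (non-servlet) session manager, that Shiro session is a separate object and is not ended by this invalidation. Single sign-out also depends on the CAS server being able to reach the client app's URL directly for the back-channel POST.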