On clicking the Logout link in my application, with the URL /j_spring_security_logout, the session is invalidated in SecurityContextLogoutHandler and the user is redirected to the service as in the constructor. Our expected behaviour is that CAS must log itself out, invalidate the session both in CAS and in the application, and redirect to the service configured as above.
What actually happens is that the service URL is getting called, but CAS is not creating the ST for the valid user I give at this point in time in the CAS login page.
Thanks for the response. The root cause is that I can see the CAS TGC cookie still existing in the browser, which needs to be invalidated. If you look at the Spring config shared, you can see that I am doing exactly the same:
1) Calling j_spring_security_logout, which invalidates the application session and also clears the security context.
2) On success, we directly call /cas/logout (please see the constructor arg for LogoutFilter), to which we have appended the URL param for where the user has to be finally sent.
What I can see is that the TGT for the session in CAS is getting destroyed, but we can see the CASTGC cookie still sits in the browser. There is also no trail in the logs as to the cookie being destroyed or expired.
I understand that we need to somehow incorporate /j_spring_cas_security_logout, which will invoke the Single SignOut Filter that I believe will expire/remove the cookie. But my requirement is that it has to be in addition to my already configured j_spring_security_logout.
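
Added example (not part of the original posts, and not CAS or Spring Security code): a diagnostic for the symptom described above, checking whether the `Set-Cookie` headers returned by `/cas/logout` actually expire the CASTGC cookie the browser holds. The function names, the `/cas` path and the sample headers are assumptions constructed for illustration; only the cookie name and Path are compared, not Domain.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def is_expiring(attrs, now):
    """True if Max-Age (checked first) or Expires tells the browser to drop the cookie."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) <= 0
        when = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return False  # missing or malformed expiry: the cookie is being set, not removed
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= now

def default_path(request_path):
    """Path a browser assumes when Set-Cookie carries no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def logout_clears_cookie(set_cookie_headers, stored, request_path, now=None):
    """Return (cleared, reason) for the stored cookie {'name': ..., 'path': ...}."""
    now = now or datetime.now(timezone.utc)
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != stored["name"]:
            continue
        if not is_expiring(attrs, now):
            return False, "cookie re-set, not expired"
        path = attrs.get("path") or default_path(request_path)
        if path != stored["path"]:  # a different Path is a different cookie to the browser
            return False, f"expiry sent for Path={path}, browser holds Path={stored['path']}"
        return True, "expired with matching path"
    return False, "no Set-Cookie for " + stored["name"]

if __name__ == "__main__":
    # Constructed sample: header as it might appear on the /cas/logout response.
    sample = ["CASTGC=; Path=/cas; Max-Age=0; Secure"]
    print(logout_clears_cookie(sample, {"name": "CASTGC", "path": "/cas/"}, "/cas/logout"))
```

Feed it the `Set-Cookie` values from the logout response and the name and Path the browser's cookie store shows for CASTGC.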