Custom Logout Issue in CAS integrated with Spring

Mckenzie John
Greenhorn

Joined: Sep 21, 2012
Posts: 16
Hi,

I have a problem with the Logout functionality in my application, which is using CAS integrated with Spring Security. My Spring configuration is as below:

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <!-- URL redirected to after logout success -->
    <constructor-arg value="https://casURL/cas-server-webapp-3.5.1/logout?service=applnURL"/>

    <constructor-arg>
        <list>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            <bean class="com.blah.blah.sso.logout.CustomLogoutHandler"/>
        </list>
    </constructor-arg>
</bean>

On clicking the Logout link in my application, the URL /j_spring_security_logout is called, which invalidates the session in SecurityContextLogoutHandler and redirects to the service as in the constructor. Our expected behaviour is that CAS must log itself out, invalidate the session both in CAS and the application, and redirect to the service configured as above.

What actually happens is that the service URL is getting called, but CAS is not creating the ST for the valid user I give at THIS point of time in the CAS login page.

Any help please.

Thanks,
Mckenzie
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1648
    

Once again please UseCodeTags <-click

Not sure I am understanding but why not just replace all that with



You can have a look at this link too; maybe it applies to what you are trying to do.
http://forum.springsource.org/showthread.php?99859-spring-security-3-and-CAS-logout


Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1648
    

I noticed in that link that if you are using https you may need absolute paths
Mckenzie John
Greenhorn

Joined: Sep 21, 2012
Posts: 16
Bill Gorder,

Thanks for the response. The root cause is that I can see that the CAS TGC cookie still exists in the browser, which needs to be invalidated. If you look at the Spring config shared, you can see that I am doing exactly the same:



1) Calling j_spring_security_logout, which invalidates the application session and also clears the security context.

2) On success, we are directly calling /cas/logout (please see the constructor arg for LogoutFilter), to which we have appended the URL param for where the user has to be finally sent.


What I can see is that the TGT for the session in CAS is getting destroyed, but we can see the CASTGC cookie still sits in the browser. There is also no trail in the logs as to the cookie being destroyed or expired.

I understand that we need to somehow incorporate the /j_spring_cas_security_logout, which will invoke the Single SignOut Filter that I believe will expire/remove the cookie. But my requirement is that it has to be in addition to my already configured j_spring_security_logout.

Some help in this direction will be helpful.

And yeah my URLs are absolute

Thanks,
Mckenzie
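
An added diagnostic example, not part of any post in this thread: given the Set-Cookie header that issued CASTGC at login and the Set-Cookie headers captured on the /cas/logout response, it reports whether the logout response would actually remove the cookie from the browser. The header values are constructed samples, the function names are hypothetical, and both responses are assumed to carry explicit Path/Domain attributes where they matter.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def is_expiring(cookie, now):
    """True if the cookie tells the browser to delete it (RFC 6265)."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # an unparsable Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False

def scope(cookie):
    """Path and domain as the browser compares them when replacing a cookie."""
    attrs = cookie["attrs"]
    return attrs.get("path", ""), attrs.get("domain", "").lower().lstrip(".")

def check_logout_clears(login_header, logout_headers, now=None):
    """Return 'cleared', 'no-set-cookie', 'not-expiring' or 'scope-mismatch'."""
    now = now or datetime.now(timezone.utc)
    issued = parse_set_cookie(login_header)
    findings = []
    for header in logout_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] != issued["name"]:
            continue  # some other cookie, e.g. JSESSIONID
        if not is_expiring(cookie, now):
            findings.append("not-expiring")
        elif scope(cookie) != scope(issued):
            findings.append("scope-mismatch")  # browser keeps the original
        else:
            return "cleared"
    return findings[0] if findings else "no-set-cookie"

LOGIN = "CASTGC=TGT-1-constructed; Path=/cas; Secure"  # constructed sample
```

A result of "scope-mismatch" or "no-set-cookie" points at the logout response itself (cookie path/domain settings or the URL actually hit) rather than at the application-side logout filter.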
 