Bill Gorder ,
Thanks for the response. The root cause is that i can see that the CAS TGC cookie still existing on the browser , which needs to be invalidated. If you could see the spring config shared , you can see that i am exactly doing the same
1) calling j_spring_security_logout which invalidates application session and also clears security context.
2) On the success , we are directly calling the /cas/logout (please see the constructor arg for LogoutFilter) with which we have appended the url param to where the user has to be finally sent.
What I can see is that the TGT for the session in CAS is getting destroyed, but we can see the CASTGC cookie still sits in the browser. There is also no trail in the logs as to the cookie being destroyed or expired.
I understand that we need to somehow incorporate the /j_spring_cas_security_logout which will invoke the Single SignOut Filter that i believe will expire/remove the cookie. But my requirement is it has to be in addition to my already configured j_spring_security_logout.
Some help in this direction will be helpful.
And yeah my URLs are absolute
Thanks,
Mckenzie