All geek questions in one place

CAS Single logout not working

I am implementing Single-Sign-On + Single-Log-Out in a Java EE environment through CAS.

On the authentication side, I have cas-server-webapp v4.0.1. Then two simple Java + Spring MVC web applications with cas-client-corev3.1.10 .

No problems with one sign. If I access / app 1, I am redirected to the cas login page in cas-server-webapp. After user + pass is entered, I am redirected to / app 1 correctly authenticated. Also, if I go to / app 2, this one will get its authorization ticket. So far so good.

Regarding single logoff, maybe I misunderstood the doc : but this is what I am doing:

app1 and app2 have each Spring controller mapped to URL / logout:

 @Controller public class LogoutController { @RequestMapping("/logout") public String logout(HttpSession session){ session.invalidate(); return "redirect:https://cas-server-host:8443/cas/logout?service=http://cas-server-host:9080/cas1/action/index"; } }

That is, I will cancel the http session and redirect the exit URL from the server server so that the tickets are invalid.

In the cas server log, I see that it destroys the TGT ticket and sends a request to exit to the CAS filter for each application:

 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry.> DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]> DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] found in registry.> DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...> DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-13-TfRj1HnvAjpBjNIdaDvDMJUMXk7wffdXgB5" Version="2.0" IssueInstant="2015-02-10T12:18:18Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@ NOT_USED@ </saml:NameID><samlp:SessionIndex>ST-16-aXpUJpwO4MQ09caXZRKX-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]> DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas2]> DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas2> DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-14-BaKvuaIbwxg9Le9H3QIvWORfNSE0dxaxsCE" Version="2.0" IssueInstant="2015-02-10T12:18:20Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@ NOT_USED@ </saml:NameID><samlp:SessionIndex>ST-15-zaX6aojKs0PiggCles6J-cas01.example.org</samlp:SessionIndex></samlp:LogoutRequest>]> DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Finished sending message to http://localhost:9080/cas2> DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [http://localhost:9080/cas1]> DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org] from registry> DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org]> DEBUG [org.jasig.cas.util.SimpleHttpClient] - <Attempting to access http://localhost:9080/cas1> INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN ============================================================= WHO: audit:unknown WHAT: TGT-9-inxrphuRfIFpkbPTvNf6v1bAx7RlR7IMeMUFU0aokNCdbZ43Ij-cas01.example.org ACTION: TICKET_GRANTING_TICKET_DESTROYED APPLICATION: CAS WHEN: Tue Feb 10 12:18:20 CET 2015 CLIENT IP ADDRESS: 192.168.13.164 SERVER IP ADDRESS: 192.168.13.164 =============================================================

Now suppose I quit / cas 1, I was sent to the login page in cas-server. Without a login again, if I access / app 2, I am allowed to navigate this application as if I was still authenticated and I can access its java.user.Principal and session. How can this be possible? Should I not delete the logout request received in / app 2 for the Principal and http sections?

+5
source share
1 answer

... my fault, as expected, I missed something. I had to enable Single Sign Out Filter and Listener in both applications:

  <filter> <filter-name>CAS Single Sign Out Filter</filter-name> <filter-class>org.jasig.cas.client.session.SingleSignOutFilter </filter-class> </filter> <filter-mapping> <filter-name>CAS Single Sign Out Filter</filter-name> <url-pattern>/*</url-pattern></filter-mapping> <listener> <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class> </listener> <filter> <filter-name>CAS Authentication Filter</filter-name> <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> <init-param> <param-name>casServerLoginUrl</param-name> <param-value>https://cas-server-host:8443/cas/login</param-value> </init-param> <init-param> <param-name>service</param-name> <param-value>http://localhost:9080/cas1</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>CAS Validation Filter</filter-name> <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> <init-param> <param-name>casServerUrlPrefix</param-name> <param-value>https://cas-server-host:8443/cas/</param-value> </init-param> <init-param> <param-name>service</param-name> <param-value>http://localhost:9080/cas1</param-value> </init-param> </filter> <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> </filter> <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
+5
source

Source: https://habr.com/ru/post/1213041/

More articles:


All Articles