CAS TGC cookie deletion

  • #1

    Hi,

    We are successfully able to log out of the application and we redirect the URL to the CAS login page. But we are not able to delete the CASTGC cookie that is set by CAS, due to which the user is not able to end the session.

    I have been trying a lot of methods and have referred to a lot of websites for a solution. We tried deleting the cookie using JavaScript in the JSP, but it was futile. Then we learnt that it has to be done programmatically. One option we learnt of was using the CAS Single Sign Out Filter in the CAS server.

    I am a newbie in CAS and its implementations.

    Can someone help me successfully eradicate this CAS TGC cookie from the client end?

    Also, I understand that there are some drawbacks with this Single Sign Out Filter. We need this to be closed as fast as possible.

    People who have been successful in implementing the same and have successfully erased the cookie, please guide me step by step.

    Many Thanks,
    Mckenzie

  • #2
    Hi,

    The CAS server is responsible for creating and deleting the CASTGC cookie.

    The CASTGC cookie is deleted at CAS logout, which means that the SSO session ends.

    You can ask the CAS server for logout by calling the https://mycasserver/cas/logout URL.

    Take a look at the documentation to understand the difference between the application logout and the CAS server logout: http://static.springsource.org/sprin...rence/cas.html, part "22.3.2 Single Logout".

    Best regards,
    Jérôme

    • #3
      Thanks a lot Jerome.

      I would like to get some more help from you in this regard, as I am facing some issues in implementing the logic explained in the shared link.

      Let me illustrate my current logic; maybe you can guide me the right way to get the functionality working. Below is my logout config in Spring:

      <!-- Single Logout Filter configuration -->
      <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
          <!-- URL redirected to after logout success -->
          <constructor-arg value="https://CASURL/cas-server-webapp-3.5.1/logout?url=https://appURL/"/>
          <constructor-arg>
              <list>
                  <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
                  <bean class="com.blah.blah.sso.logout.CustomLogoutHandler">
                      <property name="eventDispatcher" ref="xxxEventDispatcher"/>
                      <property name="authenticationProvider" ref="authenticationProvider"/>
                  </bean>
              </list>
          </constructor-arg>
      </bean>

      My application is invoking the LogoutFilter using /j_spring_security_logout. The CustomLogoutHandler as of now does the following:
      1) invalidates the session using the SecurityContextLogoutHandler, invokes the logout handler of my application and clears authentication.

      2) the constructor arg is used on completion of the above, which successfully redirects to the URL parameter. But the CASTGC is not cleared.

      I have now understood that there is one more invocation of the SingleLogoutFilter, which will log out from CAS using the j_spring_cas_security_logout link; this needs to be configured in a page after the application logout and before the CAS logout URL is called.

      How do I modify my Spring config now so that I can accommodate one more URL? Also, I am not able to understand the positioning concept of filters in the documentation.

      Kindly guide me.

      Thanks,
      Mckenzie

      • #4
        Hi,

        I admit that all these logouts may seem confusing.

        You have the regular logout for your application, handled by the /j_spring_security_logout URL: it kills your own application session. It's configured through a <security:logout> tag.

        But, as you use a CAS server, someone can request to log out from SSO (someone not using your application), which means from all the applications. It means that your application needs to be able to understand and receive the logout calls from the CAS server; this is done by the singleLogoutFilter (before CAS_FILTER) and the org.jasig.cas.client.session.SingleSignOutHttpSessionListener listener.

        You may also want to request SSO logout (instead of, or in addition to, your application logout) from your own application; this can be done with the requestSingleLogoutFilter, which creates a URL, /j_spring_cas_security_logout, to trigger CAS logout.
        I think we can get rid of this last url by calling directly /cas/logout.

        Hope it gets clearer.

        Best regards,
        Jérôme

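The three logouts Jérôme distinguishes above, as an added example (Python, not code from the thread, CAS or the Jasig client): a small model of what the client-side single sign-out filter does. At ticket validation it records which HTTP session a service ticket created; when the CAS server later POSTs a logoutRequest naming that ticket, it ends that session, while a plain application logout (/j_spring_security_logout) touches only the local session. Service URLs, ticket strings and session ids are made up; the logoutRequest layout follows the SAML-style message CAS 3.x sends as the `logoutRequest` form parameter. Nothing in this exchange handles the CASTGC cookie: that cookie lives in the browser for the CAS server's host and is only expired by the /cas/logout response itself.

```python
"""Model of CAS single sign-out as seen from one CAS-protected application.
Added example, not code from the thread, CAS or the Jasig client. Service URLs,
ticket strings and session ids are made up; the logoutRequest layout follows the
SAML-style message CAS 3.x POSTs to each service as the 'logoutRequest' parameter.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="{id}" Version="2.0" IssueInstant="{issued}">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>{ticket}</samlp:SessionIndex>
</samlp:LogoutRequest>"""
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

class Application:
    """One app: its live sessions plus the ST -> session map the filter keeps."""

    def __init__(self, service_url: str) -> None:
        self.service_url = service_url
        self.sessions: Dict[str, str] = {}           # session id -> user
        self.ticket_to_session: Dict[str, str] = {}  # recorded at validation

    def on_ticket_validated(self, ticket: str, session_id: str, user: str) -> None:
        """After /serviceValidate succeeds: log the user in, remember the ST."""
        self.sessions[session_id] = user
        self.ticket_to_session[ticket] = session_id

    def local_logout(self, session_id: str) -> None:
        """What /j_spring_security_logout does: only this app's session ends."""
        self.sessions.pop(session_id, None)

    def on_logout_request(self, post_params: Dict[str, str]) -> Optional[str]:
        """The filter's back-channel half: end the session the named ticket
        created. Returns the id of a session it actually ended, else None."""
        body = post_params.get("logoutRequest")
        if not body:
            return None
        index = ET.fromstring(body).find("samlp:SessionIndex", NS)
        if index is None or not index.text:
            return None
        session_id = self.ticket_to_session.pop(index.text.strip(), None)
        if session_id is None or session_id not in self.sessions:
            return None
        del self.sessions[session_id]
        return session_id

class CasServer:
    """Enough of the server to issue tickets and fan out logout requests."""

    def __init__(self) -> None:
        self.tgts: Dict[str, str] = {}                               # TGT -> user
        self.issued: Dict[str, List[Tuple[Application, str]]] = {}  # TGT -> (app, ST)
        self.counter = 0

    def login(self, user: str) -> str:
        self.counter += 1
        tgt = f"TGT-{self.counter}-{user}"
        self.tgts[tgt], self.issued[tgt] = user, []
        return tgt

    def service_ticket(self, tgt: str, app: Application, session_id: str) -> str:
        """Issue an ST for app and have app validate it, as the client filter does."""
        self.counter += 1
        st = f"ST-{self.counter}"
        self.issued[tgt].append((app, st))
        app.on_ticket_validated(st, session_id, self.tgts[tgt])
        return st

    def logout(self, tgt: str) -> List[str]:
        """/cas/logout: destroy the TGT, then POST a logoutRequest to every
        service that validated a ticket under it. Returns 'service:session' ended."""
        if self.tgts.pop(tgt, None) is None:
            return []
        ended = []
        for app, st in self.issued.pop(tgt, []):
            self.counter += 1
            body = LOGOUT_REQUEST.format(id=f"LR-{self.counter}",
                                         issued="1970-01-01T00:00:00Z", ticket=st)
            session_id = app.on_logout_request({"logoutRequest": body})
            if session_id:
                ended.append(f"{app.service_url}:{session_id}")
        return ended

def scenario() -> Dict[str, List[str]]:
    """Two apps share one SSO session; app1 logs out locally, then SSO logout."""
    cas = CasServer()
    app1 = Application("https://app1.example.test")
    app2 = Application("https://app2.example.test")
    tgt = cas.login("alice")
    cas.service_ticket(tgt, app1, "JSESSIONID-app1")
    cas.service_ticket(tgt, app2, "JSESSIONID-app2")
    app1.local_logout("JSESSIONID-app1")          # app2 is untouched by this
    after_local = sorted(app1.sessions) + sorted(app2.sessions)
    ended = cas.logout(tgt)                       # reaches app2 over the back channel
    return {"after_local_logout": after_local, "ended_by_slo": ended,
            "left": sorted(app1.sessions) + sorted(app2.sessions)}
```

scenario() walks two applications through one shared SSO session: app1's local logout leaves app2 logged in, and the later /cas/logout reaches app2 over the back channel and ends its session. That is the behaviour the single sign-out filter provides, and it is keyed on the service ticket, which is why reading the filter's source shows no cookie handling.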
        • #5
          Hi Jerome,

          Thanks for the quick response. If you look at the Spring config I shared, you can see that I am doing exactly the same:
          1) calling j_spring_security_logout, which invalidates the application session and also clears the security context.

          2) On success, we are directly calling /cas/logout (please see the constructor arg for LogoutFilter), to which we have appended the url param for where the user has to be finally sent.


          What I can see is that the TGT for the session in CAS is getting destroyed, but we can see the CASTGC cookie still sits in the browser. There is also no trail in the logs of the cookie being destroyed or expired.

          I understand from your above reply that we need to somehow incorporate /j_spring_cas_security_logout, which will invoke the Single Sign Out Filter, which I believe will expire/remove the cookie. But my requirement is that it has to be in addition to my already configured j_spring_security_logout.

          Some help in this direction will be helpful.

          Thanks,
          Mckenzie

          • #6
            Hi,

            Are you sure that /cas/logout is called? If so, the CASTGC cookie should be destroyed.
            How do you see that the TGT for the session in CAS is getting destroyed?
            Thanks,
            Jérôme

            • #7
              Hi Jerome,

              I can see that the TGT is deleted from the CAS logs:
              On Login to CAS -
              WHAT: TGT-31-4Rvjv9QlhcU1HVNXCeTaheOjVynkLAA2j19sWUVf91s3bCPHY5-cas01.example.org
              ACTION: TICKET_GRANTING_TICKET_CREATED


              WHAT: ST-44-xJZz6AIIz74ucuZ2FoRw-cas01.example.org for https:/xxxx/yyy/j_spring_cas_security_check
              ACTION: SERVICE_TICKET_CREATED

              WHAT: ST-44-xJZz6AIIz74ucuZ2FoRw-cas01.example.org
              ACTION: SERVICE_TICKET_VALIDATED


              On Clicking logout which calls the cas/logout link :

              WHO: audit:unknown
              WHAT: TGT-31-4Rvjv9QlhcU1HVNXCeTaheOjVynkLAA2j19sWUVf91s3bCPHY5-cas01.example.org
              ACTION: TICKET_GRANTING_TICKET_DESTROYED
              APPLICATION: CAS

              =============================================================


              But I can see that in the browser the TGC cookie still resides, which forces me to delete the cookies or close the browser for a fresh login. Is there any way to avoid this?

              • #8
                I have tried using a JS onload function, but it still doesn't serve the purpose.

                • #9
                  Hi,

                  There's something wrong with your CAS logout. The CASTGC cookie should be removed after CAS logout.
                  Can you check the cookie removal in the HTTP response for the /cas/logout URL?
                  Thanks,
                  Jérôme

                  • #10
                    Hi Jerome,

                    Please find the HttpFox observations below:

                    00:00:01.219 0.162 538 3268 GET 200 text/html https://CASURL/cas-server-webapp-3.5.1/logout

                    Cookie sent (Name / Value / Path / Domain / Expires):
                    CASTGC TGT-4-93UQYHDquId4hgBtqvvNbbDOU1cAFtstbsFUGCf4Mj6YMHQvG6-cas01.example.org /cas-server-webapp-3.5.1 casserver:8443 End Of Session

                    Cookies received (Name / Value / Path / Domain / Expires):
                    CASTGC TGT-4-93UQYHDquId4hgBtqvvNbbDOU1cAFtstbsFUGCf4Mj6YMHQvG6-cas01.example.org /cas-server-webapp-3.5.1 casserver:8443 End Of Session
                    CASTGC "" /cas-server-webapp-3.5.1/ casserver:8443 Thu, 01-Jan-1970 00:00:10 GMT
                    CASPRIVACY "" /cas-server-webapp-3.5.1/ casserver:8443 Thu, 01-Jan-1970 00:00:10 GMT



                    From the observations I can see that CASTGC and CASPRIVACY are expired on reception. But the cookie manager shows me that CASTGC is still present for the CAS server domain.

                    P.S. We have not yet implemented the SingleSignOut filter. Is it because of that? I went through the source code of the SingleSignOut filter; I could not find anything related to cookies...

                    Provide your valuable inputs please.

                    Thanks,
                    Mckenzie

                    • #11
                      Hi,

                      Very strange !
                      The CASTGC cookie is deleted and set at the same time. It has nothing to do with the SingleSignOut filter, which is on the client side.

                      Your CAS server should destroy the cookie and not set it ! Do you have any specific customization on CAS server side ?

                      I don't see any other option than activating DEBUG logs on org.jasig.cas on CAS server side. Please post these logs.

                      Thanks,
                      Jérôme

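The HttpFox listing in #10 and Jérôme's reading of it in #11, replayed as an added example (Python; not code from the thread, Spring Security or CAS): a minimal RFC 6265 cookie store fed the Set-Cookie lines in the order HttpFox listed them. A browser keys each cookie by name, domain and path, drops it only when a Set-Cookie with a past expiry hits exactly that key, and puts it straight back when a later Set-Cookie gives the same key a live value. The header strings are constructed from the listing (same cookie names, host, paths, expiry date and TGT value); the login response and the corrected LOGOUT_FIXED response are assumptions. In the listing the stored cookie's path is /cas-server-webapp-3.5.1 while the expiring one's ends in a trailing slash; whether HttpFox merely displays them differently or the server really sent different paths, the example keys on the exact path, as a browser does, and separately flags the live re-set Jérôme points out.

```python
"""Replay /cas/logout Set-Cookie lines against a minimal RFC 6265 cookie store.
Added example, not code from the thread, Spring Security or CAS. Header strings
are constructed from the HttpFox listing in the thread (same cookie names, host,
paths, expiry date and TGT value); Secure/HttpOnly, which HttpFox did not show,
do not change which stored cookie a Set-Cookie replaces or expires.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

HOST = "casserver"                  # cookies ignore the :8443 port
LOGIN_PATH = "/cas-server-webapp-3.5.1/login"
LOGOUT_PATH = "/cas-server-webapp-3.5.1/logout"
TGT = "TGT-4-93UQYHDquId4hgBtqvvNbbDOU1cAFtstbsFUGCf4Mj6YMHQvG6-cas01.example.org"
EPOCH = "Thu, 01-Jan-1970 00:00:10 GMT"

# Login response (assumed): CASTGC as HttpFox showed it being sent back.
LOGIN_RESPONSE = [f"CASTGC={TGT}; Path=/cas-server-webapp-3.5.1"]
# Logout response, in the order HttpFox listed the cookies received.
LOGOUT_AS_OBSERVED = [
    f"CASTGC={TGT}; Path=/cas-server-webapp-3.5.1",
    f'CASTGC=""; Path=/cas-server-webapp-3.5.1/; Expires={EPOCH}',
    f'CASPRIVACY=""; Path=/cas-server-webapp-3.5.1/; Expires={EPOCH}',
]
# A logout response a browser honours (assumed): no live re-set, exact path.
LOGOUT_FIXED = [
    f'CASTGC=""; Path=/cas-server-webapp-3.5.1; Expires={EPOCH}',
    f'CASPRIVACY=""; Path=/cas-server-webapp-3.5.1; Expires={EPOCH}',
]
Key = Tuple[str, str, str]          # (name, domain, path): how a browser keys cookies

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: Optional[datetime]     # None: session cookie ("End Of Session")

    def key(self) -> Key:
        return (self.name, self.domain, self.path)

def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: the request path up to, not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def parse_set_cookie(header: str, host: str, request_path: str) -> Cookie:
    """Parse name=value, Path and Expires; the CAS lines use no Domain or Max-Age."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name.strip(), value.strip().strip('"'), host, default_path(request_path), None)
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        k, v = k.strip().lower(), v.strip()
        if k == "path" and v.startswith("/"):
            c.path = v
        elif k == "expires":
            c.expires = parsedate_to_datetime(v)
    return c

class CookieStore:
    def __init__(self) -> None:
        self.now = datetime.now(timezone.utc)
        self.cookies: Dict[Key, Cookie] = {}

    def apply(self, set_cookie_headers: List[str], request_path: str) -> None:
        for h in set_cookie_headers:
            c = parse_set_cookie(h, HOST, request_path)
            self.cookies.pop(c.key(), None)      # a same-key cookie is replaced ...
            if c.expires is None or c.expires > self.now:
                self.cookies[c.key()] = c        # ... unless the new one is already expired

    def names(self) -> List[str]:
        return sorted({c.name for c in self.cookies.values()})

def replay(logout_headers: List[str]) -> List[str]:
    """Cookie names the browser still holds for HOST after the logout response."""
    store = CookieStore()
    store.apply(LOGIN_RESPONSE, LOGIN_PATH)
    store.apply(logout_headers, LOGOUT_PATH)
    return store.names()

def diagnose(logout_headers: List[str]) -> List[Tuple[str, str]]:
    """(name, reason) per Set-Cookie that leaves a stored cookie alive: 're-set' gives
    it a live value again; 'mismatch' expires that name under another domain or path."""
    store = CookieStore()
    store.apply(LOGIN_RESPONSE, LOGIN_PATH)
    stored, names = set(store.cookies), {k[0] for k in store.cookies}
    findings = []
    for h in logout_headers:
        c = parse_set_cookie(h, HOST, LOGOUT_PATH)
        expired = c.expires is not None and c.expires <= store.now
        if c.name in names and not expired:
            findings.append((c.name, "re-set"))
        elif c.name in names and c.key() not in stored:
            findings.append((c.name, "mismatch"))
    return findings
```

replay(LOGOUT_AS_OBSERVED) leaves CASTGC in the store and diagnose(LOGOUT_AS_OBSERVED) reports both a re-set and a path mismatch; replay(LOGOUT_FIXED) leaves nothing. Either defect alone is enough to keep the cookie, and order matters too: an expiring Set-Cookie followed by a live one for the same key ends with the cookie present. To run the same check on a real capture, paste the raw Set-Cookie header values of the /cas/logout response in place of the constructed lists.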
                      • #12
                        Hi Jerome,
                        A quick iteration on the other clarification from you: can you please confirm that calling /cas/logout will be able to delete the cookie set in the browser as well?

                        Regards,
                        Mckenzie

                        • #13
                          Hi Jerome,

                          Can you guide me as to how I can register two different applications which want to use the same CAS session? Say I have a Java application (app1) and a .NET application (app2) which need to be registered with the same CAS. Assume I log into app A and authenticate myself in CAS; when I want to access app B, it must be able to provide me access without asking me to log in, and logout from any of the applications should log me out from both.

                          Where do I need to add the appropriate entries for the same? Any pointers or guidance will help me.
                          Thanks,
                          Mckenzie

                          • #14
                            Hi,

                            I confirm that the CASTGC is deleted on CAS logout.
                            Best regards,
                            Jérôme

                            • #15
                              Hi,

                              You should start a new thread for a new topic, it's easier to reply and follow.

                              I may be missing the point, but using the same CAS session across integrated applications is exactly the definition of SSO.

                              You need a Java CAS client for your Java application and the .NET CAS client for your .NET application, and both applications must be configured in the CAS services back office:
                              https://wiki.jasig.org/display/CASC/.Net+Cas+Client
                              https://wiki.jasig.org/display/CASUM...ces+Management

                              Best,
                              Jérôme
