  • Still logged in after logout

    I am struggling to successfully log off from my application, unless I log fully off from the CAS server.
    After attempting to log off from my app I can still see all pages. It is not until I go to https://localhost:8443/casldap/logout that the pages are secured.

    I am using spring-security-2.0.4, cas-client-3.1.3 and authenticating against a CAS server at 3.3

    I login successfully to CAS. To logout I go to
    http://localhost:7070/dfweb/j_spring_security_logout
    or
    http://localhost:7070/dfweb/logout.htm

    This hits the LogoutController and then I am presented with the expected page which provides me with a link for Single Sign off: https://localhost:8443/casldap/logout

    I have expanded my LogoutController with various gumpf all to no avail:
    Code:
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import org.springframework.security.context.SecurityContext;
    import org.springframework.security.context.SecurityContextHolder;
    import org.springframework.security.ui.rememberme.TokenBasedRememberMeServices;
    import org.springframework.web.servlet.ModelAndView;
    import org.springframework.web.servlet.mvc.AbstractController;

    public class LogoutController extends AbstractController
    {
      protected ModelAndView handleRequestInternal(HttpServletRequest aRequest,
          HttpServletResponse aResponse) throws Exception
      {
        // Expire the remember-me cookie, if one was issued
        Cookie terminate = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, null);
        terminate.setMaxAge(0);
        aResponse.addCookie(terminate);

        // Drop the authentication from the thread-local security context
        SecurityContext securityContext = SecurityContextHolder.getContext();
        securityContext.setAuthentication(null);

        // Invalidate the HTTP session so the stored security context is gone too
        HttpSession session = aRequest.getSession(false);
        if (session != null)
        {
            session.invalidate();
            //session.setMaxInactiveInterval(0);
        }
        SecurityContextHolder.clearContext();
        return new ModelAndView("logout");
      }
    }
    My security.xml is:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:sec="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
    
        <sec:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="true">
            <sec:intercept-url pattern="/dwr/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <sec:intercept-url pattern="/dfweb/**" access="ROLE_CLERK_BILLIN,ROLE_SYSADMIN" />
            <sec:intercept-url pattern="/**" access="ROLE_CLERK_BILLIN,ROLE_SYSADMIN" />
            <sec:logout logout-success-url="/logout.htm" invalidate-session="true"/>
        </sec:http>
    
        <sec:authentication-manager alias="authenticationManager"/>
    
        <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
            <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationFailureUrl" value="/logout.htm"/>
            <property name="defaultTargetUrl" value="/"/>
            <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        </bean>
    
        <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
            <property name="loginUrl" value="https://localhost:8443/casldap/login"/>
            <property name="serviceProperties" ref="serviceProperties"/>
        </bean>
    
        <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
            <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="authenticationService" />
            <property name="serviceProperties" ref="serviceProperties" />
            <property name="ticketValidator">
              <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://localhost:8443/casldap" />
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
                <!--
                <property name="proxyCallbackUrl" value="https://localhost:8443/dfweb/receptor" />
                 -->
                </bean>
            </property>
            <property name="key" value="an_id_for_this_auth_provider_only"/>
        </bean>
    
        <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
    
        <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
            <property name="service" value="https://localhost:8443/dfweb/j_spring_cas_security_check"/>
            <property name="sendRenew" value="false"/>
        </bean>
    
        <bean id="authenticationService" class="uk.co.formfill.dfcommon.service.AuthenticationServiceImpl">
          <constructor-arg ref="userDao" />
       </bean>
    
        <bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
          <property name="userPropertyToUse" value="getUsername" />
       </bean>
    
       <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
    </beans>
    my web.xml is:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd,
       http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    
      <!--  Spring Context Loaders -->
      <listener>
        <listener-class>
          org.springframework.web.context.ContextLoaderListener
        </listener-class>
      </listener>
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
          /WEB-INF/dfweb-security.xml,classpath:config/dfcommon-services.xml,classpath:config/dfcommon-db.xml,classpath:config/dfcommon-dao.xml,/WEB-INF/dfweb-dwr-beans.xml
        </param-value>
      </context-param>
    
      <!-- Spring Security -->
    
    
      <filter>
         <filter-name>CAS Single Sign Out Filter</filter-name>
         <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
      </filter>
    
      <filter-mapping>
         <filter-name>CAS Single Sign Out Filter</filter-name>
         <url-pattern>/*</url-pattern>
      </filter-mapping>
    
      <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
      </listener>
    
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    
      <!--  Spring Dispatcher Servlet -->
      <servlet>
        <servlet-name>dfweb</servlet-name>
        <servlet-class>
          org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>dfweb</servlet-name>
        <url-pattern>/j_acegi_cas_security_check</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>dfweb</servlet-name>
        <url-pattern>*.htm</url-pattern>
      </servlet-mapping>
    
      <!-- DWR Servlet -->
      <servlet>
        <servlet-name>dwr-servlet</servlet-name>
        <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
        <init-param>
           <param-name>debug</param-name>
           <param-value>true</param-value>
        </init-param>
      </servlet>
      <servlet-mapping>
         <servlet-name>dwr-servlet</servlet-name>
         <url-pattern>/dwr/*</url-pattern>
      </servlet-mapping>
    
      <!-- Welcome File List -->
      <welcome-file-list>
        <welcome-file>index.htm</welcome-file>
      </welcome-file-list>
    
      <!-- JSTL tag libraries -->
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/c-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/core_rt</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/c-1_0-rt.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/fmt</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/fmt-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/fmt_rt</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/fmt-1_0-rt.tld
        </taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/fn</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/fn.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/sql</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/sql-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/sql_rt</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/sql-1_0-rt.tld
        </taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/xml</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/x-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/xml_rt</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/x-1_0-rt.tld</taglib-location>
      </taglib>
      <!-- Tiles Tag Libraries -->
      <taglib>
        <taglib-uri>/tags/struts-tiles</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/struts-tiles.tld
        </taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>/tags/struts-tiles-el</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/struts-tiles-el.tld
        </taglib-location>
      </taglib>
      <!-- Spring Tag Library -->
      <taglib>
        <taglib-uri>/tags/spring</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/spring.tld</taglib-location>
      </taglib>
    
    
    </web-app>

  • #2
    Isn't that just what you would expect - CAS is a single sign-on solution, so until you logout of CAS you will be able to access everything?

    Presumably you have a new session when you re-enter the application?



    • #3
      I do indeed have a new session Luke.

      I think my problem is that I was going down a route and I had forgotten the destination.

      Is there a way for an individual application to sign out completely from CAS so accessing that again requires log in to CAS again?



      • #4
        Applications don't really sign out of CAS, users do - so the recommended pattern on logging out of an application is to inform the user that they may still be logged into the SSO system and offer them the CAS logout URL to logout fully. You'll find more on this on the CAS site.



        • #5
          Sorry that is my dyslexia. I meant user when I said an individual application to sign out.

          Yep I have already done that. Thanks.



          • #6
            Using the org.jasig.cas.client.session.SingleSignOutFilter which listens on /j_spring_security_logout, it should be possible to singleSignOut.
            [EDIT]
            The SingleSignOutFilter is only responsible for logout request reception from your CAS server (e.g. to invalidate the session).

            By using your own (additional) logout filter, which redirects the user to the CAS server's /logout URL, it should be possible to initiate a singleSignOut.
            If you provide your app's service URL as a parameter, the user has the chance to be redirected back to where he was in your application if he decides to re-login.
            Last edited by robertoschwald; Nov 24th, 2008, 11:18 AM.

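As an added example of the pattern described in #4 and #6 (this is not code from the thread, from Spring Security or from the CAS client): a servlet filter that performs the application's local logout and then sends the browser to the CAS server's logout URL, passing the application's service URL so the user can come back and re-authenticate. The reason the original LogoutController alone is not enough is that invalidating the local session leaves the CAS ticket-granting cookie in the browser, so the next protected request silently obtains a fresh service ticket and the user appears "still logged in"; only a redirect to the CAS logout ends the SSO session. Assumptions: the package and class names are hypothetical, the URLs are the ones from the thread, and whether the CAS server follows the `service` parameter as a redirect or merely shows it as a link depends on the server's logout configuration.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.context.SecurityContextHolder;

/**
 * Added example, not part of the thread: the "additional logout filter" from #6.
 * Map it in web.xml on /* BEFORE springSecurityFilterChain so it sees the
 * logout request first; filter-mapping order in web.xml is the chain order.
 */
public class CasLogoutRedirectFilter implements Filter {

    // Values taken from the thread's configuration
    private static final String CAS_LOGOUT_URL = "https://localhost:8443/casldap/logout";
    private static final String SERVICE_URL = "https://localhost:8443/dfweb/j_spring_cas_security_check";
    // Path (relative to the context) that triggers the logout
    private static final String LOGOUT_PATH = "/j_spring_security_logout";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isLogoutRequest(request)) {
            chain.doFilter(req, res);
            return;
        }

        // Step 1: local logout. Invalidating the session removes the stored
        // SecurityContext; clearing the holder removes the thread-local copy.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        SecurityContextHolder.clearContext();

        // Step 2: end the SSO session at CAS. Without this the TGT cookie
        // survives and the next protected request re-authenticates silently.
        response.sendRedirect(buildCasLogoutUrl(CAS_LOGOUT_URL, SERVICE_URL));
    }

    /** True when the request targets the logout path of this web application. */
    static boolean isLogoutRequest(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int query = path.indexOf('?');
        if (query >= 0) {
            path = path.substring(0, query);
        }
        return LOGOUT_PATH.equals(path);
    }

    /** Builds e.g. https://cas/logout?service=https%3A%2F%2Fapp%2F..., URL-encoding the service. */
    static String buildCasLogoutUrl(String casLogoutUrl, String serviceUrl)
            throws UnsupportedEncodingException {
        return casLogoutUrl + "?service=" + URLEncoder.encode(serviceUrl, "UTF-8");
    }
}
```

The filter deliberately does the local invalidation itself rather than relying on Spring Security's LogoutFilter, because it short-circuits the chain on the logout path and the redirect must happen after the local session is gone. The SingleSignOutFilter from the thread's web.xml covers the other direction: when the user logs out at CAS, the server posts a back-channel logout request and that filter invalidates the matching session, so both halves together give a consistent logout state.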