  • SAML logout does not work.

    Hi,
    I try to log out by using
    Code:
    // sendRedirect() is a method of HttpServletResponse; HttpServletRequest has no such method
    response.sendRedirect("/myProjectName/saml/logout");
    and it redirects to the successful_logout URL (that means I logged out successfully). But when I try to log in again, the username/password seem to be remembered; it instantly redirects to the successful_login URL. I think the user should be taken to the login page. I'm not sure about this case. Please give me some ideas for this issue.

  • #2
    I have the exact same problem. My IdP is Shibboleth 2 IdP. I enabled logging of SAML protocol messages using the following in my log4j.properties file:

    Code:
    log4j.logger.org.springframework.security=debug
    log4j.logger.org.springframework.security.saml=debug
    log4j.logger.org.springframework.security.saml.metadata=info
    log4j.logger.org.opensaml=debug
    log4j.logger.PROTOCOL_MESSAGE=debug
    What is odd is that I do not see any logged SAML protocol messages when I click the Global logout link, which has the URL http://myhost:8080/myappcontext/saml/logout . I was expecting to see a LogoutRequest SAML protocol message.

    duybinh0208, can you tell me what IdP you are using, though I suspect it is not relevant?

    All I see logged in the Glassfish 3 log file is the following:

    Code:
    INFO: 19:52:20,839 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/saml/logout'; against '/saml/web/**'
    INFO: 19:52:20,840 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/saml/logout'; against '/logout.jsp'
    INFO: 19:52:20,841 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/saml/logout'; against '/login.jsp'
    INFO: 19:52:20,841 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/saml/logout'; against '/saml/login/*'
    INFO: 19:52:20,842 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/saml/logout'; against '/saml/logout/*'
    INFO: 19:52:20,842 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/saml/logout'; against '/favicon.ico'
    INFO: 19:52:20,843 DEBUG FilterChainProxy:337 - /saml/logout?local=false at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
    INFO: 19:52:20,843 DEBUG FilterChainProxy:337 - /saml/logout?local=false at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    INFO: 19:52:20,844 DEBUG HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
    INFO: 19:52:20,844 DEBUG HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
    INFO: 19:52:20,845 DEBUG FilterChainProxy:337 - /saml/logout?local=false at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
    INFO: 19:52:20,845 DEBUG LogoutFilter:93 - Logging out user 'null' and transferring to logout destination
    INFO: 19:52:20,846 DEBUG SimpleUrlLogoutSuccessHandler:107 - Using default Url: /index.jsp
    INFO: 19:52:20,846 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/omar-server/index.jsp'
    INFO: 19:52:20,847 DEBUG HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    INFO: 19:52:20,847 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
    INFO: 19:52:21,001 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/web/**'
    INFO: 19:52:21,002 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/logout.jsp'
    INFO: 19:52:21,003 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/login.jsp'
    INFO: 19:52:21,004 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/login/*'
    INFO: 19:52:21,005 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/logout/*'
    INFO: 19:52:21,006 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/favicon.ico'
    INFO: 19:52:21,007 DEBUG FilterChainProxy:337 - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
    INFO: 19:52:21,008 DEBUG FilterChainProxy:337 - /index.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    INFO: 19:52:21,009 DEBUG HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
    INFO: 19:52:21,010 DEBUG HttpSessionSecurityContextRepository:85 - No SecurityContext was available from the HttpSession: null. A new one will be created.
    INFO: 19:52:21,011 DEBUG FilterChainProxy:337 - /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
    INFO: 19:52:21,012 DEBUG FilterChainProxy:337 - /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
    INFO: 19:52:21,013 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/login/**'
    INFO: 19:52:21,014 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/logout/**'
    INFO: 19:52:21,014 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/metadata/**'
    INFO: 19:52:21,015 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/sso/**'
    INFO: 19:52:21,016 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/ssohok/**'
    INFO: 19:52:21,017 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/singlelogout/**'
    INFO: 19:52:21,018 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/saml/discovery/**'
    INFO: 19:52:21,018 DEBUG FilterChainProxy:180 - /index.jsp has no matching filters
    INFO: 19:52:21,019 DEBUG FilterChainProxy:337 - /index.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    INFO: 19:52:21,020 DEBUG FilterChainProxy:337 - /index.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    INFO: 19:52:21,021 DEBUG FilterChainProxy:337 - /index.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    INFO: 19:52:21,022 DEBUG AnonymousAuthenticationFilter:102 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@978f335f: Principal: guest; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_urn:oasis:names:tc:ebxml-regrep:SubjectRole:RegistryGuest'
    INFO: 19:52:21,023 DEBUG FilterChainProxy:337 - /index.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
    INFO: 19:52:21,024 DEBUG SessionManagementFilter:92 - Requested session ID c55444132d9e05750062a5376a97 is invalid.
    INFO: 19:52:21,025 DEBUG FilterChainProxy:337 - /index.jsp at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    INFO: 19:52:21,025 DEBUG FilterChainProxy:337 - /index.jsp at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    INFO: 19:52:21,026 DEBUG AntPathRequestMatcher:116 - Checking match of request : '/index.jsp'; against '/index.jsp'
    INFO: 19:52:21,027 DEBUG FilterSecurityInterceptor:194 - Secure object: FilterInvocation: URL: /index.jsp; Attributes: [IS_AUTHENTICATED_ANONYMOUSLY]
    INFO: 19:52:21,028 DEBUG FilterSecurityInterceptor:310 - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@978f335f: Principal: guest; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_urn:oasis:names:tc:ebxml-regrep:SubjectRole:RegistryGuest
    INFO: 19:52:21,029 DEBUG AffirmativeBased:65 - Voter: org.springframework.security.access.vote.RoleVoter@20fadea2, returned: 0
    INFO: 19:52:21,030 DEBUG AffirmativeBased:65 - Voter: [email protected]e98, returned: 1
    INFO: 19:52:21,031 DEBUG FilterSecurityInterceptor:215 - Authorization successful
    INFO: 19:52:21,034 DEBUG FilterSecurityInterceptor:227 - RunAsManager did not change Authentication object
    INFO: 19:52:21,036 DEBUG FilterChainProxy:323 - /index.jsp reached end of additional filter chain; proceeding with original chain
    INFO: index.jsp:  authentication: org.springframework.security.authentication.AnonymousAuthenticationToken@978f335f: Principal: guest; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_urn:oasis:names:tc:ebxml-regrep:SubjectRole:RegistryGuest
    INFO: index.jsp:  authentication.isAuthenticated: true
    INFO: index.jsp:  authentication.getCredentials(): 
    INFO: index.jsp:  Got credential '' of type class java.lang.String
    INFO: 19:52:21,042 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
    INFO: 19:52:21,043 DEBUG HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    INFO: 19:52:21,044 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
    What could be going wrong? Note that I have had issues in the recent past with index.jsp being incorrectly declared with security="none", which was fixed.

    Is there any other info that can shed light on this unexpected behavior? Thanks for your help.

    Also, duybinh0208, in case it is relevant (though I doubt it), what IdP are you using?
    Last edited by farrukh_najmi; Jul 29th, 2013, 07:57 PM.
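    The trace above can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Spring Security: it parses FilterChainProxy, LogoutFilter and DefaultRedirectStrategy DEBUG lines in the format shown above (a constructed, trimmed subset of the posted log is embedded as sample input) and reports, for the logout request, which filter fired last and whether the request ever reached the inner samlFilter chain. The tell-tale pattern in this thread is 'LogoutFilter' firing at position 3 and then redirecting, with the inner FilterChainProxy never fired: only a local logout ran, no SAML LogoutRequest went to the IdP, the IdP session stays alive, and the next login is silent. The grouping heuristic (a new request starts when the path changes, or when position 1 fires outside the inner chain) is an assumption of this script, not something the log format guarantees.

```python
"""Diagnose a Spring Security DEBUG trace for a logout request (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

FIRING_RE = re.compile(
    r"FilterChainProxy:\d+ - (?P<url>\S+) at position (?P<pos>\d+) of (?P<total>\d+) "
    r"in additional filter chain; firing Filter: '(?P<filter>[^']+)'"
)
LOGOUT_RE = re.compile(r"LogoutFilter:\d+ - Logging out user '(?P<user>[^']*)'")
REDIRECT_RE = re.compile(r"DefaultRedirectStrategy:\d+ - Redirecting to '(?P<target>[^']+)'")
NOMATCH_RE = re.compile(r"FilterChainProxy:\d+ - \S+ has no matching filters")

# Constructed sample input: a trimmed subset of the trace posted in this thread.
SAMPLE_LOG = """\
INFO: 19:52:20,843 DEBUG FilterChainProxy:337 - /saml/logout?local=false at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
INFO: 19:52:20,843 DEBUG FilterChainProxy:337 - /saml/logout?local=false at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO: 19:52:20,845 DEBUG FilterChainProxy:337 - /saml/logout?local=false at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
INFO: 19:52:20,845 DEBUG LogoutFilter:93 - Logging out user 'null' and transferring to logout destination
INFO: 19:52:20,846 DEBUG DefaultRedirectStrategy:36 - Redirecting to '/omar-server/index.jsp'
INFO: 19:52:21,007 DEBUG FilterChainProxy:337 - /index.jsp at position 1 of 10 in additional filter chain; firing Filter: 'MetadataGeneratorFilter'
INFO: 19:52:21,011 DEBUG FilterChainProxy:337 - /index.jsp at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
INFO: 19:52:21,012 DEBUG FilterChainProxy:337 - /index.jsp at position 4 of 10 in additional filter chain; firing Filter: 'FilterChainProxy'
INFO: 19:52:21,018 DEBUG FilterChainProxy:180 - /index.jsp has no matching filters
"""


@dataclass
class RequestTrace:
    path: str
    chain_length: int
    filters: list = field(default_factory=list)
    logged_out_user: Optional[str] = None
    redirect: Optional[str] = None
    saml_chain_matched: Optional[bool] = None  # None: inner chain never consulted


def parse_trace(log: str) -> list:
    """Split the DEBUG output into one RequestTrace per request (heuristic grouping)."""
    traces, current = [], None
    for line in log.splitlines():
        m = FIRING_RE.search(line)
        if m:
            path = m.group("url").split("?", 1)[0]
            # The samlFilter bean is itself a FilterChainProxy, so its inner chain logs
            # "position 1 of N" for the same path; do not treat that as a new request.
            inner = current is not None and current.filters and current.filters[-1] == "FilterChainProxy"
            if current is None or path != current.path or (m.group("pos") == "1" and not inner):
                current = RequestTrace(path=path, chain_length=int(m.group("total")))
                traces.append(current)
            current.filters.append(m.group("filter"))
            if m.group("filter") == "FilterChainProxy":
                current.saml_chain_matched = True  # revised below if nothing matched
            continue
        if current is None:
            continue
        m = LOGOUT_RE.search(line)
        if m:
            current.logged_out_user = m.group("user")
            continue
        m = REDIRECT_RE.search(line)
        if m:
            current.redirect = m.group("target")
            continue
        if NOMATCH_RE.search(line):
            current.saml_chain_matched = False
    return traces


def diagnose_logout(traces: list, logout_path: str = "/saml/logout") -> dict:
    """Explain what happened to the logout request."""
    for t in traces:
        if t.path != logout_path:
            continue
        last = t.filters[-1] if t.filters else None
        reached_saml = "FilterChainProxy" in t.filters
        verdict = ("request reached the SAML filter chain" if reached_saml else
                   "local logout only: the standard LogoutFilter short-circuited the chain, "
                   "no SAML LogoutRequest was sent to the IdP")
        return {"path": t.path, "filters_fired": len(t.filters), "chain_length": t.chain_length,
                "last_filter": last, "reached_saml_chain": reached_saml,
                "saml_chain_matched": t.saml_chain_matched,
                "logged_out_user": t.logged_out_user, "redirect": t.redirect, "verdict": verdict}
    return {"path": logout_path, "verdict": "no request for this path in the trace"}


if __name__ == "__main__":
    for key, value in diagnose_logout(parse_trace(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

    Run it against the full DEBUG output of one logout click; a healthy single logout shows the inner FilterChainProxy firing for /saml/logout and a SAML protocol message logged right after, whereas "last_filter: LogoutFilter" with "reached_saml_chain: False" is exactly the symptom reported in this thread.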



    • #3
      It appears from debugging the problem that after the LogoutFilter is called, the URL for the request changes from "/saml/logout" to "/index.jsp" for some reason. This causes the FilterChainProxy to not match the SAMLLogoutFilter, resulting in the behavior being seen.


      My configuration is based on the spring-security-saml2-sample sample. Here are the relevant portions:

      Code:
          <!-- Unsecured pages -->
          <security:http security="none" pattern="/saml/web/**"/>
          <security:http security="none" pattern="/logout.jsp"/>
          <security:http security="none" pattern="/login.jsp"/>
          <security:http security="none" pattern="/favicon.ico"/>
      
          <!-- Secured pages -->
          <security:http entry-point-ref="samlEntryPoint">      
              <security:intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
              <security:intercept-url pattern="/rest/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
              <security:intercept-url pattern="/query/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
              <security:intercept-url pattern="/lcm/**" access="IS_AUTHENTICATED_FULLY"/>
              <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
              <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
              <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
              <security:logout logout-url="/saml/logout" logout-success-url="/index.jsp"/>
              <security:anonymous username="guest" granted-authority="ROLE_urn:oasis:names:tc:ebxml-regrep:SubjectRole:RegistryGuest"/>        
          </security:http>
      
          <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
              <security:filter-chain-map request-matcher="ant">
                  <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
                  <security:filter-chain pattern="/saml/logout" filters="samlLogoutFilter"/>
                  <security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
                  <security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
                  <security:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/>
                  <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
                  <security:filter-chain pattern="/saml/discovery/**" filters="samlIDPDiscovery"/>
              </security:filter-chain-map>
          </bean>
      
          <!-- Handler deciding where to redirect user after successful login -->
          <bean id="successRedirectHandler"
                class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
              <property name="defaultTargetUrl" value="/"/>
          </bean>
          <!--
          Use the following for interpreting RelayState coming from unsolicited response as redirect URL:
          <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
             <property name="defaultTargetUrl" value="/" />
          </bean>
          -->
      
          <!-- Handler for successful logout -->
          <bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
              <property name="defaultTargetUrl" value="/logout.jsp"/>
          </bean>
      What am I doing wrong? Vladi, I would be grateful if you can help. Thanks.



      • #4
        I finally figured it out. I was specifying the <security:logout .../> sub-element within the <security:http> element. This was causing the LogoutFilter to be run and then changing the request context to logout-success-url="/index.jsp".

        After removing this, the SAMLLogoutFilter is invoked and all is working with the single logout protocol.
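        This mistake can be caught in the configuration itself before deployment. Below is an added example, not code from this thread or from the spring-security-saml2-sample: a small linter that parses a Spring Security XML context, collects the Ant patterns of every custom FilterChainProxy filter-chain-map, and flags a <security:logout> whose logout-url those patterns also match, because the standard LogoutFilter sits earlier in the filter chain and so shadows the SAML logout filter (the situation in #3). It also returns the context with the shadowing element removed, which is the fix described in #4. The embedded configuration is a constructed, trimmed version of the one posted in #3 wrapped in a beans root; the namespace URIs are Spring's real ones, the default logout-url "/j_spring_security_logout" is Spring Security 3.x's, and the Ant matcher is a simplified translation assumed adequate for patterns of this shape.

```python
"""Lint a Spring Security XML context for a <security:logout> that shadows a
custom logout filter chain (added example)."""
import re
import xml.etree.ElementTree as ET

BEANS_URI = "http://www.springframework.org/schema/beans"
SEC_URI = "http://www.springframework.org/schema/security"
BEANS, SEC = "{%s}" % BEANS_URI, "{%s}" % SEC_URI
ET.register_namespace("", BEANS_URI)          # keep prefixes stable when re-serialising
ET.register_namespace("security", SEC_URI)

# Constructed sample: trimmed from the configuration posted in #3 of this thread.
CONFIG_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
    <security:http entry-point-ref="samlEntryPoint">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
        <security:logout logout-url="/saml/logout" logout-success-url="/index.jsp"/>
    </security:http>
    <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
            <security:filter-chain pattern="/saml/logout" filters="samlLogoutFilter"/>
            <security:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/>
        </security:filter-chain-map>
    </bean>
</beans>
"""

DEFAULT_LOGOUT_URL = "/j_spring_security_logout"  # Spring Security 3.x default for <logout>


def ant_to_regex(pattern: str):
    """Translate an Ant-style path pattern (request-matcher="ant") into a regex.
    ** spans path segments, * and ? stay within one segment, and a trailing /** also
    matches the bare prefix. Simplified, assumed adequate for patterns like these."""
    suffix = "$"
    if pattern.endswith("/**"):
        pattern, suffix = pattern[:-3], "(/.*)?$"
    body, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            body, i = body + ".*", i + 2
        elif pattern[i] == "*":
            body, i = body + "[^/]*", i + 1
        elif pattern[i] == "?":
            body, i = body + "[^/]", i + 1
        else:
            body, i = body + re.escape(pattern[i]), i + 1
    return re.compile("^" + body + suffix)


def find_logout_shadowing(xml_text: str) -> list:
    """Return one finding per <security:logout> whose logout-url is also routed by a
    custom FilterChainProxy chain; the standard LogoutFilter would handle it first."""
    root = ET.fromstring(xml_text)
    chains = []  # (bean id, ant pattern, filters attribute)
    for bean in root.iter(BEANS + "bean"):
        if bean.get("class") != "org.springframework.security.web.FilterChainProxy":
            continue
        for fc in bean.iter(SEC + "filter-chain"):
            chains.append((bean.get("id"), fc.get("pattern"), fc.get("filters")))
    findings = []
    for http in root.iter(SEC + "http"):
        for logout in http.findall(SEC + "logout"):
            url = logout.get("logout-url", DEFAULT_LOGOUT_URL)
            for bean_id, pattern, filters in chains:
                if ant_to_regex(pattern).match(url):
                    findings.append({"logout_url": url, "bean": bean_id,
                                     "pattern": pattern, "shadowed_filters": filters})
    return findings


def remove_shadowing_logout(xml_text: str) -> str:
    """Return the context with every shadowing <security:logout> removed, so the URL
    falls through to the custom chain (here samlLogoutFilter), as done in #4."""
    shadowed = {f["logout_url"] for f in find_logout_shadowing(xml_text)}
    root = ET.fromstring(xml_text)
    for http in root.iter(SEC + "http"):
        for logout in list(http.findall(SEC + "logout")):
            if logout.get("logout-url", DEFAULT_LOGOUT_URL) in shadowed:
                http.remove(logout)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_logout_shadowing(CONFIG_XML):
        print("logout-url %(logout_url)s shadows %(shadowed_filters)s "
              "(bean %(bean)s, pattern %(pattern)s)" % f)
    print(remove_shadowing_logout(CONFIG_XML))
```

        Point it at the real securityContext.xml; the only intended change is dropping the <security:logout> element, and the samlLogoutFilter wired in the filter-chain-map then performs both the local logout and the SAML single logout with the IdP.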
