stackoom
  简体   繁体   中英

JASIG CAS: single sign out not working

 原文  2011-05-25 13:50:58       spring/ jsp/ java-ee/ single-sign-on/ cas

Question

I have single sign on working beautifully, but single sign-out is not working.

The scenario is like this:

  1. Open webapp1 and get redirected to CAS login page
  2. Enter details and login
  3. Open webapp2 which also uses CAS. Automatically logs in, as the user already signed in.
  4. Log out of webapp1
  5. Try to open webapp1 or webapp2 (in another tab) redirects you back to the login page.
  6. However, the session to webapp2 in step 3 is not closed and the user can still use the application without any problems. How do I automatically invalidate the session when the user signs out?

The log off button for both applications first call session.invalidate() and then redirects to https://localhost:8443/cas/logout

The single sign out filter is the first filter in the web.xml file. I also have the SingleSignOutHttpSessionListener in web.xml.

Following is the extract from my web.xml

<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params. 
    CAS Authentication Filter and CAS Validation Filter need a serverName init-param 
    in lieu of a context-param definition. -->
<context-param>
    <param-name>serverName</param-name>
    <param-value>https://localhost:8443</param-value>
</context-param>

  <!-- Facilitates CAS single sign-out -->
  <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!--
  CAS client filters
  Single sign-out filter MUST come first since it needs to be evaluated
  before other filters.
  -->
  <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!--
        IMPORTANT:
        Use Saml11AuthenticationFilter for version 3.1.12 and later.
        Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
        versions.
        -->
        <filter-class>
              org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
              <param-name>casServerLoginUrl</param-name>
              <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
        <init-param>
        <param-name>service</param-name>
        <param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
    </init-param>
  </filter>

  <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
        <init-param>
              <param-name>casServerUrlPrefix</param-name>
              <param-value>https://localhost:8443/cas</param-value>
        </init-param>
        <init-param>
              <param-name>redirectAfterValidation</param-name>
              <param-value>true</param-value>
        </init-param>
        <init-param>
              <!-- Leniency of time checking in ms when validating SAML assertions. Consider 
                    setting this parameter more liberally if you anticipate system clock drift 
                    on your application servers relative to the CAS server. The default is 1000 
                    (1s) and at least one person had problems with drift at that small a tolerance 
                    value. A good approach is to start low and then increase by 1000 as needed 
                    until problems stop. Note that increasing this value may have negative security 
                    implications. Consider fixing clock drift problems as an alternative. -->
              <param-name>tolerance</param-name>
              <param-value>1000</param-value>
        </init-param>
  </filter>

  <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

5 answers

solution1
 1  2013-04-24 18:23:01

If you're using SAML 1.1 protocol be sure that you included the artifactParameterName parameter

https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out 

<filter>
   <filter-name>CAS Single Sign Out Filter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
   <init-param>
      <param-name>artifactParameterName</param-name>
      <param-value>SAMLart</param-value>
   </init-param>
</filter>

solution2
 1  2013-04-24 18:34:58

I also had another issue with standard CAS protocol, where single sign-out worked on an integration server but not from localhost.

Scenario

  • log into both http://my-app-dev/app and http://localhost:8080/app with CAS on http://my-cas/cas
  • log out of CAS http://my-cas/cas/logout
  • http://my-app-dev/app now bounces me to CAS
  • http://localhost:8080 - still logged in!

I suspect the reason is the CAS server couldn't send a sign-out message to localhost:8080 because localhost is resolved in the CAS server's context, so it doesn't actually talk to my local dev environment.

solution3
 1  2012-02-27 18:42:33

I had the same problem. We had a java and a php client. When I went to http://mycasserver/logout only the java client logged out.

For the single sign out to work in the php client, you have to change:

phpCAS::handleLogoutRequests();

for

phpCAS::handleLogoutRequests(false);

And Voila! Refer to the documentation at phpCAS examples

solution4
 0  2015-07-22 06:19:41

You should verify that the CAS server can send a HTTP request to your webapp. Have a look in the logs of the CAS server.

solution5
 0  2011-05-25 14:09:27

I've had basically the same configuration for my application before I switched to the spring configuration. I had a look on the SVN and basically the only difference to your config is the use of the Single Sign Out Listener

listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

Could this work for you? Of course don't forget to add it on both WebApps if it works.

UPDATE: I found the description of the listener in the docs , and it should do what's missing in your setting

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Jasig-CAS single sign out with one link CAS Single Sign Out ticket not valid Single Sign Out with Spring Security and CAS Can't make CAS Single Sign Out work with Spring Security CAS Single Sign Out requests being ignored by JSP+Spring Extending JASIG CAS for Authorization Problem with Jasig CAS webflow CAS Single Signout not working SPRING BOOT Configure with Jasig CAS Configuring Jasig CAS to use BCrypt
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM