Single Sign Out problem

Xuejin Ruan

Single Sign Out problem

Hi all,

I have a couple of applications implementing a Single Sign Out solution. When the CAS server and CAS clients are running on the same box, everything works as expected. When I log off one application, it also logs off the other application. However, when I put them in a distributed environment, Single Sign Out doesn't work correctly.

I am running cas-server-3.3.3 on boxA, and I have a Spring Security application (app1) running on boxB using cas-client-3.1.6, and another Spring Acegi application (app2) using cas-client-3.1.6, also on boxB. I have configured the Single Sign Out filter and listener in the web.xml file for both apps (http://www.ja-sig.org/wiki/display/CASC/Configuring+Single+Sign+Out). For app1, I defined logout-success-url as "https://casserver:8443/cas/logout"; and for app2, I have custom code to invalidate the session variable and then redirect to "https://casserver:8443/cas/logout" upon logout. Single Sign On works correctly for both apps. However, if I have both app1 and app2 running, when I log out of app1, app1's session is invalidated, it logs out of app1 and the logout-success-url is correctly displayed. But I can still browse app2 without being challenged for credentials. The same thing happens if I log out of app2: app1 seems to still be running fine.

From what I have learned, for a Spring Security application, when the user clicks the following link to log out:

<a href='<c:url value="../j_spring_security_logout"/>'>Logout</a>

it will invalidate the user's session, and then the user will be redirected to the logout-success-url defined in the XML config file. Then the CAS server will send out a request to the other applications to destroy the cache entry containing the corresponding service ticket. I don't have a very deep understanding of this process. It seems to me that when app1 logs out and triggers the CAS server to log out, app2's SingleSignOutHttpSessionListener is not really listening to the request sent out by the CAS server. Can someone correct me if I am wrong?

Is there any configuration that I am missing? Please help! Another thing I don't understand is: why does it work with no problem when the CAS server and client applications are on the same box, in the same Tomcat server?

Thanks,

Xuejin
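The back-channel mechanism the post describes, as an added example that is not part of the original thread and not cas-client code: the CAS server POSTs a `logoutRequest` parameter carrying a SAML LogoutRequest whose SessionIndex is the service ticket, the client-side filter maps that ticket back to the HTTP session it was recorded on and invalidates it, and the session listener removes the mapping whenever the container destroys a session. The class and method names below are modelled on the ones named in the thread but are assumptions, the ticket and session ids are constructed, and the `session_replaced_after_login` path models a hypothetical framework that moves the user to a fresh session after authentication; it is there to show why a ticket-to-session map silently misses the logout in that case, not as a diagnosis of the poster's setup.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class HttpSession:
    """Stand-in for the container's HttpSession (constructed model)."""
    def __init__(self, session_id):
        self.session_id = session_id
        self.valid = True

    def invalidate(self):
        self.valid = False


class SessionMappingStorage:
    """Two-way map between service ticket and session; the client's own
    in-memory storage does the same job (method names here are assumed)."""
    def __init__(self):
        self._by_ticket = {}
        self._by_session_id = {}

    def add_session_by_id(self, ticket, session):
        self._by_ticket[ticket] = session
        self._by_session_id[session.session_id] = ticket

    def remove_by_session_id(self, session_id):
        ticket = self._by_session_id.pop(session_id, None)
        if ticket is not None:
            self._by_ticket.pop(ticket, None)

    def remove_session_by_mapping_id(self, ticket):
        session = self._by_ticket.pop(ticket, None)
        if session is not None:
            self._by_session_id.pop(session.session_id, None)
        return session


class SingleSignOutHttpSessionListener:
    """Drops the mapping when the container destroys a session."""
    def __init__(self, storage):
        self.storage = storage

    def session_destroyed(self, session):
        self.storage.remove_by_session_id(session.session_id)


class SingleSignOutFilter:
    """Records ticket -> session when the service ticket arrives and consumes
    the server's back-channel POST carrying the logoutRequest parameter."""
    def __init__(self, storage):
        self.storage = storage

    def do_filter(self, method, params, session):
        """Return True when the request was a logout request and was consumed."""
        if method == "POST" and "logoutRequest" in params:
            ticket = parse_session_index(params["logoutRequest"])
            target = self.storage.remove_session_by_mapping_id(ticket) if ticket else None
            if target is not None:
                target.invalidate()
            return True
        if "ticket" in params:
            self.storage.add_session_by_id(params["ticket"], session)
        return False


def parse_session_index(logout_request_xml):
    """Extract the service ticket from <samlp:SessionIndex>; None if absent."""
    root = ET.fromstring(logout_request_xml)
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    return idx.text.strip() if idx is not None and idx.text else None


def build_logout_request(ticket):
    """Constructed sample in the shape of the SAML LogoutRequest CAS 3.x posts."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-constructed-1" '
            'Version="2.0" IssueInstant="2009-07-07T21:14:00Z">'
            f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
            f'<samlp:SessionIndex>{ticket}</samlp:SessionIndex></samlp:LogoutRequest>')


def user_still_logged_in(session_replaced_after_login):
    """Log one client app in, deliver the back-channel logout, and report whether
    the user's session survived.  session_replaced_after_login is an assumed
    scenario: the framework discards the session the ticket arrived on and
    continues the user on a fresh one."""
    storage = SessionMappingStorage()
    sso_filter = SingleSignOutFilter(storage)
    listener = SingleSignOutHttpSessionListener(storage)

    session = HttpSession("JSESSIONID-A")
    sso_filter.do_filter("GET", {"ticket": "ST-1-constructed"}, session)

    if session_replaced_after_login:
        old, session = session, HttpSession("JSESSIONID-B")
        old.invalidate()
        listener.session_destroyed(old)  # the only mapping for ST-1 goes with it

    # The server's call arrives on a session of its own, never the user's.
    sso_filter.do_filter(
        "POST", {"logoutRequest": build_logout_request("ST-1-constructed")},
        HttpSession("CAS-SERVER-CALL"))
    return session.valid
```

`user_still_logged_in(False)` returns False (the back-channel request found the mapping and invalidated the user's session); `user_still_logged_in(True)` returns True, because the only mapping was keyed to the discarded session id and the logout request had nothing left to invalidate. Two things follow for a distributed deployment: the CAS server must be able to open a connection to each service URL it registered, and the session the filter records the ticket on must be the session the user keeps using.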
Scott Battaglia-2

Re: Single Sign Out problem

Check your firewall settings, etc. to see if your outgoing call is being blocked.


On Tue, Jul 7, 2009 at 5:14 PM, Xuejin Ruan <[hidden email]> wrote: (original message, quoted in full above)

--
View this message in context: http://www.nabble.com/Single-Sign-Out-problem-tp24381456p24381456.html
Sent from the CAS Users mailing list archive at Nabble.com.

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Xuejin Ruan

Re: Single Sign Out problem

Scott,

Thanks for your reply. Actually both the CAS server box and CAS client box are within our organization's firewall, and those two boxes don't have firewall set up to block each other. I tried to add a third application to the client box and it works as follows:
CAS server: box1
app1 is a Spring Acegi application in box2
app2 is a Spring Security application in box2
app3 is a jsp servlet application (Hello World example from Tomcat) in box2

All 3 client apps are configured for Single Sign Out.
1) I have all three apps running in the same browser. When I log out of app1, it also logs me out of app3, but I can still access app2.

2) I have all three apps running in the same browser. When I log out of app2, it also logs me out of app3, but I can still access app1.

Below is the web.xml configuration for app1 and app2:
web.xml for app1:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
    <!-- Session timeout is x minutes -->
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <!-- The Spring Application Contexts -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:gov/pc/portal/acegi/spring.xml
            /WEB-INF/applicationContext.xml
        </param-value>
    </context-param>
    <!-- CAS single sign out -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <!-- The Spring Context Loader Listener -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <!-- The Acegi Security Filter -->
    <filter>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
        </init-param>
    </filter>
    <!-- The Acegi Security Filter Mapping -->
    <filter-mapping>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Welcome Files -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

web.xml for app2:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
    <display-name>Spring Security Tutorial Application</display-name>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:applicationContext-business.xml
            classpath:gov/pc/portal/springsecurity/spring.xml
            /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j.properties</param-value>
    </context-param>

    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>bank</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>bank</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>

    <!-- Test on session timeout configuration -->
    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
~~~~~~~~~~~~~~~~~~~~~~~~~~

For the Spring Security application, I used "j_spring_security_logout" to log out. I even explicitly added a SingleSignOut filter in the applicationContext.xml file:

    <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
        <sec:custom-filter before="CAS_PROCESSING_FILTER"/>
    </bean>

What else do I need to do, or what did I do wrong? Please help!

Thanks so much,

Xuejin


scott_battaglia wrote:
Check your firewall settings, etc. to see if your outgoing call is being
blocked.
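A configuration check for the two web.xml files posted above, as an added example that is not part of the thread and not a CAS project tool. In a Servlet 2.4 container the filter chain runs in the order of the `<filter-mapping>` elements, so the single-sign-out filter has to be mapped ahead of the Acegi or Spring Security filter for it to see the service ticket and the server's logoutRequest before the security chain does, and the session listener has to be registered or mappings are never cleaned up. The checker parses a web.xml with the standard library and reports those problems; the `sample_web_xml` helper builds constructed inputs in the same shape as the poster's app2 file. Run against the two files in the thread it would report nothing, since both already map the CAS filter first and register the listener, which is worth knowing when narrowing the search.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}
SSO_FILTER = "org.jasig.cas.client.session.SingleSignOutFilter"
SSO_LISTENER = "org.jasig.cas.client.session.SingleSignOutHttpSessionListener"
# Entry points of the application's own security chain; the single-sign-out
# filter must be mapped ahead of them so it handles the logoutRequest first.
SECURITY_FILTERS = {
    "org.acegisecurity.util.FilterToBeanProxy",
    "org.springframework.web.filter.DelegatingFilterProxy",
}


def _text(elem, path):
    """Trimmed text of a namespaced child element, '' if absent."""
    return elem.findtext(path, default="", namespaces=NS).strip()


def check_single_sign_out(web_xml):
    """Return a list of problems found; an empty list means the wiring looks right."""
    root = ET.fromstring(web_xml)
    problems = []

    class_by_name = {_text(f, "j:filter-name"): _text(f, "j:filter-class")
                     for f in root.findall("j:filter", NS)}
    # Servlet 2.4 applies filters in <filter-mapping> document order.
    order = [class_by_name.get(_text(m, "j:filter-name"), "?")
             for m in root.findall("j:filter-mapping", NS)]

    if SSO_FILTER not in order:
        if SSO_FILTER in class_by_name.values():
            problems.append("SingleSignOutFilter is declared but has no filter-mapping")
        else:
            problems.append("SingleSignOutFilter is not declared")
    else:
        sso_pos = order.index(SSO_FILTER)
        for pos, cls in enumerate(order):
            if cls in SECURITY_FILTERS and pos < sso_pos:
                problems.append(f"{cls} is mapped before SingleSignOutFilter")

    listeners = [_text(l, "j:listener-class") for l in root.findall("j:listener", NS)]
    if SSO_LISTENER not in listeners:
        problems.append("SingleSignOutHttpSessionListener is not registered")
    return problems


def sample_web_xml(sso_mapped_first, with_listener):
    """Constructed web.xml in the shape of the poster's app2 file (not their file)."""
    sso_mapping = ("  <filter-mapping>\n    <filter-name>CAS Single Sign Out Filter</filter-name>\n"
                   "    <url-pattern>/*</url-pattern>\n  </filter-mapping>\n")
    sec_mapping = ("  <filter-mapping>\n    <filter-name>springSecurityFilterChain</filter-name>\n"
                   "    <url-pattern>/*</url-pattern>\n  </filter-mapping>\n")
    listener = ("  <listener>\n    <listener-class>" + SSO_LISTENER +
                "</listener-class>\n  </listener>\n") if with_listener else ""
    mappings = sso_mapping + sec_mapping if sso_mapped_first else sec_mapping + sso_mapping
    return (
        '<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">\n'
        "  <filter>\n    <filter-name>CAS Single Sign Out Filter</filter-name>\n"
        "    <filter-class>" + SSO_FILTER + "</filter-class>\n  </filter>\n"
        "  <filter>\n    <filter-name>springSecurityFilterChain</filter-name>\n"
        "    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>\n"
        "  </filter>\n" + mappings + listener +
        "  <listener>\n    <listener-class>org.springframework.web.context.ContextLoaderListener"
        "</listener-class>\n  </listener>\n</web-app>\n"
    )


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, check_single_sign_out(fh.read()) or "ok")
```

Invoked as `python check_sso.py app1/WEB-INF/web.xml app2/WEB-INF/web.xml` (file name assumed) it prints `ok` or the list of findings per file. The ordering rule is deliberately about `<filter-mapping>` position rather than `<filter>` declaration position, because only the former determines chain order in the container.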