RegexUriLogoutValve not working as expected

[Jaume Moral]

Hi!

I have a problem using RegexUriLogoutValve to achieve global logout in a tomcat server.

I have two applications (app1 and app2) in the same tomcat protected with org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator. Single Sign On works perfect, but I have troubles with logout.

I have this in global context.xml

 <Valve
    className="org.jasig.cas.client.tomcat.v7.RegexUriLogoutValve"
    logoutUriRegex="/.*/logout" redirectUrl="https://mycasserver.edu/cas/logout"
    />
 

When I go to http://localhost:8080/app1/logout, it seems fine but none of my applications forget the logged user.

Inside my applications, I have

web.xml

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

And one jsp for testing

<h1>Logged user: ${pageContext.request.remoteUser}</h1>

I was expecting that after visit /app1/logout, both application forget the CAS user. Is this correct? Or am I missing something?

[Ray Bon]

Jaume,

cas/logout will end the CAS session. It is up to your application to end its own session. If tomcat is redirecting on your application logout, then your application will never know to end the session.

Perhaps your cas client can perform the right steps (end session and redirect to cas/logout).

You can add logout url to service definition. CAS will then send a request when cas/logout is visited.

Ray

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

[Jaume Moral]

Ok. I can use the single sign out request on cas logout, but this is not what I'm looking for.

I thaught that logoutvalve would do a logout in all applications on same tomcat, without the need of a single sign out request from cas server.

Am I wrong?

El dj., 4 oct. 2018 19.24, Ray Bon <rb...@uvic.ca> va escriure:

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1538673841.2852.18.camel%40uvic.ca.

[Ray Bon]

Jaume,

Does the redirect to CAS happen?

If CAS does not terminate the session but your application does (i.e. the valve works), then when you access your application, it will go to CAS and create a new session using the previous single sign on.

If this is happening you will see the redirect in your developer tools and new service tickets issued in CAS logs.

Is there a way to tell if tomcat ends the sessions?

Ray

[Jaume Moral]

Yes, redirection happens and CAS server forgets the logged user

My flow is:

* http://localhost:8080/app1/test.jsp

-> redirects to CAS login

* login in cas server with username and password

-> redirects to /app1/test.jsp, showing my username and a _const_cas_assertion_

* http://localhost:8080/app1/logout

-> redirects to CAS server logout url (and it really forgets the authentication)

* http://localhost:8080/app1/test.jsp

-> It shows my username! I'm not logged out of app1 !! But there is not a _const_cas_assertion_

I think that logout valve deletes the cas assertion in session, but perhaps the user is also stored in session and is not deleted. I thought that the user exposed to the application via pageContext.remoteUser was the one in cas_assertion, but in the last step, there is no cas assertion, but the user remains.

Perhaps your answer will be. "ok, you can invalidate your session and then go to CAS logout", but the reason I'm doing this is that i want to logout from all applications in same tomcat. I can't invalidate other contexts sessions, as far as I know.

Any ideas?

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1538686027.2852.26.camel%40uvic.ca.

[Ray Bon]

Jaume,

If test.jsp requires login and you can access it after app1/logout, I agree that you are not logged out.

https://github.com/apereo/java-cas-client/blob/master/cas-client-integration-tomcat-common/src/main/java/org/jasig/cas/client/tomcat/AbstractLogoutHandler.java

If you turn on debugging for the cas client, you will see the log out happen.

If you do not want CAS to log user out of all apps, you can turn off single sign out.

Ray

[Jaume Moral]

Ok, I will turn on debug and check the logs.

What is the right way to do it? All the documentation I find is to enable in CAS server. I try to enable it in logging.properties in /conf folder but I doesn't work. It seems it uses a different cofiguration file.

Can you help me?

Thanks!

El divendres, 5 octubre de 2018 1:51:10 UTC+2, rbon va escriure:

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1538673841.2852.18.camel%40uvic.ca.

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1538686027.2852.26.camel%40uvic.ca.

[Ray Bon]

Jaume,

logging.properties is for tomcat itself.

You can add a log4j2.xml file to your application. To it, add a logger for org.apereo. I think I started by copying the one that comes with CAS server.

Ray