Help with SLO and Java Web Client


Jonathan Labin

Jan 5, 2016, 11:33:54 AM
to CAS Community
I am having trouble with the single logout feature.  I am using CAS server 4.1.3 and client web apps based on the sample provided by UniconLabs.  After modification according to the Java client README:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">

    <!-- Filter declarations -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        <!--
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://localhost:8181/cas</param-value>
        </init-param>
        -->
    </filter>

    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://localhost:8181/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>https://localhost:8181</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://localhost:8181/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>https://localhost:8181</param-value>
        </init-param>
        <init-param>
            <param-name>redirectAfterValidation</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>useSession</param-name>
            <param-value>true</param-value>
        </init-param>
        <!--
        <init-param>
            <param-name>acceptAnyProxy</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>proxyReceptorUrl</param-name>
            <param-value>/cas-sample-java-webapp/proxyUrl</param-value>
        </init-param>
        <init-param>
            <param-name>proxyCallbackUrl</param-name>
            <param-value>https://localhost:8181/cas-sample-java-webapp/proxyUrl</param-value>
        </init-param>
        -->
    </filter>

    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

    <!-- Filter mappings: the container applies the filters in this order -->
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Removes the ticket-to-session mapping when the container expires a session -->
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>

I can successfully log in to the web application through CAS authentication.
When I log out at the CAS server in another tab using https://localhost:8181/cas/logout, I receive confirmation that the logout was successful.

The server log shows:
2016-01-05T11:18:41.635-0500|Info: 2016-01-05 11:18:41,635 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Processing logout requests and then deleting the ticket...>
2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>]>
2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [https://localhost:8181/cas-sample-java-webapp-2/]>
2016-01-05T11:18:41.636-0500|Info: 2016-01-05 11:18:41,636 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@46569bda[url=https://localhost:8181/cas-sample-java-webapp-2/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-4-0sROBuPSyWPSs5z6tVOVXxCFjnejqH9jrbs" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@479d1dbc[ticketId=ST-5-7pGNgBnwf4JGqmJY7era-mycastest.myorg.org,service=https://localhost:8181/cas-sample-java-webapp-2/,status=SUCCESS]]>
2016-01-05T11:18:41.638-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>]>
2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,638 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Sending logout request for: [https://localhost:8181/cas-sample-java-webapp-1/]>
2016-01-05T11:18:41.639-0500|Info: 2016-01-05 11:18:41,639 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@5601d15a[url=https://localhost:8181/cas-sample-java-webapp-1/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf" Version="2.0" IssueInstant="2016-01-05T11:18:41Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]>
2016-01-05T11:18:41.641-0500|Info: 2016-01-05 11:18:41,641 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - <Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@2b711a3c[ticketId=ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org,service=https://localhost:8181/cas-sample-java-webapp-1/,status=SUCCESS]]>

and then to complete the TICKET_GRANTING_TICKET_DESTROYED action.

I'm not exactly sure what I'm looking for, but a few things stand out.
1) I see that the chain for logout of each client webapp ends with the term status=SUCCESS.  Is that indicative of a successful logout, or simply that the POST was made?
2) There are a number of places where SAML shows up in that log segment.  Does that mean I need to run the SAML protocol on my client?  If so, is that in addition to or in replacement of the CAS ticket validation filter, or are those unrelated?

After the logout I am still able to navigate the test client application(s), so the session has not been ended.
Assuming that my configuration of server and client are correct (may not be true), what should my application do to correctly respond to the SLO protocol?
I see the line in the client documentation stating:
The client has no code to help you handle log out. The client merely places objects in session.
but what objects are placed into the session and how should the client be written to recognize these objects and perform a session invalidation on the next access attempt?

Are there any simple examples of a web client that appropriately responds to the SLO protocol?

Thanks

Jonathan Labin

Jan 11, 2016, 10:11:02 AM
to CAS Community
To simplify the question:
Is there no way to write a webapp to respond to the logout callback by setting some flag?  Then, on the next access by the client browser, this flag could be noticed and the session terminated (along with cookies).

Is this approach inadvisable or not possible for some reason?

Thanks

Misagh Moayyed

Jan 11, 2016, 11:13:19 AM
to CAS Community

Your SLO filter is designed to do just that. It grabs onto the request, examines it and, if it considers it an SLO request, it will attempt to terminate the session. It also does nothing with cookies, if I recall. There are no other flags. I guess what you are trying to do is advise the webapp to log itself out on the next try, so as to preserve the current user session and not lose any work? In that case, why don't you just turn SLO off? What does SLO mean at that point?

At any rate, I don't know of a sane way you could manage/implement what you propose, unless you wrote your own filter that set that flag and did its own thing with the session, and even then I am not sure you can fully get there. Way too many variables can go wrong.

If you are trying to bypass the nuances of SLO, you won't be able to. You either accept SLO as is, or you turn it off and let the app do its own thing separate from the CAS SSO session. I dare say the latter is more common.

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
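The following is an added example, written for this thread and not code from java-cas-client, that models the two things the SLO filter described above does and that Jonathan's first post asks about: on a request carrying a service ticket it records ticket -> session (the "objects placed in session" step), and on a back-channel POST it pulls the SessionIndex out of the logoutRequest form parameter and invalidates that session. No SAML stack is involved; the LogoutRequest is only the envelope for the ticket id. The Session and SingleSignOutRegistry classes and the "cas_ticket" attribute name are stand-ins, the request ID and ticket are copied from the log quoted earlier in the thread, and the form body is constructed to match the shape that log shows. One caveat worth noting: the message in that log carries no signature, so possession of a live service ticket is the only thing that authorizes a logout, which is one reason the ticket should not linger in URLs, logs or referrers after validation (stripping it from the URL is what redirectAfterValidation=true does).

```python
"""Model of CAS back-channel single logout as the client webapp sees it.

Added example for this thread, not java-cas-client code. Mirrors what
SingleSignOutFilter does: remember ticket -> session when a ticket is
validated, invalidate that session when the CAS server POSTs a
logoutRequest whose SessionIndex names the ticket. Stdlib only.
"""
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class Session:
    """Stand-in for javax.servlet.http.HttpSession (constructed)."""

    def __init__(self, session_id):
        self.id = session_id
        self.attributes = {}
        self.invalidated = False

    def invalidate(self):
        self.attributes.clear()
        self.invalidated = True


class SingleSignOutRegistry:
    """Ticket -> session map plus the two request paths of the SLO filter."""

    def __init__(self):
        self._session_by_ticket = {}
        self._ticket_by_session = {}

    def record_validation(self, ticket, session):
        """Request arrived with ?ticket=ST-...: remember which session it
        authenticated. 'cas_ticket' is a constructed attribute name."""
        session.attributes["cas_ticket"] = ticket
        self._session_by_ticket[ticket] = session
        self._ticket_by_session[session.id] = ticket

    def session_destroyed(self, session):
        """Mirrors SingleSignOutHttpSessionListener: when the container
        expires a session itself, drop the mapping so the map does not leak."""
        ticket = self._ticket_by_session.pop(session.id, None)
        if ticket is not None:
            self._session_by_ticket.pop(ticket, None)

    def handle_back_channel_logout(self, form_body):
        """Handle a POST body from the CAS server. Returns the ticket whose
        session was invalidated, or None when nothing was done (missing or
        malformed logoutRequest, or a ticket this app never validated)."""
        xml = parse_qs(form_body).get("logoutRequest", [""])[0]
        if not xml:
            return None
        try:
            # stdlib expat does not fetch external entities, but this endpoint
            # is unauthenticated: in production also cap the body size or use
            # defusedxml to blunt entity-expansion (billion laughs) payloads.
            root = ET.fromstring(xml)
        except ET.ParseError:
            return None
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return None
        index = root.find(f"{{{SAMLP}}}SessionIndex")
        if index is None or not (index.text or "").strip():
            return None
        session = self._session_by_ticket.pop(index.text.strip(), None)
        if session is None:
            return None  # unknown or already used ticket: nothing to do
        self._ticket_by_session.pop(session.id, None)
        session.invalidate()
        return index.text.strip()


def build_logout_body(request_id, ticket):
    """Constructed form body in the shape the CAS log above shows: a single
    application/x-www-form-urlencoded parameter holding the SAML XML."""
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="2016-01-05T11:18:41Z">'
        '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"@NOT_USED@</saml:NameID><samlp:SessionIndex>{ticket}"
        "</samlp:SessionIndex></samlp:LogoutRequest>"
    )
    return urlencode({"logoutRequest": xml})


def demo():
    """Login, back-channel logout, a replay, an unknown ticket, garbage."""
    ticket = "ST-4-1m5RMx43NhaU2wreOvbp-mycastest.myorg.org"  # from the log
    registry = SingleSignOutRegistry()
    session = Session("JSESSIONID-webapp-1")  # constructed session id
    registry.record_validation(ticket, session)
    body = build_logout_body("LR-5-uiOMuNVN2F9ENMiORMqhGn02bWrL6u5NKZf", ticket)
    return {
        "first": registry.handle_back_channel_logout(body),
        "replay": registry.handle_back_channel_logout(body),
        "unknown": registry.handle_back_channel_logout(
            build_logout_body("LR-9-constructed", "ST-99-never-issued-here")),
        "garbage": registry.handle_back_channel_logout("logoutRequest=%3Cnot-xml"),
        "session_invalidated": session.invalidated,
    }


if __name__ == "__main__":
    print(demo())
```

The replay and unknown-ticket paths return None because the ticket is popped from the map on first use; that is also why the listener matters: without it, sessions that the container expires on its own would leave stale entries behind.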

Jonathan Labin

Jan 11, 2016, 1:28:31 PM
to CAS Community, mmoa...@unicon.net
Thanks for the advice.

I'm not trying to bypass the nuances of SLO.  I'm trying to find out if there is any way to enable SLO in a simple cookie-based webapp (like the sample provided by UniconLabs).

It sounds like there is not and I'll have to use one of the compatible security frameworks like Shiro or Spring Security.

Misagh Moayyed

Jan 11, 2016, 1:36:34 PM
to CAS Community

No, there is. That is the configuration you have. Cookies are not deleted, yes, but your session is gone, which is mostly what you care about.

If you are not seeing SLO, look into your logs and see what is happening.

Jonathan Labin

Jan 13, 2016, 8:21:25 AM
to CAS Community, mmoa...@unicon.net
It looks like my web.xml was out of order.  I collected all of the SLO elements first (filter, filter-mapping, and listener), all of the authentication elements next, and finally all of the validation elements at the end.  After doing that, SLO seems to work as one might hope.

So is the statement from the Jasig/java-cas-client Recommended Logout Procedure untrue?
The client has no code to help you handle log out. The client merely places objects in session. Therefore, we recommend you do a session.invalidate() call when you log a user out. However, that's entirely your application's responsibility.

It seems that it does end the session on receipt of a SLO message from the CAS server.  Or am I still confused about what is happening?
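The fix in the post above is an ordering fix, and the reason it matters is mechanical: a servlet container runs filters in the order their <filter-mapping> elements appear in web.xml, and the CAS server's back-channel logout POST carries no session cookie and no ticket parameter. With the first web.xml in this thread the CAS AuthenticationFilter ran ahead of the SingleSignOutFilter, so it redirected that POST to the CAS login page and the SLO filter never saw it. Below is an added example (written for this thread, not java-cas-client code) of a small check that parses a web.xml, reports any CAS authentication or validation filter mapped before the SLO filter, and flags a missing SingleSignOutHttpSessionListener. The two web.xml samples are constructed from the filter names and classes used in this thread, trimmed to the elements the check looks at.

```python
"""Lint the filter order of a CAS client web.xml (added example, not
java-cas-client code). The container applies filters in <filter-mapping>
order; CAS authentication/validation filters mapped before the SLO filter
redirect the unauthenticated back-channel logout POST before it arrives."""
import xml.etree.ElementTree as ET

SLO_FILTER = "org.jasig.cas.client.session.SingleSignOutFilter"
SLO_LISTENER = "org.jasig.cas.client.session.SingleSignOutHttpSessionListener"
# Filters in these packages redirect or reject requests they do not
# recognise, so they must not run ahead of the SLO filter.
GATING_PREFIXES = (
    "org.jasig.cas.client.authentication.",
    "org.jasig.cas.client.validation.",
)


def _local(tag):
    """Drop the default namespace web.xml declares: {ns}filter -> filter."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_slo_order(web_xml):
    """Return a list of problems; an empty list means the order is right."""
    root = ET.fromstring(web_xml)
    class_by_name, mapped_names, listeners = {}, [], set()
    for element in root:
        kind = _local(element.tag)
        if kind == "filter":
            class_by_name[_child_text(element, "filter-name")] = _child_text(element, "filter-class")
        elif kind == "filter-mapping":
            mapped_names.append(_child_text(element, "filter-name"))
        elif kind == "listener":
            listeners.add(_child_text(element, "listener-class"))

    problems = []
    chain = [class_by_name.get(name, "") for name in mapped_names]
    if SLO_FILTER not in chain:
        problems.append("SingleSignOutFilter has no <filter-mapping>")
    else:
        for position, cls in enumerate(chain[: chain.index(SLO_FILTER)]):
            if cls.startswith(GATING_PREFIXES):
                problems.append(f"{cls} is mapped at position {position}, before SingleSignOutFilter")
    if SLO_LISTENER not in listeners:
        problems.append("SingleSignOutHttpSessionListener is not declared")
    return problems


# Filter names and classes as used in this thread's web.xml.
_FILTERS = {
    "CAS Single Sign Out Filter": SLO_FILTER,
    "CAS Authentication Filter": "org.jasig.cas.client.authentication.AuthenticationFilter",
    "CAS Validation Filter": "org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter",
    "CAS HttpServletRequest Wrapper Filter": "org.jasig.cas.client.util.HttpServletRequestWrapperFilter",
}


def sample_web_xml(mapping_order, with_listener=True):
    """Constructed web.xml (same default namespace as the thread) with the
    given <filter-mapping> order; filter declarations stay in a fixed order."""
    filters = "".join(
        f"<filter><filter-name>{n}</filter-name><filter-class>{c}</filter-class></filter>"
        for n, c in _FILTERS.items())
    mappings = "".join(
        f"<filter-mapping><filter-name>{n}</filter-name><url-pattern>/*</url-pattern></filter-mapping>"
        for n in mapping_order)
    listener = f"<listener><listener-class>{SLO_LISTENER}</listener-class></listener>" if with_listener else ""
    return ('<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">'
            f"{filters}{mappings}{listener}</web-app>")


# Mapping order from the first web.xml in the thread: SLO mapped last.
MISORDERED = sample_web_xml(["CAS Validation Filter", "CAS Authentication Filter",
                             "CAS HttpServletRequest Wrapper Filter", "CAS Single Sign Out Filter"])
# Order that made SLO work: SLO mapped before authentication and validation.
FIXED = sample_web_xml(["CAS Single Sign Out Filter", "CAS Authentication Filter",
                        "CAS Validation Filter", "CAS HttpServletRequest Wrapper Filter"])

if __name__ == "__main__":
    for label, doc in (("misordered", MISORDERED), ("fixed", FIXED)):
        print(label, check_slo_order(doc) or "OK")
```

Run it against a real web.xml by reading the file into a string and passing it to check_slo_order; the namespace handling covers both the j2ee namespace used here and the later javaee one, since only the local tag names are compared.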

Misagh Moayyed

Jan 13, 2016, 12:04:23 PM
to CAS Community

I’d have to defer to Scott or Marvin, but my understanding is that the client invalidates the session and is also able to provide you with a logout strategy. So the docs may be old for the current version.

 

Sankalp Sharma

May 30, 2016, 3:24:02 AM
to CAS Community, mmoa...@unicon.net
Hi Jonathan,

I am having the same problem as you had, but even after ordering the web.xml as you described, I am still stuck with the error.

I have debugged the CAS Java client code to find out why single logout is not working and found that the CAS server is sending the logout request (BACK_CHANNEL) to each application, but some Java clients are unable to handle it, and there is no error in the logs.

Please provide a solution. Can you please post your application's web.xml for better understanding? It would also be very helpful if you could have a look at this page:

https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/single$20logout/cas-user/Tn1kPEOFvAY/sESb-nI3BAAJ

Regards,
Sankalp

Jonathan Labin

Jun 9, 2016, 11:50:33 AM
to CAS Community, mmoa...@unicon.net
My web.xml:


    <!-- CAS single logout: mapped before the Shiro filter so the back-channel POST reaches it -->
    <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>http://mycasserver</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

    <!-- Shiro handles authentication and authorization for the application -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>

    <context-param>
        <param-name>shiroConfigLocations</param-name>
        <param-value>/WEB-INF/shiro/shiro.ini</param-value>
    </context-param>

    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>


I hope that helps

Atul shinde

Jun 13, 2016, 2:06:39 AM
to Jonathan Labin, CAS Community, mmoa...@unicon.net
Hi,
I am trying to build a Spring Boot service for centralized authentication, so that any login service can authenticate at the server level and receive a token for the login service.
How do I create the server service and the client service for the login page?
Please help with that.


Dmitriy Kopylenko

Jun 13, 2016, 5:49:57 AM
to Atul shinde, Jonathan Labin, CAS Community, mmoa...@unicon.net
It's hard to understand what you are after, but perhaps take a look at the sample CASyfied Spring Boot web app: https://github.com/UniconLabs/bootiful-cas-client

Cheers,
D.
