Custom Logout Issue in CAS integrated with Spring

 
Greenhorn
Posts: 21
Hi,

I have a problem with the logout functionality in my application, which uses CAS integrated with Spring Security. My Spring configuration is as below:

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
  <!-- URL redirected to after logout success -->
  <constructor-arg value="https://casURL/cas-server-webapp-3.5.1/logout?service=applnURL"/>
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
      <bean class="com.blah.blah.sso.logout.CustomLogoutHandler"/>
    </list>
  </constructor-arg>
</bean>

On clicking the Logout link in my application, with URL /j_spring_security_logout, the session is invalidated in SecurityContextLogoutHandler and the user is redirected to the service as in the constructor. Our expected behaviour is that CAS must log itself out, invalidate the session both in CAS and in the application, and redirect to the service configured as above.

What actually happens is that the service URL is getting called, but CAS is not creating the ST for the valid user I give at THIS point of time in the CAS login page.

Any help please.

Thanks,
Mckenzie
 
Bartender
Posts: 1682
Once again please UseCodeTags <-click

Not sure I am understanding but why not just replace all that with



You can have a look at this link too; maybe it applies to what you are trying to do.
http://forum.springsource.org/showthread.php?99859-spring-security-3-and-CAS-logout
 
Bill Gorder
Bartender
Posts: 1682
I noticed in that link that if you are using https you may need absolute paths

https://localhost:8443/cas/logout

 
Mckenzie John
Greenhorn
Posts: 21
Bill Gorder,

Thanks for the response. The root cause is that I can see the CAS TGC cookie still existing in the browser, which needs to be invalidated. If you look at the Spring config I shared, you can see that I am doing exactly the same:



1) calling j_spring_security_logout which invalidates application session and also clears security context.

2) On success, we are directly calling /cas/logout (please see the constructor arg for LogoutFilter), to which we have appended the URL param for where the user has to be finally sent.


What I can see is that the TGT for the session in CAS is getting destroyed, but we can see the CASTGC cookie still sits in the browser. There is also no trail in the logs as to the cookie being destroyed or expired.

I understand that we need to somehow incorporate /j_spring_cas_security_logout, which will invoke the Single SignOut Filter that I believe will expire/remove the cookie. But my requirement is that it has to be in addition to my already configured j_spring_security_logout.

Some help in this direction will be helpful.

And yeah my URLs are absolute

Thanks,
Mckenzie
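
The layout described in the last post, as an added example that is not part of the thread and is not the poster's own configuration: a second LogoutFilter on /j_spring_cas_security_logout plus the CAS client's SingleSignOutFilter, next to the existing `logoutFilter` bean from the first post. The bean ids `singleLogoutFilter`, `requestSingleLogoutFilter` and `casEntryPoint`, the `security` namespace prefix, and the way the existing filter is wired into the chain are assumptions.

```xml
<!-- Assumption: the "security" prefix is bound to the Spring Security namespace
     and <security:http> has no <security:logout> child, so the LOGOUT_FILTER
     position is free for the existing custom bean. -->

<!-- CAS client filter: handles the logout request that CAS sends back to the
     application and invalidates the matching local HTTP session. It relies on
     org.jasig.cas.client.session.SingleSignOutHttpSessionListener being
     registered as a <listener> in web.xml. -->
<bean id="singleLogoutFilter"
      class="org.jasig.cas.client.session.SingleSignOutFilter"/>

<!-- Second logout URL: clears the local security context, then redirects the
     browser to the CAS logout URL quoted in the thread. -->
<bean id="requestSingleLogoutFilter"
      class="org.springframework.security.web.authentication.logout.LogoutFilter">
  <constructor-arg value="https://casURL/cas-server-webapp-3.5.1/logout?service=applnURL"/>
  <constructor-arg>
    <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
  </constructor-arg>
  <property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/>
</bean>

<security:http entry-point-ref="casEntryPoint">
  <!-- New CAS logout URL, checked before the existing logout filter. -->
  <security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
  <!-- Existing bean from the first post, unchanged: /j_spring_security_logout. -->
  <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
  <!-- Must run before the CAS authentication filter. -->
  <security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>
  <!-- intercept-url rules and the CAS authentication filter go here -->
</security:http>
```

To see whether the cookie is actually being expired, inspect the response to the CAS logout request in the browser's network tools and look for a Set-Cookie header for CASTGC.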
 