CAS TGC cookie deletion

[mckenzie]

Hi,

We are successfully able to logout of the application and we redirect the URL to tje cas Login Page. But we are not able to delete the CASTGC cookie that is set by CAS due to which the user is not able to end the session.

I have been trying a lot of methods and referred a lot of websites for solution.. We tried deleting the cookie using a javascript for the jsp but it was futile . Then we learnt that it has to be done programmatically. One option we learnt was using the CAS Single Sign Out Filter in the CAS server.

I am a new bie in CAS and its implementations.

Can some one help me in successfully help me eradicate this CAS TGC cookie from the client end.

Also i understand that there are some drawbacks with this Single Signout filter . We need his to be closed as fast as possible.

People who have been successful implementing the same and successfully erased the cookie , Please guide me step by step.

Many Thanks,
Mckenzie

[jleleu]

Hi,

The CAS server is responsible for creating and deleting the CASTGC cookie.

The CASTGC cookie is deleted at CAS logout, it means that the SSO session ends.

You can ask the CAS server for logout, by calling the https://mycasserver/cas/logout url.

Take a look at the documentation to understand between the application logout and CAS server logout : http://static.springsource.org/sprin...rence/cas.html, part "22.3.2 Single Logout".

Best regards,
Jérôme

[mckenzie]

Thanks a lot Jerome.

I would like to get some more help from you in this regard as i am facing some issues in implementing the logic explained in the shared link.

Let me illustrate my current logic. may be you can guide me the right way to get the functionality working. THe below is my Logout config in Spring:

<!-- Single Logout Filter configuration -->

<bean id="logoutFilter" class="org.springframework.security.web.authentica tion.logout.LogoutFilter">
<!-- URL redirected to after logout success -->
<constructor-arg value="https://CASURL/cas-server-webapp-3.5.1/logout?url=https://appURL/""/>

<constructor-arg>
<list>

<bean class="org.springframework.security.web.authentica tion.logout.SecurityContextLogoutHandler"/>
<bean class="com.blah.blah.sso.logout.CustomLogoutHandle r">
<property name="eventDispatcher" ref="xxxEventDispatcher"/>
<property name="authenticationProvider" ref="authenticationProvider"/>

</bean>




</list>
</constructor-arg>

</bean>

My application is invoking the LogoutFilter using /j_spring_security_logout . The customLogout Handler as of now does the following
1) invalidates session using the SecurityContextLogoutHandler and invokes the logouthandler of my application and clears authentication.

2) the constructor args is called on the completion of the above which is successfully redirecting to the url parameter. But the CASTGC is not cleared.

I have now understood that there is one more invokation to the SingleLogoutFIlter which will logout from CAS using the j_spring_cas_security_logout link which needs to be configured in a page after the application logout and before the CAS Logout url is called.

How do i modify my Spring now so that i can accomodate one more URL . Also i am not able to understand the positioning concept of filters in the documentation.

Kindly guide me.

Thanks,
Mckenzie

[jleleu]

Hi,

I admit that all these logouts may seem confusing.

You have the regular logout for your application handled by the /j_spring_security_logout url : it kills your own application session. It's configured through a <security:logout tag.

But, as you use a CAS server, someone can request to logout from SSO (someone not using your application), which means from all the applications. It means that your application needs to be able to understand and receive the logout calls from the CAS server, this is done by the singleLogoutFilter (before CAS_FILTER) and the org.jasig.cas.client.session.SingleSignOutHttpSess ionListener listener.

You can also want to request SSO logout (instead or in addition to your application logout) from your own application, this can be done with the requestSingleLogoutFilter which creates an url : /j_spring_cas_security_logout to trigger CAS logout.
I think we can get rid of this last url by calling directly /cas/logout.

Hope it gets clearer.

Best regards,
Jérôme

[mckenzie]

Hi Jerome,

Thanks for the quick response. If you could see the spring config shared , you can see that i am exactly doing the same
1) calling j_spring_security_logout which invalidates application session and also clears security context.

2) On the success , we are directly calling the /cas/logout (please see the constructor arg for LogoutFilter) with which we have appended the url param to where the user has to be finally sent.


What I can see is that the TGT for the session in CAS is getting destroyed, but we can see the CASTGC cookie still sits in the browser. There is also no trail in the logs as to the cookie being destroyed or expired.

I understand from you rabove reply that we need to somehow incorporate the /j_spring_cas_security_logout which will invoke the Single SignOut Filter that i believe will expire/remove the cookie. But my requirement is it has to be in addition to my already configured j_spring_security_logout.

Some help in this direction will be helpful.

Thanks,
Mckenzie

[jleleu]

Hi,

Are you sure that the /cas/logout is called ? If so, the CASTGC cookie should be destroyed.
How do you see that the TGT for the session in CAS is getting destroyed ?
Thanks,
Jérôme