-
Dec 17th, 2012, 10:14 AM
#11
Hi,
Very strange!
The CASTGC cookie is deleted and set at the same time. It has nothing to do with the SingleSignOut filter, which is on the client side.
Your CAS server should destroy the cookie and not set it! Do you have any specific customization on the CAS server side?
I don't see any other option than activating DEBUG logs on org.jasig.cas on the CAS server side. Please post these logs.
Thanks,
Jérôme
-
Dec 17th, 2012, 09:45 PM
#12
Hi Jerome,
A quick iteration of the other clarification from you. Can you please confirm that calling /cas/logout is able to delete the cookie set in the browser as well?
Regards,
Mckenzie
-
Dec 17th, 2012, 09:51 PM
#13
Hi Jerome,
Can you guide me as to how I can register two different applications which want to use the same CAS session? Say I have a Java application (app1) and a .NET application (app2) which need to be registered for the same CAS. Assume I log into app A and authenticate myself in CAS; when I want to access App B, it must be able to provide me access without asking me to log in, and logging out from any of the applications should log me out from both.
Where do I need to add the appropriate entries for the same? Any pointers or guidance will help me.
Thanks,
Mckenzie
-
Dec 18th, 2012, 02:13 AM
#14
Hi,
I confirm that the CASTGC is deleted on CAS logout.
Best regards,
Jérôme
-
Dec 18th, 2012, 02:18 AM
#15
Hi,
You should start a new thread for a new topic; it's easier to reply and follow.
I may be missing the point, but using the same CAS session across integrated applications is exactly the definition of SSO.
You need a Java CAS client for your Java application and the .Net CAS client for your .Net application; both applications must be configured in the CAS services back office:
https://wiki.jasig.org/display/CASC/.Net+Cas+Client
https://wiki.jasig.org/display/CASUM...ces+Management
Best,
Jérôme
-
Dec 18th, 2012, 03:42 AM
#16
Thanks Jerome. I will start that one as a new thread. Let us now stick to the CAS TGC cookie deletion. Is there any way to remove the cookie sitting in the browser? As per my understanding, the browser must ignore an expired cookie, but it is strange to see that the cookie still remains.
-
Dec 18th, 2012, 03:55 AM
#17
The CASTGC cookie should be destroyed. Enable DEBUG logs on org.jasig.cas on the CAS server side to investigate...
-
Dec 18th, 2012, 09:09 AM
#18
Hi Jerome,
I have enabled debug in the CAS server. I can see the following entries:
2012-12-19 00:01:44,592 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASTGC]>
2012-12-19 00:01:44,592 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
2012-12-19 00:01:44,608 DEBUG [org.jasig.cas.util.HttpClient] - <Attempting to access https://APPURL/j_spring_cas_security_check>
2012-12-19 00:01:44,725 WARN [org.jasig.cas.util.HttpClient] - <Error Sending message to url endpoint [https://APPURL/j_spring_cas_security_check]. Error is [blrkec114921d.ad.infosys.com]>
2012-12-19 00:01:44,885 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2012-12-19 00:01:44,885 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
2012-12-19 00:01:44,892 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2012-12-19 00:01:44,892 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
2012-12-19 00:01:44,895 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session C6891F3A4063E6583B1C5401DD017177.node1 in 2 seconds>
2012-12-19 00:01:44,896 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Error getting service from flow state.>
java.lang.IllegalStateException: No active FlowSession to access; this FlowExecution has ended
at org.springframework.webflow.engine.impl.FlowExecutionImpl.getActiveSession(FlowExecutionImpl.java:191)
at org.springframework.webflow.engine.impl.RequestControlContextImpl.getFlowScope(RequestControlContextImpl.java:134)
at org.jasig.cas.web.support.WebUtils.getService_aroundBody8(WebUtils.java:87)
at org.jasig.cas.web.support.WebUtils.getService_aroundBody9$advice(WebUtils.java:57)
at org.jasig.cas.web.support.WebUtils.getService(WebUtils.java:1)
at org.jasig.cas.web.flow.TerminateWebSessionListener.sessionStarted_aroundBody0(TerminateWebSessionListener.java:62)
at org.jasig.cas.web.flow.TerminateWebSessionListener.sessionStarted_aroundBody1$advice(TerminateWebSessionListener.java:57)
at org.jasig.cas.web.flow.TerminateWebSessionListener.sessionStarted(TerminateWebSessionListener.java:1)
at org.springframework.webflow.engine.impl.FlowExecutionListeners.fireSessionStarted(FlowExecutionListeners.java:126)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:367)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:225)
at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:128)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:57)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at com.infosys.socialedge.tomcat.valves.SecureCookieValve.invoke(SecureCookieValve.java:51)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:636)
2012-12-19 00:01:53,538 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
We can see the CASTGC and CASPRIVACY cookies removed, but what is the problem with this IllegalStateException? Is it because of this? What modification needs to be done to avoid this? The Spring config still remains the same as in the earlier posts.
Any pointers?
Thanks,
Mckenzie
-
Dec 18th, 2012, 09:25 AM
#19
Hi,
The stack trace is pretty frightening, but it's just a DEBUG log, so I would ignore it.
We see that the cookies are destroyed, but I'm worried about the call to the https://APPURL/j_spring_cas_security_check URL: what's the response for this URL? Where does it redirect you? Isn't it a redirection to a protected URL, which triggers a round-trip to the CAS server, which will therefore re-set the CASTGC cookie?
Best regards,
Jérôme
-
Dec 18th, 2012, 11:36 PM
#20
Hi Jerome,
We have configured the service URL as https://APPURL/j_spring_cas_security_check for ServiceProperties, and it is referred to by the casProcessingFilterEntryPoint.
This is redirected to the CAS login page configured as the loginUrl in the spring.xml.
A strange thing I notice is with the cookies in HttpFox, which shows the call to /cas/logout as below:
Cookie sent:
CASTGC TGT-8-nnnUWE4IytFrwJX6LZfmSHu3RF7CmBewwEJPOohCtexzRnTLAQ-cas01.example.org End Of Session
Cookie received:
CASTGC TGT-8-nnnUWE4IytFrwJX6LZfmSHu3RF7CmBewwEJPOohCtexzRnTLAQ-cas01.example.org /cas-server-webapp-3.5.1 End Of Session
CASTGC "" /cas-server-webapp-3.5.1/ Thu, 01-Jan-1970 00:00:10 GMT
CASPRIVACY "" /cas-server-webapp-3.5.1/ Thu, 01-Jan-1970 00:00:10 GMT
There is a redirect to the /login page of CAS after this, which shows the CASTGC cookie still existing in the browser, which ideally should not be the case. I am not sure why this redirection to the /login page happens, and I suppose this might be a cause of the issue. To trace the flow, I debugged CAS and I could see the following exception:
java.lang.IllegalStateException: No active FlowSession to access; this FlowExecution has ended
It looks like the InitialFlowSetupAction is either not setting the configured service in flow scope, or there is some problem due to the call to the /login page which interrupts the flow. Any suggestions, please?
Regards,
Mckenzie