Jun 30th, 2008, 10:47 AM
Help with Spring Security and CAS Logout Filter
I've been working on integrating Spring Security (2.0.3) and CAS, and have gotten single-sign-on to work. We have configured two Tomcat instances, one with CAS and SSL, and one with our application and SSL + in the clear. We are signing on secure and redirecting to clear-text for our applications. For both apps, single-sign-on works fine.
The issue is Single-Sign-Out. Apparently, CAS has a single-sign-out filter that you can implement if you're rolling your own security (SEC-748), which documented a potential change in the CasProcessingFilter and CasProcessingFilterEntryPoint which would add an Ehcache. The Ehcache would track additions and removals of the CasAuthenticationTickets (my understanding) and essentially remove the sessions of users when CAS sends the logout events to the given clients.
I've built the patch using renamed versions of the classes (so that they could be used instead of the existing classes). I've attached a zip of the maven build.
I'm having trouble wiring this all up. I built a maven project to configure the patch, and got it building, but I'm not 100% sure I'm doing things right. My first question for the group is, has anyone successfully integrated CAS and Spring Security 2.0.x with a Logout filter that performs single-sign-out? I see that this isn't yet built in, and since all I could come up with comes from wiki and blog entries, I'm not 100% comfortable with any approach.
My configuration is using the auto configuration approach. The snippet of the sign-on config as it stands is in autoconfig.txt.
I have attached the (non-working) snippet I'm attempting to use to configure the logout filter as ticketcache.txt.
While reading the JavaDoc of the patch, I saw that the JavaDoc of the CasProcessingFilter wanted me to mount it using FilterToBeanProxy, but it's deprecated. So I saw that it was replaced by the DelegatingFilterProxy, which is mounting our Spring Security. How would I hook this in? I was thinking the LogoutFilter above, which would hopefully replace the LOGOUT_FILTER position with the patched version.
I also became confused when I saw that there is a committed EhCache for Tickets, and wondered if this patch is duplicating functionality.
So, bottom line, I'm looking for steps in the right direction here, and am not sure exactly how to proceed. Any help would be appreciated, especially a functioning sample of CAS client authentication coupled with single-sign-out functionality.
Let me know if I can post more information, I'll sanitize and post what I have.
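The single-sign-out mechanism described above (tickets tracked on login, sessions dropped when CAS sends a logout event), as an added example that is not code from the thread or from the Spring Security patch: a registry that records each validated service ticket against its HttpSession and, when the CAS server posts its logoutRequest (a SAML LogoutRequest whose SessionIndex is that ticket) back to the service URL, invalidates the matching session. Class and method names are assumed; it uses only the JDK XML parser and the servlet HttpSession type.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Maps validated CAS service tickets to the HTTP sessions they opened (assumed class name). */
public class CasSingleSignOutRegistry {
    private static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    private final Map<String, HttpSession> sessionsByTicket =
            new ConcurrentHashMap<String, HttpSession>();

    /** Call once the service ticket has been validated against the CAS server. */
    public void register(String serviceTicket, HttpSession session) {
        sessionsByTicket.put(serviceTicket, session);
    }

    /** Call from a session listener so timed-out sessions do not linger in the map. */
    public void unregister(HttpSession session) {
        sessionsByTicket.values().remove(session);
    }

    /**
     * Handles the "logoutRequest" parameter that CAS POSTs to the service URL.
     * Returns true if a session was found for the SessionIndex and invalidated.
     */
    public boolean handleLogoutRequest(String logoutRequestXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The callback arrives unauthenticated on the service URL: refuse a DOCTYPE
        // so no external entities can be pulled in while parsing it.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(logoutRequestXml)));
        NodeList idx = doc.getElementsByTagNameNS(SAMLP, "SessionIndex");
        if (idx.getLength() != 1) {
            return false; // malformed: no single ticket to act on
        }
        String ticket = idx.item(0).getTextContent().trim();
        HttpSession session = sessionsByTicket.remove(ticket);
        if (session == null) {
            return false; // unknown or already-removed ticket: nothing to do
        }
        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // session expired between lookup and invalidation; it is gone either way
        }
        return true;
    }
}
```

Wire it into the filter chain so that a POST carrying a logoutRequest parameter reaches handleLogoutRequest before any authentication filter, and the login path calls register after ticket validation.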
Jul 16th, 2008, 04:47 AM
I played around with the cas example from the Spring subversion repository. I got it to work fine as far as login against a CAS server is concerned, but single sign out does not work.
When I click "Logout" on the JSP provided with the example, it goes to <myapp>/j_spring_security_logout, which results in the session being invalidated, but does not communicate to the CAS server for logout. This is a bit misleading, since I expected this to work in the example.
I am trying to figure out now how to configure
probably it solves the problem.
Jul 28th, 2008, 08:41 AM
CAS 3.2 introduced single sign out:
Originally Posted by krimple
"It also includes enhancements to enable/disable single sign out at the server level."
A work around if you use CAS 2 is to redirect to a hidden frame that contains the logout urls for all the apps you want to log out of. I posted an example of this on here a while back. See here:
Jul 28th, 2008, 08:52 AM
I also added CAS single sign-out to the sample application today, following the CAS-recommended approach. The application logout takes you to a page which informs you that you have been logged out of the application, but that you may still have an SSO session. It gives you a link to logout of CAS completely.
Jul 28th, 2008, 09:44 AM
That is more than handy, as I am looking into how to do that with SS2 at this very moment.
Originally Posted by Luke Taylor
Where can I check that out from, Luke?
Jul 28th, 2008, 11:50 AM
Details are on the project web site:
The sample app (client and server) is in samples/cas.