Hello,
I've been working on integrating Spring Security (2.0.3) and CAS, and have gotten single-sign-on to work. We have configured two Tomcat instances, one with CAS and SSL, and one with our application and SSL + in the clear. We are signing on secure and redirecting to clear-text for our applications. For both apps, single-sign-on works fine.
The issue is Single-Sign-Out. Apparently, CAS has a single-sign-out filter that you can implement if you're rolling your own security (SEC-748), which documented a potential change in the CasProcessingFilter and CasProcessingFilterEntryPoint which would add an Ehcache. The Ehcache would track additions and removals of the CasAuthenticationTickets (my understanding) and essentially remove the sessions of users when CAS sends the logout events to the given clients.
I've built the patch using renamed versions of the classes (so that they could be used instead of the existing classes). I've attached a zip of the maven build.
I'm having trouble wiring this all up. I built a maven project to configure the patch, and got it building, but I'm not 100% sure I'm doing things right. My first question for the group is, has anyone successfully integrated CAS and Spring Security 2.0.x with a Logout filter that performs single-sign-out? I see that this isn't yet built in, and since all I could come up with comes from wiki and blog entries, I'm not 100% comfortable with any approach.
My configuration is using the auto configuration approach. The snippet of the sign-on config as it stands is in autoconfig.txt.
I have attached the (non-working) snippet I'm attempting to use to configure the logout filter as ticketcache.txt.
While reading the JavaDoc of the patch, I saw that the JavaDoc of the CasProcessingFilter wanted me to mount it using FilterToBeanProxy, but it's deprecated. So I saw that it was replaced by the DelegatingFilterProxy, which is mounting our Spring Security. How would I hook this in? I was thinking the LogoutFilter above, which would hopefully replace the LOGOUT_FILTER position with the patched version.
I also became confused when I saw that there is a committed EhCache for Tickets, and wondered if this patch is duplicating functionality.
So, bottom line, I'm looking for steps in the right direction here, and am not sure exactly how to proceed. Any help would be appreciated, especially a functioning sample of CAS client authentication coupled with single-sign-out functionality.
Let me know if I can post more information; I'll sanitize and post what I have.
Thank you,
Ken
Ken Rimple
Chariot Solutions
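
The ticket-to-session tracking the post describes, sketched as an added example; it is not part of the original post, the SEC-748 patch, or Spring Security. It uses a plain map instead of Ehcache. The class name, method names and sample ticket are hypothetical, and it assumes CAS delivers logout as a SAML `LogoutRequest` whose `SessionIndex` carries the service ticket.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Hypothetical ticket-to-session registry; not Spring Security or CAS client code. */
public class SingleSignOutRegistry {
    private static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    // Service ticket -> callback that invalidates the local session created with it.
    private final Map<String, Runnable> sessionsByTicket = new ConcurrentHashMap<>();

    /** Call after a service ticket validates and the local session is created. */
    public void register(String serviceTicket, Runnable invalidateSession) {
        sessionsByTicket.put(serviceTicket, invalidateSession);
    }

    /** Call from a session-destroyed listener so the map does not grow without bound. */
    public void forget(String serviceTicket) {
        sessionsByTicket.remove(serviceTicket);
    }

    /** Handles the body of CAS's back-channel "logoutRequest" POST parameter. */
    public boolean handleLogoutRequest(String logoutRequestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The request arrives from the network: refuse DTDs so entities cannot be expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(logoutRequestXml)));
        NodeList idx = doc.getElementsByTagNameNS(SAMLP, "SessionIndex");
        if (idx.getLength() == 0) return false;
        Runnable invalidate = sessionsByTicket.remove(idx.item(0).getTextContent().trim());
        if (invalidate == null) return false;   // unknown or already-expired ticket
        invalidate.run();
        return true;
    }

    public static void main(String[] args) throws Exception {
        SingleSignOutRegistry registry = new SingleSignOutRegistry();
        registry.register("ST-1-constructed", () -> System.out.println("session invalidated"));
        // Constructed sample in the shape CAS posts to each registered service on logout.
        String xml = "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP + "\" ID=\"LR-1\" Version=\"2.0\">"
                + "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex></samlp:LogoutRequest>";
        System.out.println(registry.handleLogoutRequest(xml));  // known ticket
        System.out.println(registry.handleLogoutRequest(xml));  // replay: ticket already removed
    }
}
```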



