I am struggling to log off from my application successfully unless I also log off fully from the CAS server.
After attempting to log off from my app I can still see all pages. The pages are not secured until I go to https://localhost:8443/casldap/logout.

I am using spring-security-2.0.4 and cas-client-3.1.3, authenticating against a CAS server at version 3.3.

I login successfully to CAS. To logout I go to
http://localhost:7070/dfweb/j_spring_security_logout
or
http://localhost:7070/dfweb/logout.htm

This hits the LogoutController and then I am presented with the expected page which provides me with a link for Single Sign off: https://localhost:8443/casldap/logout

I have expanded my LogoutController with various gumpf all to no avail:
Code:
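/**
 * Ends the application-side login and renders the "logout" view.
 *
 * Expires the remember-me cookie, clears the Spring Security context and
 * invalidates the HTTP session if one exists. Nothing here contacts the CAS
 * server: the CAS single sign-on session is separate from this application's
 * session, so the next request to a protected URL is redirected to CAS and,
 * while that SSO session is still alive, signed in again without a prompt.
 * Ending the SSO session requires a visit to the CAS logout URL.
 *
 * @param aRequest  current request; its session (if any) is invalidated
 * @param aResponse current response; receives the expiring remember-me cookie
 * @return the "logout" view
 * @throws Exception declared by the overridden controller method
 */
protected ModelAndView handleRequestInternal(HttpServletRequest aRequest,
      HttpServletResponse aResponse) throws Exception
  {
    // Expire the remember-me cookie. A browser only discards a stored cookie
    // when the name and path of the expiring cookie match, so the path is set
    // explicitly instead of relying on the default derived from the request URL.
    // Assumes the cookie was issued on the context path - confirm if a custom
    // path is configured for remember-me.
    Cookie terminate = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, null);
    String contextPath = aRequest.getContextPath();
    terminate.setPath(contextPath != null && contextPath.length() > 0 ? contextPath : "/");
    terminate.setMaxAge(0);
    aResponse.addCookie(terminate);

    // Drop the authentication from the context bound to this thread first, so
    // nothing later in this request still sees the user as logged in.
    SecurityContext securityContext = SecurityContextHolder.getContext();
    securityContext.setAuthentication(null);

    // getSession(false): never create a session just to destroy it.
    HttpSession session = aRequest.getSession(false);
    if (session != null)
    {
        // Invalidating the session also discards the security context stored in it.
        session.invalidate();
    }

    SecurityContextHolder.clearContext();
    return new ModelAndView("logout");
  }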
My security.xml is:
Code:
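<?xml version="1.0" encoding="UTF-8"?>

<!--
  Spring Security 2.0 configuration for an application that authenticates
  against a CAS server.

  Two sessions are involved: the local HTTP session of this application and
  the single sign-on session held by the CAS server. Logging out here ends
  only the local session; the CAS session lives on until the browser visits
  the CAS logout URL.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <sec:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="true">
        <!-- Rules are evaluated in order and the first matching pattern wins. -->

        <!--
          The logout landing page must be reachable without a login. It is both
          the logout-success-url and the authenticationFailureUrl below; if it
          fell under the catch-all rule, a user who has just logged out (or
          failed to log in) would be sent straight back to CAS and, with the
          CAS session still alive, be signed in again without a prompt.
        -->
        <sec:intercept-url pattern="/logout.htm" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <!--
          DWR endpoints are open to anonymous users. web.xml enables the DWR
          debug init-param, so confirm that nothing sensitive is exported
          through DWR and that debug is off outside local development.
        -->
        <sec:intercept-url pattern="/dwr/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <!--
          NOTE(review): patterns are matched against the path inside the web
          application. If /dfweb is the context path this rule probably never
          matches and the catch-all below does the work. Confirm.
        -->
        <sec:intercept-url pattern="/dfweb/**" access="ROLE_CLERK_BILLIN,ROLE_SYSADMIN" />
        <sec:intercept-url pattern="/**" access="ROLE_CLERK_BILLIN,ROLE_SYSADMIN" />

        <!--
          Local logout only: invalidates the HTTP session and redirects to the
          logout page. The CAS single sign-on session is untouched, so any
          later request to a protected URL is redirected to CAS and accepted
          again silently. To end single sign-on, the browser has to visit
          https://localhost:8443/casldap/logout (the link on the logout page).
        -->
        <sec:logout logout-success-url="/logout.htm" invalidate-session="true"/>
    </sec:http>

    <sec:authentication-manager alias="authenticationManager"/>

    <!-- Handles the callback from CAS that carries the service ticket. -->
    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
        <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <!-- Must stay publicly reachable; see the /logout.htm rule above. -->
        <property name="authenticationFailureUrl" value="/logout.htm"/>
        <property name="defaultTargetUrl" value="/"/>
        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
    </bean>

    <!-- Sends unauthenticated requests to the CAS login page. -->
    <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://localhost:8443/casldap/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="authenticationService" />
        <property name="serviceProperties" ref="serviceProperties" />
        <!-- Service tickets are validated against the CAS server over HTTPS. -->
        <property name="ticketValidator">
          <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://localhost:8443/casldap" />
            <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
            <!--
            <property name="proxyCallbackUrl" value="https://localhost:8443/dfweb/receptor" />
             -->
          </bean>
        </property>
        <!--
          NOTE(review): this looks like the sample value from the documentation.
          Use a value specific to this deployment and keep it out of public
          listings.
        -->
        <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />

    <!--
      The service URL is where CAS redirects the browser with the ticket.
      NOTE(review): it names port 8443, while the application is browsed on
      http://localhost:7070/dfweb. Confirm that both addresses reach the same
      application instance, and that CAS can reach this URL if single sign-out
      callbacks are expected to arrive here.
    -->
    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="https://localhost:8443/dfweb/j_spring_cas_security_check"/>
        <!-- false: an existing CAS single sign-on session is accepted without re-entering credentials. -->
        <property name="sendRenew" value="false"/>
    </bean>

    <bean id="authenticationService" class="uk.co.formfill.dfcommon.service.AuthenticationServiceImpl">
        <constructor-arg ref="userDao" />
    </bean>

    <!--
      NOTE(review): saltSource and passwordEncoder are not referenced by any
      bean in this file; with CAS the password check happens on the CAS server.
      If they are used elsewhere for stored passwords, note that MD5 with the
      username as salt is not adequate for password storage; plan a move to an
      adaptive password hash.
    -->
    <bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
        <property name="userPropertyToUse" value="getUsername" />
    </bean>

    <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
</beans>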
my web.xml is:
Code:
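<?xml version="1.0" encoding="UTF-8"?>
<!--
  Servlet 2.4 deployment descriptor.
  xsi:schemaLocation is a list of "namespace location" pairs separated by
  whitespace, so it names the j2ee namespace followed by the web-app schema.
-->
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <!--  Spring Context Loaders -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/dfweb-security.xml,classpath:config/dfcommon-services.xml,classpath:config/dfcommon-db.xml,classpath:config/dfcommon-dao.xml,/WEB-INF/dfweb-dwr-beans.xml
    </param-value>
  </context-param>

  <!-- Spring Security -->

  <!--
    CAS single sign-out. This filter mapping is declared before the Spring
    Security chain so that it sees ticket requests and CAS logout callbacks
    first; filters run in the order of their mappings.
    NOTE(review): the filter ties a CAS ticket to the session that exists when
    the ticket arrives. If the security chain replaces the session after login
    (session-fixation protection), verify that a CAS logout still invalidates
    the session the user is actually using.
  -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!--  Spring Dispatcher Servlet -->
  <servlet>
    <servlet-name>dfweb</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <!--
    NOTE(review): /j_acegi_cas_security_check is the older Acegi path. The CAS
    service URL in the security configuration ends in
    /j_spring_cas_security_check, which the security filter chain handles, so
    this mapping looks unused. Confirm before removing it.
  -->
  <servlet-mapping>
    <servlet-name>dfweb</servlet-name>
    <url-pattern>/j_acegi_cas_security_check</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>dfweb</servlet-name>
    <url-pattern>*.htm</url-pattern>
  </servlet-mapping>

  <!-- DWR Servlet -->
  <servlet>
    <servlet-name>dwr-servlet</servlet-name>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
    <!--
      Debug mode is meant for development. The security configuration lets
      anonymous users reach /dwr/**, so set this to false anywhere other than
      a local development machine.
    -->
    <init-param>
      <param-name>debug</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>dwr-servlet</servlet-name>
    <url-pattern>/dwr/*</url-pattern>
  </servlet-mapping>

  <!-- Welcome File List -->
  <welcome-file-list>
    <welcome-file>index.htm</welcome-file>
  </welcome-file-list>

  <!-- The 2.4 schema only allows taglib elements inside jsp-config. -->
  <jsp-config>
    <!-- JSTL tag libraries -->
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/c-1_0.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/core_rt</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/c-1_0-rt.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/fmt</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/fmt-1_0.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/fmt_rt</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/fmt-1_0-rt.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/fn</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/fn.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/sql</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/sql-1_0.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/sql_rt</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/sql-1_0-rt.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/xml</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/x-1_0.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>http://java.sun.com/jstl/xml_rt</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/x-1_0-rt.tld</taglib-location>
    </taglib>
    <!-- Tiles Tag Libraries -->
    <taglib>
      <taglib-uri>/tags/struts-tiles</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/struts-tiles.tld</taglib-location>
    </taglib>
    <taglib>
      <taglib-uri>/tags/struts-tiles-el</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/struts-tiles-el.tld</taglib-location>
    </taglib>
    <!-- Spring Tag Library -->
    <taglib>
      <taglib-uri>/tags/spring</taglib-uri>
      <taglib-location>/WEB-INF/taglibs/spring.tld</taglib-location>
    </taglib>
  </jsp-config>

</web-app>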