
Thread: Still logged in after logout

  1. #1
    Join Date
    Mar 2008
    Location
    Manchester, UK
    Posts
    44

    Default Still logged in after logout

    I am struggling to successfully log off from my application, unless I log fully off from the CAS server.
    After attempting to log off from my app I can still see all pages. It is not until I go to https://localhost:8443/casldap/logout (the CAS server's own logout) that the pages are secured again.

    I am using spring-security-2.0.4 and cas-client-3.1.3, authenticating against a CAS server at version 3.3.

    I login successfully to CAS. To logout I go to
    http://localhost:7070/dfweb/j_spring_security_logout
    or
    http://localhost:7070/dfweb/logout.htm

    This hits the LogoutController and I am then presented with the expected page, which provides a link for single sign-out: https://localhost:8443/casldap/logout

    I have padded my LogoutController with various extra clean-up steps, all to no avail:
    Code:
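    /**
     * Local (application-only) logout: expires the remember-me cookie, invalidates
     * the HTTP session, drops the thread-bound Spring Security context and renders
     * the "logout" view.
     *
     * None of this touches the CAS single-sign-on session. The entry point in
     * security.xml sends unauthenticated requests to the CAS login URL and
     * serviceProperties has sendRenew=false, so the next protected request is
     * re-authenticated by the CAS server from its own SSO cookie without any
     * prompt, which is why the user appears to be "still logged in". The "logout"
     * view therefore has to offer the CAS logout URL for a full sign-out.
     *
     * When this controller is reached via /j_spring_security_logout, the
     * LogoutFilter registered by auto-config="true" (invalidate-session="true")
     * has presumably already invalidated the session and cleared the context, so
     * the work below is mostly a repeat for that path; it still matters for a
     * direct hit on /logout.htm.
     *
     * @param aRequest  the current request; used to find the session (if any)
     *                  and the context path the remember-me cookie lives under
     * @param aResponse the response the expiring cookie is written to
     * @return the "logout" view
     * @throws Exception propagated from the servlet / Spring API
     */
    protected ModelAndView handleRequestInternal(HttpServletRequest aRequest,
          HttpServletResponse aResponse) throws Exception
      {
        // A browser only replaces an existing cookie when name, domain AND path
        // match. Spring Security's remember-me services issue the cookie under
        // the context path, so an expiring cookie with no Path is stored next to
        // the real one and the remember-me token survives the logout. Use the
        // context path, or "/" for the root context.
        Cookie terminate = new Cookie(TokenBasedRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, null);
        String contextPath = aRequest.getContextPath();
        terminate.setPath((contextPath == null || contextPath.length() == 0) ? "/" : contextPath);
        terminate.setMaxAge(0);
        aResponse.addCookie(terminate);

        // Invalidate the server-side session if there is one; getSession(false)
        // avoids creating a fresh session just to throw it away.
        HttpSession session = aRequest.getSession(false);
        if (session != null)
        {
            session.invalidate();
        }

        // Drop the thread-bound context so the context-integration filter has
        // nothing to persist on the way out (this also nulls the Authentication,
        // so a separate setAuthentication(null) is unnecessary).
        SecurityContextHolder.clearContext();
        return new ModelAndView("logout");
      }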
    My security.xml is:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <!-- Spring Security 2.0 configuration for dfweb, delegating authentication to a
         CAS server at https://localhost:8443/casldap. Reviewer remarks are marked
         NOTE(review). -->
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:sec="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
    
        <!-- Unauthenticated requests are redirected to CAS by the entry point below.
             The CAS server keeps its own SSO session, so the application-level
             logout configured here does not end it: the next protected request is
             bounced to CAS and (with sendRenew=false on serviceProperties) comes
             straight back with a fresh service ticket and no prompt. -->
        <sec:http entry-point-ref="casProcessingFilterEntryPoint" auto-config="true">
            <!-- NOTE(review): DWR endpoints are reachable without authentication, and
                 web.xml runs the DWR servlet with debug=true, which exposes its
                 test/index pages. Confirm this is intended outside development. -->
            <sec:intercept-url pattern="/dwr/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <!-- NOTE(review): intercept-url patterns are matched against the path
                 within the web application (context path excluded). If the app is
                 deployed at /dfweb this pattern is probably never hit, and /** below
                 already covers everything else. -->
            <sec:intercept-url pattern="/dfweb/**" access="ROLE_CLERK_BILLIN,ROLE_SYSADMIN" />
            <sec:intercept-url pattern="/**" access="ROLE_CLERK_BILLIN,ROLE_SYSADMIN" />
            <!-- Local logout only (LogoutFilter at /j_spring_security_logout): clears
                 the session and lands on /logout.htm, which should offer the CAS
                 logout URL so the user can end the SSO session as well. -->
            <sec:logout logout-success-url="/logout.htm" invalidate-session="true"/>
        </sec:http>
    
        <sec:authentication-manager alias="authenticationManager"/>
    
        <!-- Consumes the service ticket CAS sends back to the service URL and hands
             it to the authentication manager. NOTE(review): a ticket validation
             failure is sent to /logout.htm, the same page as a successful logout. -->
        <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
            <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationFailureUrl" value="/logout.htm"/>
            <property name="defaultTargetUrl" value="/"/>
            <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
        </bean>
    
        <!-- Redirects unauthenticated requests to the CAS login page with the
             service URL from serviceProperties. -->
        <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
            <property name="loginUrl" value="https://localhost:8443/casldap/login"/>
            <property name="serviceProperties" ref="serviceProperties"/>
        </bean>
    
        <!-- Validates service tickets against the CAS server over HTTPS and loads
             the local user (roles) through authenticationService. -->
        <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
            <sec:custom-authentication-provider />
        <property name="userDetailsService" ref="authenticationService" />
            <property name="serviceProperties" ref="serviceProperties" />
            <property name="ticketValidator">
              <!-- proxyCallbackUrl is commented out below, so no proxy-granting
                   ticket is requested and this app cannot obtain proxy tickets. -->
              <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://localhost:8443/casldap" />
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
                <!--
                <property name="proxyCallbackUrl" value="https://localhost:8443/dfweb/receptor" />
                 -->
                </bean>
            </property>
            <!-- Identifies this provider in the tokens it creates; it must match the
                 key of no other provider in the manager. -->
            <property name="key" value="an_id_for_this_auth_provider_only"/>
        </bean>
    
        <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
    
        <!-- The service URL must be exactly what CAS is asked to validate the ticket
             for. NOTE(review): the thread accesses the app on http://localhost:7070,
             while the service here is https://localhost:8443; confirm the two agree
             with the deployment. sendRenew=false lets CAS reuse its existing SSO
             session silently; sendRenew=true would force credentials to be
             re-entered on every redirect to CAS, at the cost of SSO. -->
        <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
            <property name="service" value="https://localhost:8443/dfweb/j_spring_cas_security_check"/>
            <property name="sendRenew" value="false"/>
        </bean>
    
        <bean id="authenticationService" class="uk.co.formfill.dfcommon.service.AuthenticationServiceImpl">
          <constructor-arg ref="userDao" />
       </bean>
    
        <!-- NOTE(review): saltSource and passwordEncoder are not referenced by any
             bean visible in this file. If they are used elsewhere, note that MD5
             salted only with the username is a weak password hash. -->
        <bean id="saltSource" class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
          <property name="userPropertyToUse" value="getUsername" />
       </bean>
    
       <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
    </beans>
    my web.xml is:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Deployment descriptor for dfweb (Servlet 2.4). Reviewer remarks are marked
         NOTE(review).
         NOTE(review): xsi:schemaLocation is meant to hold namespace/location pairs;
         the value here is two comma-separated locations (one of them a taglib
         schema). Containers ignore it, but a validating editor will complain. -->
    <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd,
       http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    
      <!--  Spring Context Loaders -->
      <listener>
        <listener-class>
          org.springframework.web.context.ContextLoaderListener
        </listener-class>
      </listener>
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
          /WEB-INF/dfweb-security.xml,classpath:config/dfcommon-services.xml,classpath:config/dfcommon-db.xml,classpath:config/dfcommon-dao.xml,/WEB-INF/dfweb-dwr-beans.xml
        </param-value>
      </context-param>
    
      <!-- Spring Security -->
    
    
      <!-- CAS single sign-out support. This filter does NOT log the user out of
           CAS; it receives the back-channel logout request the CAS server sends to
           each service when the user logs out of CAS, and invalidates the matching
           local session. Keep it mapped before springSecurityFilterChain so that
           callback is handled before Spring Security treats it as a protected
           request. -->
      <filter>
         <filter-name>CAS Single Sign Out Filter</filter-name>
         <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
      </filter>
    
      <filter-mapping>
         <filter-name>CAS Single Sign Out Filter</filter-name>
         <url-pattern>/*</url-pattern>
      </filter-mapping>
    
      <!-- Companion to the filter above: cleans up the CAS client's session
           bookkeeping when the container destroys a session. -->
      <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
      </listener>
    
        <!-- Spring Security filter chain; the springSecurityFilterChain bean is
             created by the <sec:http> element in dfweb-security.xml. -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>springSecurityFilterChain</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    
      <!--  Spring Dispatcher Servlet -->
      <servlet>
        <servlet-name>dfweb</servlet-name>
        <servlet-class>
          org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <!-- NOTE(review): /j_acegi_cas_security_check is the old Acegi name. Spring
           Security 2.0's CasProcessingFilter handles the ticket callback at
           /j_spring_cas_security_check (the service URL in dfweb-security.xml)
           inside the filter chain, so this mapping looks stale. -->
      <servlet-mapping>
        <servlet-name>dfweb</servlet-name>
        <url-pattern>/j_acegi_cas_security_check</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>dfweb</servlet-name>
        <url-pattern>*.htm</url-pattern>
      </servlet-mapping>
    
      <!-- DWR Servlet -->
      <!-- NOTE(review): debug=true exposes DWR's test/index pages, which enumerate
           the remoted classes and methods, and /dwr/** is
           IS_AUTHENTICATED_ANONYMOUSLY in dfweb-security.xml. Set debug to false
           outside development. -->
      <servlet>
        <servlet-name>dwr-servlet</servlet-name>
        <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
        <init-param>
           <param-name>debug</param-name>
           <param-value>true</param-value>
        </init-param>
      </servlet>
      <servlet-mapping>
         <servlet-name>dwr-servlet</servlet-name>
         <url-pattern>/dwr/*</url-pattern>
      </servlet-mapping>
    
      <!-- Welcome File List -->
      <welcome-file-list>
        <welcome-file>index.htm</welcome-file>
      </welcome-file-list>
    
      <!-- JSTL tag libraries -->
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/c-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/core_rt</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/c-1_0-rt.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/fmt</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/fmt-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/fmt_rt</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/fmt-1_0-rt.tld
        </taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/fn</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/fn.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/sql</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/sql-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/sql_rt</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/sql-1_0-rt.tld
        </taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/xml</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/x-1_0.tld</taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>http://java.sun.com/jstl/xml_rt</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/x-1_0-rt.tld</taglib-location>
      </taglib>
      <!-- Tiles Tag Libraries -->
      <taglib>
        <taglib-uri>/tags/struts-tiles</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/struts-tiles.tld
        </taglib-location>
      </taglib>
      <taglib>
        <taglib-uri>/tags/struts-tiles-el</taglib-uri>
        <taglib-location>
          /WEB-INF/taglibs/struts-tiles-el.tld
        </taglib-location>
      </taglib>
      <!-- Spring Tag Library -->
      <taglib>
        <taglib-uri>/tags/spring</taglib-uri>
        <taglib-location>/WEB-INF/taglibs/spring.tld</taglib-location>
      </taglib>
    
    
    </web-app>

  2. #2
    Luke Taylor — Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    Isn't that just what you would expect? CAS is a single sign-on solution, so until you log out of CAS itself you will be able to access everything.

    Presumably you have a new session when you re-enter the application?

  3. #3
    Join Date
    Mar 2008
    Location
    Manchester, UK
    Posts
    44

    Default

    I do indeed have a new session Luke.

    I think my problem is that I was going down a route and I had forgotten the destination.

    Is there a way for an individual application to sign out completely from CAS, so that accessing it again requires logging in to CAS again?

  4. #4
    Luke Taylor — Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    Applications don't really sign out of CAS, users do — so the recommended pattern on logging out of an application is to inform the user that they may still be logged into the SSO system and offer them the CAS logout URL to log out fully. You'll find more on this on the CAS site.

  5. #5
    Join Date
    Mar 2008
    Location
    Manchester, UK
    Posts
    44

    Default

    Sorry, that is my dyslexia. I meant "user" where I said "an individual application" signing out.

    Yep, I have already done that. Thanks.

  6. #6
    Join Date
    Sep 2006
    Location
    Germany
    Posts
    73

    Default

    Using the org.jasig.cas.client.session.SingleSignOutFilter, which listens on /j_spring_security_logout, it should be possible to single sign out.
    [EDIT]
    The SingleSignOutFilter is only responsible for receiving logout requests (the back-channel logoutRequest) from your CAS server, e.g. to invalidate the local session when the user logs out of CAS.

    By using your own (additional) logout filter which, after the local logout, redirects the user to the CAS server's /logout URL, it should be possible to initiate a single sign-out from the application.
    If you pass your app's service URL as a parameter to that logout URL, the user can be redirected back to where they were in your application if they decide to log in again; the CAS server should only honour that redirect for registered services, since an unvalidated logout redirect target is an open redirect.
    Last edited by robertoschwald; Nov 24th, 2008 at 11:18 AM.
