I implement CAS server 4.0 for SSO. I have 3 apps (Spring web MVC with Spring CAS security) connect to CAS server. I configure CAS server to manage ticket by JPA and check authentication in CAS by username. Currently I'm creating forgot-password function for my apps, my issue now is how to invalidate user cookie/session on CAS server (or logout them) after password has been reset (noted that they can log in by a user and execute forgot password for another user). Can we do it with CAS? Any help will be great appreciate. Thank you guys.
1 Answers
0
votes
I have cas 3.1 implemented and here is what I do:
Controller Method
@RequestMapping(value = "/onCompletePasswordReset.html", method = RequestMethod.GET)
public String completeResetLicense() {
return "redirect:j_spring_security_logout";
}
Spring Security
<http auto-config='true' entry-point-ref="casEntryPoint">
<intercept-url pattern="/**" access="ROLE_ADMINISTRATORS" />
<custom-filter position="CAS_FILTER" ref="casFilter" />
<logout logout-success-url="/j_spring_cas_security_logout" />
<custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
<custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
</http>
<beans:bean id="singleLogoutFilter"
class="org.jasig.cas.client.session.SingleSignOutFilter" />
<beans:bean id="requestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="https://cas_server:8443/cas/logout" />
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout" />
</beans:bean>
