CAS Single LogOut(SLO) not working - CAS 4.2.3

1
votes

I am having issues with Single LogOut in CAS. I am using CAS server 4.2.3 and Spring 3.2. My client casified applications are configured on spring security. Followed the following documentation, http://docs.spring.io/spring-security/site/docs/3.2.9.RELEASE/reference/htmlsingle/#cas-singlelogout

I have 2 cas client web application. When I logout from one of the cas client web application, and refresh the page in the 2nd cas client application which I already logged in (in the same browser in a different tab), I would think that the login page would show up as I already did a single LogOut from the 1st cas client application. But it doesn't work.

I am not sure what I am missing. I have posted the code snippet of web.xml, spring-security.xml, logout.jsp and cas.log

Any help or pointers is greatly appreciated.

web.xml

<filter>
    <filter-name>characterEncodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>characterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

spring-security.xml

<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
    <property name="service" value="https://<hostname>:8444/WebApp3/j_spring_cas_security_check" />
    <property name="sendRenew" value="false" />
</bean>

<sec:http use-expressions="true" entry-point-ref="casEntryPoint">
    <sec:intercept-url pattern="/login/*" access="permitAll()" />
    <sec:intercept-url pattern="/lib/**" access="permitAll()" />
    <sec:intercept-url pattern="/**" access="isAuthenticated()" />
    <sec:form-login login-page="/ingress.do" default-target-url="/ingress.do" always-use-default-target="false"
        authentication-failure-url="/login.jsp" />

    <sec:logout logout-success-url="/logout.jsp" />
    <sec:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
    <sec:custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    <sec:custom-filter position="CAS_FILTER" ref="casFilter" />

</sec:http>

<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />

<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="https://<hostname>/cas/logout" />
    <constructor-arg>
        <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logout/cas" />
</bean>

<bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="loginUrl" value="https://<hostname>/cas/login" />
    <property name="serviceProperties" ref="serviceProperties" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="casAuthenticationProvider" />
</sec:authentication-manager>

<bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <property name="authenticationUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <constructor-arg ref="userService" />
        </bean>
    </property>
    <property name="serviceProperties" ref="serviceProperties" />
    <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <constructor-arg index="0" value="https://<hostname>/cas" />
        </bean>
    </property>
    <property name="key" value="an_id_for_this_auth_provider_only" />
</bean>

<bean id="userService" class="org.hpi.iris.services.CustomUserDetailsService" />

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="/" />
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
        </list>
    </constructor-arg>
</bean>

<bean id="servletContext" class="org.springframework.web.context.support.ServletContextFactoryBean" />

<bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="casEntryPoint" />
</bean>

<bean id="wrappingFilter" class="org.jasig.cas.client.util.HttpServletRequestWrapperFilter" />

logout.jsp

<a href="logout/cas">Logout of in all applications</a>

cas.log

2016-09-19 15:47:09,995 DEBUG [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-qFurZ54zaXVbviIalCkZ93lDbYuBAT6m5qE" Version="2.0" IssueInstant="2016-09-19T15:47:09Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname></samlp:SessionIndex></samlp:LogoutRequest>]
2016-09-19 15:47:09,995 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Sending logout request for: [https://<hostname>:8444/WebApp3/j_spring_cas_security_check]
2016-09-19 15:47:10,000 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Prepared logout message to send is [org.jasig.cas.logout.LogoutManagerImpl$LogoutHttpMessage@1771cadc[url=https://<hostname>:8444/WebApp3/j_spring_cas_security_check,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-qFurZ54zaXVbviIalCkZ93lDbYuBAT6m5qE" Version="2.0" IssueInstant="2016-09-19T15:47:09Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname></samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded]]
2016-09-19 15:47:10,068 DEBUG [org.jasig.cas.logout.LogoutManagerImpl] - Captured logout request [org.jasig.cas.logout.DefaultLogoutRequest@655231e3[ticketId=ST-2-Ag6SgNIyvMUGT9mKNkEo-<hostname>,service=https://<hostname>:8444/WebApp3/j_spring_cas_security_check,status=SUCCESS]]
2016-09-19 15:47:10,069 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,071 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-**********************************************lfaFE4hhow-<hostname>] found in registry.
2016-09-19 15:47:10,072 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing children of ticket [TGT-**********************************************lfaFE4hhow-<hostname>] from the registry.
2016-09-19 15:47:10,084 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [TGT-**********************************************lfaFE4hhow-<hostname>] from the registry.
2016-09-19 15:47:10,099 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Publishing org.jasig.cas.support.events.CasTicketGrantingTicketDestroyedEvent@b348523[ticketGrantingTicket=TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Trying to see if target's return value is instance of [Assertion]...
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Resolving principal from the delegate principal resolver: [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver@3d5cf9c4]...
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Resolving argument [String] for audit
2016-09-19 15:47:10,100 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-**********************************************lfaFE4hhow-<hostname>]
2016-09-19 15:47:10,101 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [TGT-**********************************************lfaFE4hhow-<hostname>] by type [Ticket] cannot be found in the ticket registry.
2016-09-19 15:47:10,109 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - Could not locate ticket [TGT-**********************************************lfaFE4hhow-<hostname>] in the registry
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver] - Meaningful principal id could not be resolved by [org.jasig.cas.audit.spi.AssertionAsReturnValuePrincipalResolver@4dafaeaa]. Returning [audit:unknown]...
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.web.support.TGCCookieRetrievingCookieGenerator] - Removed cookie with name [TGC]
2016-09-19 15:47:10,110 DEBUG [org.jasig.cas.web.WarningCookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
2016-09-19 15:47:10,118 DEBUG [org.jasig.cas.services.web.RegisteredServiceThemeBasedViewResolver] - View resolved: /WEB-INF/view/jsp/default/ui/casLogoutView.jsp
2016-09-19 15:47:10,179 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Connecting socket to <hostname>/<hostip>:8444 with timeout 5000
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-09-19 15:47:10,181 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Starting handshake
2016-09-19 15:47:10,205 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] - Secure session established
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  negotiated protocol: TLSv1.2
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  peer principal: CN=<hostname>, OU=HPI, O=HP, L=Bloomington, ST=MN, C=US
2016-09-19 15:47:10,206 DEBUG [org.jasig.cas.authentication.FileTrustStoreSslSocketFactory] -  issuer principal: CN=<hostname>, OU=HPI, O=HP, L=Bloomington, ST=MN, C=US
2016-09-19 15:47:31,024 DEBUG [org.jasig.cas.util.CasSpringBeanJobFactory] - Created job org.jasig.cas.services.DefaultServicesManagerImpl$ServiceRegistryReloaderJob@4340fcf7 for bundle org.quartz.spi.TriggerFiredBundle@8f5988b
1
javaspring-securitylogoutcasjasig

1 Answers

2
votes

Apparently I figured out an answer for the question where I logout out of one CAS client, the other CAS client doesn't get logged out. For this to happen, CAS server needs to understand all the registered services.

I thought that CAS service management tool was responsible for doing this. However, that did not work for me. It looks like CAS management service doesn't do it. In spite of installing a service management tool and linking it to my CAS server did not work.

I had to go a step further and add few configuration files related to RegexRegisteredService. Thought this configuration is present in service management tool, CAS server doesn't seem to recognize that, like I mentioned before. Hence, I had to copy those files from service management tool to CAS server. In CAS server, i placed it in the following location, ../WEB-INF/classes/services. The file name is usually like AppName-UniqueID.json

The json file would look something like this,

{
"@class" : "org.jasig.cas.services.RegexRegisteredService",
"serviceId" : "https://<hostname>/AppName/j_spring_cas_security_check",
"name" : "App Name",
"id" : 7042148554761,
"logoutType" : "BACK_CHANNEL",
"logoutUrl" : "https://<hostname>/AppName/<Logout URL>"
}

Remember, you need to have separate file for each cas client application.

Once I did this step, I was able to see the response from CAS server, when i logout from 1 CAS client, in other CAS client console. Now, the rest of the work needs to be done in the CAS client side to recognize this logout action from CAS and logout the local session, which is what I am working on now.

I am new to CAS. In my experience, I found the CAS documentation little vague. It probably needs little more clarity.