1
votes

I'm using Grails with Spring Security and the JA-SIG CAS Spring Security plugin.

One way I get this problem is when I have logged into the CAS server and I restart my application.

Another way is if I log into another application via the same CAS server and then, when I access my application, Spring reports me as being logged out. If I try and go to a secured page then the login controller sends the browser into the same redirect loop.

I can observe a stream of GET requests to the CAS server, which is redirecting back to the application.

Basically the problem is that Spring Security isn't aware that I've already logged in to the CAS server, so it bounces back to the CAS server, which says I'm logged in and bounces back to the app.

I'm also using the single sign out. One workaround is to force a renew login when the application thinks someone is not logged in but it's not really a satisfactory solution.

1 Answer

1
votes

Basically the problem is that Spring Security isn't aware that I've already logged in to the CAS server, so it bounces back to the CAS server, which says I'm logged in and bounces back to the app.

Check PreAuthentication docs. You'd have to implement a pre-auth-filter to let Spring know of an external authentication.