Spring Security / SEC-748

Support and basic implementation for CAS single sign out protocol

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.0.0 RC1
    • Fix Version/s: None
    • Component/s: CAS
    • Labels: None

      Description

      I've seen in SEC-601 that you've added support for the new CAS single sign out protocol, but I guess it's "just" a new client dependency. I think it could be interesting to provide real support for this.

      I have some code I could clean up and submit, including a needed filter for CAS logout process requests supporting different logout strategies, plus a default ehcache-based implementation.

      If you are interested I'll try to post it as soon as I can (hope to make it for 2.0 final...)

          Activity

          Martino Piccinato added a comment -

          My simple use case for this is having several LogoutHandlers that must be called when a user is logging out (or is being logged out), releasing resources and logging the event. I have to pass an Authentication object in order to do this, so what is missing is basically a tiny integration mapping CAS tickets to Spring Security Authentication objects (something that is already provided for the login process) and providing out of the box a Spring Security aware CAS single sign out filter.

          It seems to me that the use of LogoutHandler is an attempt by Spring Security to model a logout process, so this should be the correct way to do that in Spring Security, while, if I'm not wrong, the CAS Single Sign Out filter and HttpSessionListener deal directly with the session, simply invalidating it (and removing it from the session mapping storage).

          In my opinion it just makes sense to provide this small CAS single sign out integration out of the box to complete Spring Security's CAS support and make it more coherent.

          Matthew Fleming added a comment -

          I think the confusion is how to add the logout filter to the XML configuration file. I think Martino thinks the current filter/listener combo isn't real because there aren't any examples of how to set it up with Spring Security on the CAS website. The real issue is that you need to have the logout filter come before the CAS filter in security.xml, or before the filter chain invocation in web.xml. The way I do it is in security.xml.

          Fine grained config:
          <bean id="securityFilter" class="org.springframework.security.util.FilterChainProxy">
          <sec:filter-chain pattern="/**" filters="channelProcessingFilter,httpSessionContextIntegrationFilter,logoutFilter,casSingleSignOutFilter,casProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
          </bean>
          <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

          Default config:
          <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
          <sec:custom-filter before="CAS_PROCESSING_FILTER"/>
          </bean>

          Then you also need to add the listener to your web.xml. The listener maps the service tickets to the HttpSession.

          Hope this helps.

          -Matt

          Scott Battaglia added a comment -

          Matt,

          Thanks for the configuration (somehow I missed that). I'll add that documentation as well as the specific Spring example (though you can also do it completely by putting stuff in the web.xml also IIRC).

          Cheers,
          Scott

          Luke Taylor added a comment -

          I think the original request was to be able to add extra customization to the logout process, which isn't too easy with the SingleSignOutFilter. One possible way would be to decorate the SessionMappingStorage instance to customize the removal process. Alternatively, perhaps the filter could provide an additional hook. What do you think Scott?

          As Scott says, I'd prefer to avoid adding extra functionality into Spring Security which is already provided by the CAS client.

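One way to do what Luke suggests, as an added example that is not part of this thread, the CAS client, or Spring Security: a decorator over the CAS client's SessionMappingStorage that recovers the Spring Security Authentication from the session the CAS server is logging out, which is the ticket-to-Authentication mapping Martino and Rob describe as missing. It assumes the jasig CAS client 3.x SessionMappingStorage interface and Spring Security 3.x package names (the 2.0 names differ); SingleSignOutListener is a hypothetical hook, and wiring the decorator into SingleSignOutFilter and the session listener is left to the CAS client configuration.

```java
import java.util.List;
import javax.servlet.http.HttpSession;
import org.jasig.cas.client.session.SessionMappingStorage;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/** Decorates the CAS client's SessionMappingStorage so a back-channel single sign out becomes
 *  Spring Security aware: the Authentication in the doomed session is handed to listeners. */
public class AuthenticationAwareSessionMappingStorage implements SessionMappingStorage {
    /** Hypothetical hook, not a CAS client or Spring Security interface. */
    public interface SingleSignOutListener {
        void onSingleSignOut(Authentication authentication, HttpSession session);
    }
    private final SessionMappingStorage delegate;
    private final List<SingleSignOutListener> listeners;

    public AuthenticationAwareSessionMappingStorage(SessionMappingStorage delegate, List<SingleSignOutListener> listeners) {
        this.delegate = delegate;
        this.listeners = listeners;
    }

    public void addSessionById(String mappingId, HttpSession session) {
        delegate.addSessionById(mappingId, session);   // mappingId is the CAS service ticket
    }

    public void removeBySessionById(String sessionId) {
        delegate.removeBySessionById(sessionId);       // local logout or timeout: drop the mapping
    }
    // SingleSignOutFilter calls this with the logoutRequest ticket and invalidates the returned
    // session afterwards, so its attributes are still readable here.
    public HttpSession removeSessionByMappingId(String mappingId) {
        HttpSession session = delegate.removeSessionByMappingId(mappingId);
        if (session != null) {   // unknown or already-removed ticket: notify nobody
            Authentication authentication = extractAuthentication(session);
            for (SingleSignOutListener listener : listeners) {
                listener.onSingleSignOut(authentication, session);
            }
        }
        return session;
    }

    private static Authentication extractAuthentication(HttpSession session) {
        try {   // a concurrently invalidated session makes getAttribute throw IllegalStateException
            Object ctx = session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
            return ctx instanceof SecurityContext ? ((SecurityContext) ctx).getAuthentication() : null;
        } catch (IllegalStateException alreadyInvalidated) {
            return null;
        }
    }
}
```

The listeners receive the Authentication but not the user's request, because the logoutRequest comes from the CAS server and not from the user's browser; handlers that need the user's HttpServletRequest cannot be driven from this path.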
          Rob Winch added a comment -

          Documentation and an example of how to support Single Logout with CAS has been implemented. This bug is still open because it still does not integrate with Spring Security's Authentication object.


            People

            • Assignee: Unassigned
            • Reporter: Martino Piccinato
            • Votes: 5
            • Watchers: 5