[cas-dev] CAS logout
Scott Battaglia
scott_battaglia at rutgers.edu
Wed Jul 26 23:53:27 EDT 2006
Jennifer,
The ticket issued at initial sign on is used to enable a single sign on
session. Each time an application is redirected to CAS, that ticket is
used to grant ServiceTickets which individual applications validate to
receive the principal. Service Tickets are one-time-use and are
generated for a specific service. More information on our protocols and
architecture can be found here:
http://www.ja-sig.org/products/cas/overview/index.html
Yes, it is possible to run CAS in non-SSL mode, though obviously we
don't recommend that :-). I believe the only thing you would be
required to change is in the cas-servlet.xml. There are two cookie
generators that have their secure property set to true. These would need
to be changed to false. If you're doing proxying, then the
HttpBasedServiceCredentialsAuthenticationHandler would also need a
property set to false in order to allow proxy URLs without https.
-Scott
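A constructed model (added here, not JA-SIG CAS code) of the flow described above: the SSO session issues one-time, service-bound service tickets, a CASified application keeps the principal in its own session after one validation, and a logout over http never carries the Secure cookie, so the SSO session survives. Service URLs and the principal name are made up.

```python
import secrets
# Constructed model of the CAS flow described in this thread; not JA-SIG CAS code.
class CasServer:
    def __init__(self):
        self.sso_sessions = {}     # TGT (value of the Secure cookie) -> principal
        self.service_tickets = {}  # ST -> (principal, service); one-time-use
    def login(self, principal):
        tgt = "TGT-" + secrets.token_hex(8)
        self.sso_sessions[tgt] = principal
        return tgt
    def grant_service_ticket(self, tgt, service):
        # /cas/login?service=...: a live SSO session yields an ST without a prompt;
        # no session (None) means the user is asked for credentials again.
        principal = self.sso_sessions.get(tgt)
        if principal is None:
            return None
        st = "ST-" + secrets.token_hex(8)
        self.service_tickets[st] = (principal, service)
        return st
    def validate(self, st, service):
        # /cas/serviceValidate: the ST is consumed on first use and bound to one service.
        entry = self.service_tickets.pop(st, None)
        return None if entry is None or entry[1] != service else entry[0]
    def logout(self, cookie):
        # /cas/logout kills the SSO session named by the cookie, never application sessions.
        self.sso_sessions.pop(cookie, None)

class CasifiedApp:
    # Like CASFilter: once validated, the principal stays in the app session; CAS is not re-consulted.
    def __init__(self, cas, service):
        self.cas, self.service, self.session = cas, service, {}
    def request(self, tgt):
        if "principal" in self.session:
            return self.session["principal"]
        st = self.cas.grant_service_ticket(tgt, self.service)
        principal = self.cas.validate(st, self.service) if st else None
        if principal:
            self.session["principal"] = principal
        return principal

def scenario(logout_scheme):
    # Jennifer's steps 1-5; returns (jsp-examples still open, servlet-examples re-prompted)
    cas = CasServer()
    jsp = CasifiedApp(cas, "https://host/jsp-examples")
    srv = CasifiedApp(cas, "https://host/servlet-examples")
    tgt = cas.login("jennifer")
    jsp.request(tgt)
    # The Secure cookie is only sent over https; over http /cas/logout sees no cookie.
    cas.logout(tgt if logout_scheme == "https" else None)
    return jsp.request(tgt) is not None, srv.request(tgt) is None
```

With `scenario("https")` the already-validated app stays open and the new app prompts for login; with `scenario("http")` neither happens, which is the behaviour reported in the thread.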
Jennifer Yang wrote:
> I must have used http. I thought I tried https. :-)
> It works with https. Thank you!!
>
> Out of curiosity, how does CAS validate multiple apps? Initially, I
> thought it validated the ticket issued at initial sign on, but looking
> at the log, it seems to issue a different ticket for each app.
>
> Another question. Is there any way to run CAS in non-SSL mode?
>
> Thanks,
> --Jennifer
>
> On 7/26/06, *Scott Battaglia* <scott_battaglia at rutgers.edu> wrote:
>
> Logging out of CAS is designed to kill your single sign on session (not
> your individual application sessions) so that if you try and access
> another CASified application (that you haven't logged into yet) you will
> be prompted for your credentials again.
>
> CAS uses secure cookies however, so if you access the Logout page via
> http instead of https your cookie will not be destroyed as it was never
> sent to the server.
>
> -Scott
>
>
> Kris Melotte wrote:
> > Is there a difference regarding logout when you are using http versus
> > https?
> >
> > I thought that the fact you can still login after the logout to an
> > (authenticated) application is because the JA-SIG client does not check
> > anymore with the CAS server after validation of the initial ticket.
> >
> > As the authentication information is already in the session of the SSO
> > authenticated application, the filter will pass you through without
> > checking again with the CAS server if the SSO is still valid.
> >
> > I thought that this behavior was the reason why the cas logout page
> > mentions to "exit your browser for security reasons"?
> >
> > Regards,
> > Kris
> >
> > -----Original Message-----
> > From: cas-dev-bounces at tp.its.yale.edu
> > [mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> > Sent: Wednesday, July 26, 2006 2:16 PM
> > To: Mailing list for CAS developers
> > Subject: Re: [cas-dev] CAS logout
> >
> > Jennifer,
> >
> > Did you access the logout page via http or https?
> >
> > -Scott
> >
> > Jennifer Yang wrote:
> >
> >
> >> Hello,
> >>
> >> I am trying to implement logout.
> >>
> >> I found the following thread, but I am not seeing the same behavior.
> >> http://tp.its.yale.edu/pipermail/cas/2005-February/001010.html
> >>
> >> According to this, hitting /cas/logout should prevent the previously
> >> authenticated user from accessing another webapp without signing on
> >> again. Here is what I tried and the behavior.
> >>
> >> I have two webapps (using jsp-examples and servlet-examples supplied
> >> by Tomcat) both set up to use CASFilter.
> >>
> >> 1. I enter one of the jsp-examples url in the browser.
> >> 2. I get the JA-SIG login page and I log in successfully.
> >> 3. I get redirected to the jsp-examples I was trying to access in step 1.
> >> 4. I logoff via /cas/logout and get a JA-SIG "successfully logged off".
> >> 5. I enter one of the servlet-examples (a different webapp from step
> >> 1). I expected to get another JA-SIG login page, but I get my
> >> servlet-examples without being re-authenticated.
> >>
> >> Am I missing something?
> >>
> >> Also, what is the best way to implement single-sign-out?
> >>
> >> Thanks very much!
> >> --Jennifer
> >> _______________________________________________
> >> cas-dev mailing list
> >> cas-dev at tp.its.yale.edu <mailto:cas-dev at tp.its.yale.edu>
> >> http://tp.its.yale.edu/mailman/listinfo/cas-dev