Fwd: SingleSignout Problems

Scott Battaglia scott.battaglia at gmail.com
Mon Apr 7 20:35:19 EDT 2008 

If you're using Tomcat, you won't see them unless you enable its access log
writing.

Essentially what should happen is that when you log out of CAS it will send
an HTTP POST to each application's service url indicating they should
destroy the session.

-Scott

---------- Forwarded message ----------
From: tedzo <tedzo2003 at yahoo.com>
Date: Mon, Apr 7, 2008 at 8:12 PM
Subject: Re: SingleSignout Problems
To: Yale CAS mailing list <cas at tp.its.yale.edu>


Thanks for your response.
I don't see any POST. But maybe I am not looking at the right place? I tried
catalina.out on the windowsXP setup where I am testing. Should I look
elsewhere?

Thanks for your time.

----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Monday, April 7, 2008 1:43:54 PM
Subject: Re: SingleSignout Problems

Are you seeing POST calls in your Apache logs to the service url?  That
would indicate whether CAS is sending the Single Sign Out message or not.

-Scott

On Mon, Apr 7, 2008 at 3:06 PM, tedzo <tedzo2003 at yahoo.com> wrote:

> I renamed the subject line to better describe the question.
>
> I looked through a document pointed to by another poster (Adam)-
> http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out. This document
> talks about "a callback to each of the services that are registered..."
> Where/How do I register? As of now I have-
> 1. Added the SingleSignOut filter to the web.xml of each webapp (before
> the other 3 filters- Authentication, Validation, Wrapper).
> 2. Added the HttpSessionListener to each webapp's web.xml (before all the
> filters are defined).
> 3. I redirect the user to https://<server>:8443/cas/logout during logout.
>
> Do I need to register for the callback explicitly? I am not sure even if
> the SignOutFilter is being invoked because if I don't call
> session.invalidate() before redirecting to /cas/logout, the session
> continues to be valid. I am missing something here. What is it?
>
> Thanks for your time.
>
> ----- Original Message ----
> From: tedzo <tedzo2003 at yahoo.com>
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Sent: Sunday, April 6, 2008 10:48:31 PM
> Subject: Re: How to get the username (netID)?
>
> Ok, so I am looking at the SingleSignOutFilter and
> SingleSignOutHttpSessionListener and these are per webapp (i.e, defined in
> every webapp's web.xml). Also, the code indicates that the filter
> invalidates the session in the webapp where the user attempted to logout.
> So, I am not sure I understand how this can cause the same user's sessions
> in other webapps to also be destroyed. In short, how can this work?
>
> I am guessing I don't understand how a HttpSessionListener works...
>
> Thanks.
>
> ----- Original Message ----
> From: tedzo <tedzo2003 at yahoo.com>
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Sent: Sunday, April 6, 2008 9:53:37 PM
> Subject: Re: How to get the username (netID)?
>
> Scott,
> Thank you for your response.
>
> Actually, it turned out that I needed to include the other filters too
> (not just the authentication filter, unlike the Yale Client I was used to).
> After I included the ValidationFilter, it worked just fine.
>
> I have now included the SingleZSignoutFilter and the SessionListener in
> order to get SingleSignout working and its not? I added the filter and
> listener to web.xml of 2 webapps. I invalidate the session and redirect to
> /cas/logout when the user chooses to logout in one of the webapps. The
> logout page displays. I assumed at this point that I would be logged out of
> the other webapp too. Thats not hapenning. What am I missing? (I admit, I
> haven't yet searched the archives for mails detailing similar problems...)
>
> Thanks for your time.
>
> Av.
>
> ----- Original Message ----
> From: Scott Battaglia <scott.battaglia at gmail.com>
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Sent: Sunday, April 6, 2008 6:27:01 PM
> Subject: Re: How to get the username (netID)?
>
> Hi,
>
> What order are your filters in?  Our wiki page (which I think you were
> looking at) shows the order they should appear in.  If they're in that
> order, they should work.  At least we haven't noticed any problems so far
> :-)
>
> -Scott
>
> On Sat, Apr 5, 2008 at 2:01 PM, tedzo <tedzo2003 at yahoo.com> wrote:
>
> > Thank you Calcutta for your response.
> >
> > After reading the document a bit more I too realized that I would need
> > the HttpServletRequestWrapper. So, I added that. However I am hitting a
> > weird NullPointerException when I try to get the RemoteUser- Apparantly,
> > getUserPrincipal() is null within HttpServletRequestWrapperFilter.
> >
> > I am not sure what the cause of that would be. Is there an issue with
> > the SSL certificate or something? I was successfully using server 3.06 and
> > Yale client 2.1.1 on this machine and I replaced both with newer versions
> > (3.1.2 and 3.1.1 client). So, I assumed everything should just start
> > working...
> >
> > Exception Status Code : 500
> > Resource : /DXX/login.jsp
> > Error : org.apache.jasper.JasperException: An exception occurred
> > processing JSP
> > page /login.jsp at line 85
> >
> > 82:     System.out.println("2222*****************");
> > 83:         String ticket = request.getParameter("ticket");
> > 84:     System.out.println("3333*****************");
> > 85:         String user = request.getRemoteUser();
> > 86:     System.out.println("4444*****************");
> > 87:         int ec = -1;
> > 88:
> >
> >
> > Stacktrace:
> >
> > org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper
> > .java:524)
> >
> > org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:435)
> > org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
> > org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> > root cause: [java.lang.NullPointerException] :: null
> >
> > org.jasig.cas.client.util.HttpServletRequestWrapperFilter$CasHttpServletRequestW
> > rapper.getRemoteUser(HttpServletRequestWrapperFilter.java:80)
> > org.apache.jsp.login_jsp._jspService(login_jsp.java:1098)
> > org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> >
> > org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:393)
> >
> > GET Query :
> > rdir=%2FDXX%2Fmain.jsp%3Bjsessionid%3D10FA876D949F2C47D450E6055A2DB8
> >
> > 79%3Fticket%3DST-1-bL1W1fQcus4ak3PDc9wi&error=7&ticket=ST-2-c5icFZJZe0LMbAaOATNc
> >
> >
> > 2008-04-05 10:42:38,428 DEBUG [http-8080-2]
> > authentication.AuthenticationFilter:
> > 81     - no ticket and no assertion found
> > 2008-04-05 10:42:38,428 DEBUG [http-8080-2] util.CommonUtils :195     -
> > serviceU
> > rl generated: http://ani.dxx.com:8080/DXX/login.jsp?rdir=%2FDXX%2FW<http://ani.dxx.com:8080/DMM/login.jsp?rdir=%2FDMM%2FW>
> >
> > EB-INF%2Fapplication%2Ferror%2Fexception.jsp%3Frdir%3D%252FDXX%252Fmain.jsp%253B
> >
> > jsessionid%253D10FA876D949F2C47D450E6055A2DB879%253Fticket%253DST-1-bL1W1fQcus4a
> >
> > Thank you for your time.
> >
> >
> > ----- Original Message ----
> > From: Oh Calcutta <ohcalcutta at gmail.com>
> > To: Yale CAS mailing list <cas at tp.its.yale.edu>
> > Sent: Friday, April 4, 2008 11:42:35 PM
> > Subject: Re: How to get the username (netID)?
> >
> >
> > - If you enable HttpServletRequestWrapper filter, then you can do a
> > simple request.getRemoteUser() to get the NetId.
> >
> >
> > tedzo wrote:
> >
> >  Some progress in my quest to use JA-SIG client 3.1.1 and eventually the
> > SingleSignOutFilter...
> > I am trying to get a hold of the username (netId) but have been unable
> > to. It seems that I should be able to get to it using
> > session.getAttribute("_const_cas_assertion_") from my jsp. But that doesn't
> > seem to work.
> >
> > What am I missing?
> >
> > Thanks.
> >
> >
> > ----- Original Message ----
> > From: tedzo <tedzo2003 at yahoo.com> <tedzo2003 at yahoo.com>
> > To: Yale CAS mailing list <cas at tp.its.yale.edu> <cas at tp.its.yale.edu>
> > Sent: Friday, April 4, 2008 10:48:29 PM
> > Subject: Re: Which version of cas to use for SingleSignOut feature?
> >
> >  Ok, I found
> >
> > http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml
> >
> > That document describes 6 different filters (AuthenticationFilter,
> > HttpServletRequestWrapper and so on). I am not sure if I need to configure
> > all the filters or can I get away with just the AuthenticationFilter? In the
> > Yale version I configured just the one filter (CASFilter) for
> > authentication.
> >
> > Any pointers?
> >
> > Thanks.
> >
> > ----- Original Message ----
> > From: tedzo <tedzo2003 at yahoo.com> <tedzo2003 at yahoo.com>
> > To: Yale CAS mailing list <cas at tp.its.yale.edu> <cas at tp.its.yale.edu>
> > Sent: Friday, April 4, 2008 10:22:55 PM
> > Subject: Re: Which version of cas to use for SingleSignOut feature?
> >
> >  That will be a problem :( I guess I will have to move to the newer
> > versions.
> >
> > Is using JA-SIG Java client similar to using the Yale Client? I was
> > looking for a tutorial of some sort that explains configuring/using the
> > JA-SIG Java Client and didn't find any. This doesn't seem to work
> > http://www.ja-sig.org/products/cas/client/client-java/index.html.
> >
> > I am seeing references to cas-client.properites etc and I am not sure
> > how to proceed.
> > For the Yale Java client, I just added the filter info in web.xml and I
> > was off and running....
> >
> > Your help is appreciated.
> >
> > Thanks.
> >
> > ----- Original Message ----
> > From: Adam Rybicki <arybicki at unicon.net> <arybicki at unicon.net>
> > To: Yale CAS mailing list <cas at tp.its.yale.edu> <cas at tp.its.yale.edu>
> > Sent: Friday, April 4, 2008 4:38:01 PM
> > Subject: Re: Which version of cas to use for SingleSignOut feature?
> >
> > Hi,
> >
> > The versions you are using do not support SSOut.  You need CAS Server
> > 3.1.1 or 3.1.2 if you must use a "release" version or 3.2.1-RC1 if you are
> > OK with using a "release candidate" version.
> >
> > Yale CAS client does not support SSOut, but perhaps someone will
> > contribute it.  The JA-SIG CAS Client version 3.1.1 supports SSOut, and
> > that's the latest version available.
> >
> > The earliest versions that should correctly support SSOut are 3.1.1 for
> > CAS Server and 3.1 for JA-SIG CAS Client.
> >
> > Adam
> >
> > tedzo wrote:
> >
> >  Hello all,
> > I am trying to find out which versions of cas server and cas java client
> > I need to use in order to be able to use the SingleSignOut feature. I
> > currently have cas server 3.0.6 and Yale client 2.1.1.
> >
> > - Does it matter which version of client I use?
> > - What are the earliest versions that support the said feature?
> >
> > Thanks.
> >
> > ------------------------------
> > You rock. That's why Blockbuster's offering you one month of Blockbuster
> > Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> > No Cost.
> >
> > ------------------------------
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
> >
> >
> > ------------------------------
> > You rock. That's why Blockbuster's offering you one month of Blockbuster
> > Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> > No Cost.
> >
> >
> > ------------------------------
> > You rock. That's why Blockbuster's offering you one month of Blockbuster
> > Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> > No Cost.
> >
> >
> > ------------------------------
> > You rock. That's why Blockbuster's offering you one month of Blockbuster
> > Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> > No Cost.
> >
> > ------------------------------
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
> >
> >
> >
> > ------------------------------
> > You rock. That's why Blockbuster's offering you one month of Blockbuster
> > Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> > No Cost.
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> ------------------------------
> You rock. That's why Blockbuster's offering you one month of Blockbuster
> Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> No Cost.
>
>
> ------------------------------
> You rock. That's why Blockbuster's offering you one month of Blockbuster
> Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> No Cost.
>
>
> ------------------------------
> You rock. That's why Blockbuster's offering you one month of Blockbuster
> Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
> No Cost.
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>


-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia


------------------------------
You rock. That's why Blockbuster's offering you one month of Blockbuster
Total Access<http://us.rd.yahoo.com/evt=47523/*http://tc.deals.yahoo.com/tc/blockbuster/text5.com>,
No Cost.

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas




-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080407/91b91c6b/attachment.html

More information about the cas mailing list