Fwd: SingleSignout Problems

Tue Apr 8 03:35:49 EDT 2008

Ok, big screw up from my side (I was logging into one server and logging out of another server :-B ). Everything is working as expected.

Thanks Scott (and others that answered), as always for your time and effort. Greatly appreciated.

----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Monday, April 7, 2008 7:23:19 PM
Subject: Re: Fwd: SingleSignout Problems

Single Sign Out isn't going to do anything until your user goes to /cas/logout

-Scott

On Mon, Apr 7, 2008 at 9:28 PM, tedzo <tedzo2003 at yahoo.com> wrote:
I am not sure how to enable access log writing. I will look it up.

I am not sure I understand what you mean when you say
"..it will send an HTTP POST to each application's service url indicating they should destroy the session"

Say 
- I access /app1/page-1.jsp
- Then I access /app2/page2.jsp
- I hit logout from page2.jsp

I am going to get a POST to /app1/page-1.jsp and /app2/page2.jsp? And these apps are responsible for destroying the session? I thought the SignOutFilter would take care of destroying the session...

The only thing I see now are these (a few of them)-

2008-04-07 18:12:37,431 DEBUG [http-8080-3] authentication.AuthenticationFilter
99     - removing gateway attribute from session

Nothing else from CAS.  

Ideas?

Thank you for your time.

----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>

Sent: Monday, April 7, 2008 5:35:19 PM
Subject: Fwd: SingleSignout Problems

If you're using Tomcat, you won't see them unless you enable its access log writing.

Essentially what should happen is that when you log out of CAS it will send an HTTP POST to each application's service url indicating they should destroy the session.

-Scott

---------- Forwarded message ----------
From: tedzo <tedzo2003 at yahoo.com>
Date: Mon, Apr 7, 2008 at 8:12 PM
Subject: Re: SingleSignout Problems
To: Yale CAS mailing list <cas at tp.its.yale.edu>

Thanks for your response.
I don't see any POST. But maybe I am not looking at the right place? I tried catalina.out on the windowsXP setup where I am testing. Should I look elsewhere?

Thanks for your time.

----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>

Sent: Monday, April 7, 2008 1:43:54 PM
Subject: Re: SingleSignout Problems

Are you seeing POST calls in your Apache logs to the service url?  That would indicate whether CAS is sending the Single Sign Out message or not.

-Scott

On Mon, Apr 7, 2008 at 3:06 PM, tedzo <tedzo2003 at yahoo.com> wrote:
I renamed the subject line to better describe the question.

I looked through a document pointed to by another poster (Adam)- http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out. This document talks about "a callback to each of the services that are registered..." Where/How do I register? As of now I have-
1. Added the SingleSignOut filter to the web.xml of each webapp (before the other 3 filters- Authentication, Validation, Wrapper).
2. Added the HttpSessionListener to each webapp's web.xml (before all the filters are defined).
3. I redirect the user to https://<server>:8443/cas/logout during logout.

Do I need to register for the callback explicitly? I am not sure even if the SignOutFilter is being invoked because if I don't call session.invalidate() before redirecting to /cas/logout, the session continues to be valid. I am missing something here. What is it?

Thanks for your time.

----- Original Message ----
From: tedzo <tedzo2003 at yahoo.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Sunday, April 6, 2008 10:48:31 PM
Subject: Re: How to get the username (netID)?

Ok, so I am looking at the SingleSignOutFilter and SingleSignOutHttpSessionListener and these are per webapp (i.e, defined in every webapp's web.xml). Also, the code indicates that the filter invalidates the session in the webapp where the user attempted to logout. So, I am not sure I understand how this can cause the same user's sessions in other webapps to also be destroyed. In short, how can this work?

I am guessing I don't understand how a HttpSessionListener works...

Thanks.

----- Original Message ----
From: tedzo <tedzo2003 at yahoo.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Sunday, April 6, 2008 9:53:37 PM
Subject: Re: How to get the username (netID)?

Scott,
Thank you for your response.

Actually, it turned out that I needed to include the other filters too (not just the authentication filter, unlike the Yale Client I was used to). After I included the ValidationFilter, it worked just fine.

I have now included the SingleZSignoutFilter and the SessionListener in order to get SingleSignout working and its not? I added the filter and listener to web.xml of 2 webapps. I invalidate the session and redirect to /cas/logout when the user chooses to logout in one of the webapps. The logout page displays. I assumed at this point that I would be logged out of the other webapp too. Thats not hapenning. What am I missing? (I admit, I haven't yet searched the archives for mails detailing similar problems...)

Thanks for your time.

Av.

----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Sunday, April 6, 2008 6:27:01 PM
Subject: Re: How to get the username (netID)?

Hi,

What order are your filters in?  Our wiki page (which I think you were looking at) shows the order they should appear in.  If they're in that order, they should work.  At least we haven't noticed any problems so far :-)

-Scott

On Sat, Apr 5, 2008 at 2:01 PM, tedzo <tedzo2003 at yahoo.com> wrote:
Thank you Calcutta for your response.

After reading the document a bit more I too realized that I would need the HttpServletRequestWrapper. So, I added that. However I am hitting a weird NullPointerException when I try to get the RemoteUser- Apparantly, getUserPrincipal() is null within HttpServletRequestWrapperFilter.

I am not sure what the cause of that would be. Is there an issue with the SSL certificate or something? I was successfully using server 3.06 and Yale client 2.1.1 on this machine and I replaced both with newer versions (3.1.2 and 3.1.1 client). So, I assumed everything should just start working...

Exception Status Code : 500
Resource : /DXX/login.jsp
Error : org.apache.jasper.JasperException: An exception occurred processing JSP
page /login.jsp at line 85

82:     System.out.println("2222*****************");
83:         String ticket = request.getParameter("ticket");
84:     System.out.println("3333*****************");
85:         String user = request.getRemoteUser();
86:     System.out.println("4444*****************");
87:         int ec = -1;
88:

Stacktrace:
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper
.java:524)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:435)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
root cause: [java.lang.NullPointerException] :: null
org.jasig.cas.client.util.HttpServletRequestWrapperFilter$CasHttpServletRequestW
rapper.getRemoteUser(HttpServletRequestWrapperFilter.java:80)
org.apache.jsp.login_jsp._jspService(login_jsp.java:1098)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:393)

GET Query : rdir=%2FDXX%2Fmain.jsp%3Bjsessionid%3D10FA876D949F2C47D450E6055A2DB8
79%3Fticket%3DST-1-bL1W1fQcus4ak3PDc9wi&error=7&ticket=ST-2-c5icFZJZe0LMbAaOATNc

2008-04-05 10:42:38,428 DEBUG [http-8080-2] authentication.AuthenticationFilter:
81     - no ticket and no assertion found
2008-04-05 10:42:38,428 DEBUG [http-8080-2] util.CommonUtils :195     - serviceU
rl generated: http://ani.dxx.com:8080/DXX/login.jsp?rdir=%2FDXX%2FW
EB-INF%2Fapplication%2Ferror%2Fexception.jsp%3Frdir%3D%252FDXX%252Fmain.jsp%253B
jsessionid%253D10FA876D949F2C47D450E6055A2DB879%253Fticket%253DST-1-bL1W1fQcus4a

Thank you for your time.

----- Original Message ----
From: Oh Calcutta <ohcalcutta at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>

Sent: Friday, April 4, 2008 11:42:35 PM
Subject: Re: How to get the username (netID)?

- If you enable HttpServletRequestWrapper filter, then you can do asimple request.getRemoteUser() to get the NetId.

tedzo wrote:      Someprogress in my quest to use JA-SIG client 3.1.1 and eventually theSingleSignOutFilter...
I am trying to get a hold of the username (netId) but have been unableto. It seems that I should be able to get to it usingsession.getAttribute("_const_cas_assertion_") from my jsp. But thatdoesn't seem to work.

What am I missing?

Thanks.

  -----Original Message ----
From: tedzo <tedzo2003 at yahoo.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Friday, April 4, 2008 10:48:29 PM
Subject: Re: Which version of cas to use for SingleSignOut feature?

    Ok,I found 
  http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml

That document describes 6 different filters (AuthenticationFilter,HttpServletRequestWrapper and so on). I am not sure if I need toconfigure all the filters or can I get away with just theAuthenticationFilter? In the Yale version I configured just the onefilter (CASFilter) for authentication.

Any pointers?

Thanks.

  -----Original Message ----
From: tedzo <tedzo2003 at yahoo.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Friday, April 4, 2008 10:22:55 PM
Subject: Re: Which version of cas to use for SingleSignOut feature?

    Thatwill be a problem :( I guess I will have to move to the newer versions.

Is using JA-SIG Java client similar to using the Yale Client? I waslooking for a tutorial of some sort that explains configuring/using theJA-SIG Java Client and didn't find any. This doesn't seem to work http://www.ja-sig.org/products/cas/client/client-java/index.html.

I am seeing references to cas-client.properites etc and I am not surehow to proceed.
For the Yale Java client, I just added the filter info in web.xml and Iwas off and running....

Your help is appreciated.

Thanks.

  -----Original Message ----
From: Adam Rybicki <arybicki at unicon.net>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Friday, April 4, 2008 4:38:01 PM
Subject: Re: Which version of cas to use for SingleSignOut feature?

  Hi,

The versions you are using do not support SSOut.  You need CAS Server3.1.1 or 3.1.2 if you must use a "release" version or 3.2.1-RC1 if youare OK with using a "release candidate" version.

Yale CAS client does not support SSOut, but perhaps someone willcontribute it.  The JA-SIG CAS Client version 3.1.1 supports SSOut, andthat's the latest version available.

The earliest versions that should correctly support SSOut are 3.1.1 forCAS Server and 3.1 for JA-SIG CAS Client.

Adam

tedzo wrote:          Helloall,
I am trying to find out which versions of cas server and cas javaclient I need to use in order to be able to use the SingleSignOutfeature. I currently have cas server 3.0.6 and Yale client 2.1.1. 

- Does it matter which version of client I use?
- What are the earliest versions that support the said feature?

Thanks.

    You rock. That's why Blockbuster's offering you one
month of Blockbuster Total Access, No Cost.    
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

  You rock. That's why Blockbuster's offering you one
month of Blockbuster Total Access, No Cost.

  You rock. That's why Blockbuster's offering you one
month of Blockbuster Total Access, No Cost.  
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

      You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

      You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.

      You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.

      You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

      You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

      You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

      ____________________________________________________________________________________
You rock. That's why Blockbuster's offering you one month of Blockbuster Total Access, No Cost.  
http://tc.deals.yahoo.com/tc/blockbuster/text5.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080408/9d386660/attachment-0001.html 