CAS Single Sign Out solution idea

Scott Battaglia scott.battaglia at gmail.com
Sun Apr 13 13:31:12 EDT 2008


Axel,

We looked into something like this but ultimately we decided against it.
One bad client could break the entire process (or one client that doesn't
support the log out protocol).

-Scott

On Fri, Apr 11, 2008 at 6:20 PM, Axel Mendoza Pupo <apupo at estudiantes.uci.cu>
wrote:

> I have found a solution to Single Sign Out and I want to share it so it
> can be upgraded.
> The solution involves the org.jasig.cas.web.LogoutController sending a
> redirect view to each logout URL of the web apps.
> To do this I configure a LogoutRegistry to set the web apps' logout URLs
> and to get the next logout URL to redirect to.
> In each web app I handle the logout URL with a controller which invalidates
> the session and redirects to CAS /logout, which iterates over each logout
> URL.
> I have not tested this yet because my web apps aren't ready, but I think this
> may work even when the user closes the browser during the logout request.
> Look at the code and discuss it.
> /****************************************************************
>  public class UrlLogout {
>      private String url;
>
>      public String getUrl() {
>           return url;
>      }
>
>      public void setUrl(String url) {
>           this.url = url;
>      }
>  }
> /****************************************************************
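>  import java.util.Collections;
>  import java.util.HashMap;
>  import java.util.List;
>  import java.util.Map;
>
>  public class LogoutRegistry {
>
>      private List<UrlLogout> urlsLogout;
>      // Next index into urlsLogout, keyed by session id
>      private Map sessionStateLogout = Collections.synchronizedMap(new HashMap());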
>
>      public String nextLogout(String sessionId){
>           String url = null;
>           Object v = sessionStateLogout.get(sessionId);
>           int index = 0;
>
>           if(v != null)
>                index = (Integer)v;
>
>           if(index < urlsLogout.size())
>                url = ((UrlLogout) urlsLogout.get(index)).getUrl();
>
>           index++;
>           sessionStateLogout.put(sessionId,index);
>
>           return url;
>      }
>
>      public void removeSessionState(String sessionId){
>           sessionStateLogout.remove(sessionId);
>      }
>
>      public void setUrlsLogout(List<UrlLogout> urls){
>           urlsLogout = urls;
>      }
>  }
> /****************************************************************
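>  import javax.servlet.http.HttpServletRequest;
>  import javax.servlet.http.HttpServletResponse;
>  import org.jasig.cas.CentralAuthenticationService;
>  import org.jasig.cas.web.support.CookieRetrievingCookieGenerator;
>  import org.springframework.web.servlet.ModelAndView;
>  import org.springframework.web.servlet.mvc.Controller;
>  import org.springframework.web.servlet.view.RedirectView;
>  // @NotNull: import the annotation from the package your CAS version provides
>
>  public class CASLogoffController implements Controller{
>
>      private CentralAuthenticationService centralAuthenticationService;
>      /** CookieGenerator for TGT Cookie */
>      @NotNull
>      private CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;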
>      /** CookieGenerator for Warn Cookie */
>      @NotNull
>      private CookieRetrievingCookieGenerator warnCookieGenerator;
>      /** Logout view name. */
>      @NotNull
>      private String logoutView;
>
>      private LogoutRegistry logoutRegistry;
>
>      public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
>           final String ticketGrantingTicketId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
>           final String service = request.getParameter("service");
>
>           if (ticketGrantingTicketId != null) {
>                this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketId);
>                this.ticketGrantingTicketCookieGenerator.removeCookie(response);
>                this.warnCookieGenerator.removeCookie(response);
>           }
>
>           String sessionId = request.getSession().getId();
>
>           String url = logoutRegistry.nextLogout(sessionId);
>
>           if(url != null)
>                return new ModelAndView(new RedirectView(url));
>
>           logoutRegistry.removeSessionState(sessionId);
>
>           return new ModelAndView(this.logoutView);
>      }
>
>      public void setTicketGrantingTicketCookieGenerator(final CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator) {
>           this.ticketGrantingTicketCookieGenerator = ticketGrantingTicketCookieGenerator;
>      }
>
>      public void setWarnCookieGenerator(final CookieRetrievingCookieGenerator warnCookieGenerator) {
>           this.warnCookieGenerator = warnCookieGenerator;
>      }
>      /**
>      * @param centralAuthenticationService The centralAuthenticationService to set.
>      */
>      public void setCentralAuthenticationService(final CentralAuthenticationService centralAuthenticationService) {
>           this.centralAuthenticationService = centralAuthenticationService;
>      }
>
>      public void setLogoutView(final String logoutView) {
>           this.logoutView = logoutView;
>      }
>
>      public void setLogoutRegistry(LogoutRegistry logoutRegistry) {
>           this.logoutRegistry = logoutRegistry;
>      }
>  }
> /****************************************************************
>  <bean id="logoutController" class="CASLogoffController"
>  p:centralAuthenticationService-ref="centralAuthenticationService"
>  p:logoutView="casLogoutView"
>  p:warnCookieGenerator-ref="warnCookieGenerator"
>  p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
>  p:logoutRegistry-ref="logoutRegistry"/>
>
>  <bean id="logoutRegistry" class="LogoutRegistry">
>       <property name="urlsLogout">
>            <list>
>                <bean class="UrlLogout" p:url="http://localhost:8080/webapp1/logoff.htm"/>
>                <bean class="UrlLogout" p:url="http://localhost:8080/webapp2/logoff.htm"/>
>            </list>
>       </property>
>  </bean>
>


-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
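
The failure mode raised in the reply, run against the quoted registry logic. This is an added example, not part of either message and not CAS code; the class name, the session id "S1" and the third URL (webapp3) are constructed for illustration.

```java
import java.util.*;

// Added illustration, not CAS code: drives the nextLogout() logic from the
// quoted LogoutRegistry through a simulated browser redirect chain.
public class LogoutChainDemo {
    static final List<String> URLS = Arrays.asList(   // webapp3 is a constructed sample
        "http://localhost:8080/webapp1/logoff.htm",
        "http://localhost:8080/webapp2/logoff.htm",
        "http://localhost:8080/webapp3/logoff.htm");
    static final Map<String, Integer> state = new HashMap<>();

    // Same logic as the quoted LogoutRegistry.nextLogout().
    static String nextLogout(String sessionId) {
        int index = state.getOrDefault(sessionId, 0);
        String url = index < URLS.size() ? URLS.get(index) : null;
        state.put(sessionId, index + 1);
        return url;
    }

    // Follows redirects until CAS would show the logout view or an app fails
    // to redirect back. Returns the apps that invalidated their session.
    static List<String> runChain(String sessionId, Set<String> unsupported) {
        List<String> loggedOut = new ArrayList<>();
        String url;
        while ((url = nextLogout(sessionId)) != null) {
            if (unsupported.contains(url)) {
                return loggedOut;      // browser is stranded; CAS /logout is not called again
            }
            loggedOut.add(url);        // app invalidated its session and redirected back
        }
        state.remove(sessionId);       // removeSessionState() only runs after a full pass
        return loggedOut;
    }

    public static void main(String[] args) {
        // Assumption: webapp2 does not implement the logout redirect.
        Set<String> bad = Collections.singleton(URLS.get(1));
        List<String> done = runChain("S1", bad);
        int firstUnreached = Math.min(done.size() + 1, URLS.size());
        System.out.println("logged out:    " + done);
        System.out.println("never reached: " + URLS.subList(firstUnreached, URLS.size()));
        System.out.println("registry state left behind: " + state);
    }
}
```

With one non-cooperating app in the middle of the list, every app after it keeps its local session, and the per-session index stays in the registry because the cleanup call is only reached when the chain completes.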