CAS Single Sign Out solution idea
Larry Symms
lsymms at gmail.com
Sun Apr 13 20:03:45 EDT 2008
I agree that that is not a perfect solution. What I am currently
implementing is a distributed session management system integrated into
the AGECI filter chain. In our case this will solve a multitude of
problems associated with authN and authZ which I won't go into here.
The basic idea is to have a DB backed session that can be accessed via a
client API, or a service call to determine which active methods of
authentication the requester has used to authenticate themselves. Each
request will poll that data. Logout simply clears data for that
requester cutting off all applications. While this may seem like a lot
of network traffic, it seems necessary.
Scott Battaglia wrote:
> Axel,
>
> We looked into something like this but ultimately we decided against
> it. One bad client could break the entire process (or one client that
> doesn't support the log out protocol).
>
> -Scott
>
> On Fri, Apr 11, 2008 at 6:20 PM, Axel Mendoza Pupo
> <apupo at estudiantes.uci.cu <mailto:apupo at estudiantes.uci.cu>> wrote:
>
> I have found a solution to Single Sign Out and I want to share it so
> it can be improved.
> The solution involves the org.jasig.cas.web.LogoutController
> sending a redirect view to each logout URL of the webapps.
> To do this I configure a LogoutRegistry to set the webapps' logout
> URLs and get the next logout URL to redirect to.
> In each web app I handle the logout URL with a controller which
> gets the session invalidated and redirects to CAS /logout, which
> iterates over each logout URL.
> I have not tested this yet because my web apps aren't ready, but I think
> this may work even when the user closes the browser during the logout
> request.
> Look at the code and discuss it.
> /****************************************************************
> public class UrlLogout {
> private String url;
>
> public String getUrl() {
> return url;
> }
>
> public void setUrl(String url) {
> this.url = url;
> }
> }
> /****************************************************************
> public class LogoutRegistry {
>
> private List<UrlLogout> urlsLogout;
> // index of the next logout URL to visit, keyed by the CAS servlet session id
> private Map<String, Integer> sessionStateLogout =
> Collections.synchronizedMap(new HashMap<String, Integer>());
>
> public String nextLogout(String sessionId){
> String url = null;
> Integer v = sessionStateLogout.get(sessionId);
> int index = 0;
>
> if(v != null)
> index = v;
>
> // hand out the next registered URL, or null once every webapp has been visited
> if(index < urlsLogout.size())
> url = urlsLogout.get(index).getUrl();
>
> index++;
> sessionStateLogout.put(sessionId,index);
>
> return url;
> }
>
> public void removeSessionState(String sessionId){
> sessionStateLogout.remove(sessionId);
> }
>
> public void setUrlsLogout(List<UrlLogout> urls){
> urlsLogout = urls;
> }
> }
> /****************************************************************
> public class CASLogoffController implements Controller{
>
> private CentralAuthenticationService
> centralAuthenticationService;
> /** CookieGenerator for TGT Cookie */
> @NotNull
> private CookieRetrievingCookieGenerator
> ticketGrantingTicketCookieGenerator;
> /** CookieGenerator for Warn Cookie */
> @NotNull
> private CookieRetrievingCookieGenerator warnCookieGenerator;
> /** Logout view name. */
> @NotNull
> private String logoutView;
>
> private LogoutRegistry logoutRegistry;
>
> public ModelAndView handleRequest(HttpServletRequest request,
> HttpServletResponse response) throws Exception {
> final String ticketGrantingTicketId =
> this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request);
> final String service = request.getParameter("service");
>
> if (ticketGrantingTicketId != null) {
> this.centralAuthenticationService
> .destroyTicketGrantingTicket(ticketGrantingTicketId);
>
> this.ticketGrantingTicketCookieGenerator.removeCookie(response);
> this.warnCookieGenerator.removeCookie(response);
> }
>
> String sessionId = request.getSession().getId();
>
> String url = logoutRegistry.nextLogout(sessionId);
>
> if(url != null)
> return new ModelAndView(new RedirectView(url));
>
> logoutRegistry.removeSessionState(sessionId);
>
> return new ModelAndView(this.logoutView);
> }
>
> public void setTicketGrantingTicketCookieGenerator(final
> CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator) {
> this.ticketGrantingTicketCookieGenerator =
> ticketGrantingTicketCookieGenerator;
> }
>
> public void setWarnCookieGenerator(final
> CookieRetrievingCookieGenerator warnCookieGenerator) {
> this.warnCookieGenerator = warnCookieGenerator;
> }
> /**
> * @param centralAuthenticationService The
> centralAuthenticationService to
> * set.
> */
> public void setCentralAuthenticationService(final
> CentralAuthenticationService centralAuthenticationService) {
> this.centralAuthenticationService =
> centralAuthenticationService;
> }
>
> public void setLogoutView(final String logoutView) {
> this.logoutView = logoutView;
> }
>
> public void setLogoutRegistry(LogoutRegistry logoutRegistry) {
> this.logoutRegistry = logoutRegistry;
> }
> }
> /****************************************************************
> <bean id="logoutController" class="CASLogoffController"
> p:centralAuthenticationService-ref="centralAuthenticationService"
> p:logoutView="casLogoutView"
> p:warnCookieGenerator-ref="warnCookieGenerator"
> p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
> p:logoutRegistry-ref="logoutRegistry"/>
>
> <bean id="logoutRegistry" class="LogoutRegistry">
> <property name="urlsLogout">
> <list>
> <bean class="UrlLogout"
> p:url="http://localhost:8080/webapp1/logoff.htm"/>
> <bean class="UrlLogout"
> p:url="http://localhost:8080/webapp2/logoff.htm"/>
> </list>
> </property>
> </bean>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu <mailto:cas at tp.its.yale.edu>
> http://tp.its.yale.edu/mailman/listinfo/cas
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
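The two designs discussed in this thread, Axel's redirect chain through a LogoutRegistry and Larry's DB-backed session record polled on every request, as an added simulation that is not code from the thread's authors or from CAS; the App, RedirectChainLogout and CentralSessionStore classes and the session id are constructed here. It shows what Scott's objection looks like in practice: one app that does not redirect back stalls the chain, leaves the apps after it logged in and strands the registry entry, while the central record cuts off every app in one step without any app cooperating.

```python
class App:
    """Constructed simulation, not CAS code: a relying app with its own session. A compliant
    app invalidates it and redirects back to CAS /logout; a non-compliant one ignores it."""
    def __init__(self, compliant=True):
        self.compliant, self.sessions = compliant, set()
    def logoff(self, sid):
        if not self.compliant:
            return False                  # never redirects back: chain stops here
        self.sessions.discard(sid)
        return True

class RedirectChainLogout:
    """Axel's LogoutRegistry walk: CAS redirects the browser to each app's logout URL."""
    def __init__(self, apps):
        self.apps, self.state = apps, {}  # state: session id -> next index to visit
    def logout(self, sid):
        while True:                       # the browser following each redirect
            i = self.state.get(sid, 0)
            self.state[sid] = i + 1
            if i >= len(self.apps):
                self.state.pop(sid, None)  # removeSessionState, then casLogoutView
                return "logoutView"
            if not self.apps[i].logoff(sid):
                return "stalled"          # later apps never reached, state entry leaks

class CentralSessionStore:
    """Larry's alternative: one DB-backed record per user that every app polls on
    each request; logout clears it, so no app has to cooperate to be cut off."""
    def __init__(self):
        self.active = {}                  # session id -> authentication methods used
    def login(self, sid, method):
        self.active.setdefault(sid, set()).add(method)
    def logout(self, sid):
        self.active.pop(sid, None)
    def allowed(self, sid):               # what each app checks on every request
        return bool(self.active.get(sid))

def compare(sid="sess-1"):
    """Three apps, the middle one non-compliant; returns (chain outcome,
    apps still holding a session, leaked registry entries, central store verdict)."""
    apps = [App(), App(compliant=False), App()]
    for a in apps:
        a.sessions.add(sid)
    chain = RedirectChainLogout(apps)
    outcome = chain.logout(sid)
    still_in = [i for i, a in enumerate(apps) if sid in a.sessions]
    store = CentralSessionStore()
    store.login(sid, "cas")
    store.logout(sid)
    return outcome, still_in, len(chain.state), store.allowed(sid)
```

With the middle app non-compliant, `compare()` reports the chain stalled, apps 1 and 2 still holding sessions and one stranded registry entry, while the central store already denies the session.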