Posted to user@shiro.apache.org by psfung <ps...@clustertech.com> on 2012/11/26 03:42:30 UTC

CAS single sign out exception

I followed http://shiro.apache.org/cas.html to integrate Shiro 1.2.1 with CAS
server 3.5.1. The single sign out appears to work: when a user refreshes a
page after logging out of the CAS server, he is redirected to the CAS login page. But
there is an exception when the CAS server posts the sign out callback to Shiro.

From the Tomcat access log:
192.168.129.118 - - [26/Nov/2012:10:16:49 +0800] "POST /shiro-cas HTTP/1.1" 500 4090

From the application log:
10:16:49 [org.apache.shiro.realm.AuthenticatingRealm] [DEBUG] Looked up AuthenticationInfo [null] from doGetAuthenticationInfo
10:16:49 [org.apache.shiro.realm.AuthenticatingRealm] [DEBUG] No AuthenticationInfo found for submitted AuthenticationToken [org.apache.shiro.cas.CasToken@1e8809ce].  Returning null.
10:16:49 [org.apache.shiro.web.servlet.SimpleCookie] [DEBUG] Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Sun, 25-Nov-2012 02:16:49 GMT]
10:16:49 [org.apache.shiro.web.servlet.AdviceFilter] [DEBUG] Filter execution resulted in an unexpected Exception (not IOException or ServletException as the Filter API recommends).  Wrapping in ServletException and propagating.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/CAS-single-sign-out-exception-tp7577991.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: CAS single sign out exception

Posted by psfung <ps...@clustertech.com>.
Hi Jérôme,

My fault. The CAS server and the app are running on 2 instances of Tomcat
(with different ports) on the same host. The JSESSIONID cookies interfere
with each other.

I shall set up a correct environment and test again.

thanks,
Samuel




Re: CAS single sign out exception

Posted by psfung <ps...@clustertech.com>.
Hi Jérôme,

> Then, I can still access a protected area in my Shiro application :
> http://localhost:8080/app/user/index.jsp and my Shiro session is still
> valid
My app differs. It requires login again.

The only difference between my app and your app is that my app doesn't set
casRealm.validationProtocol = SAML

In fact I have difficulty setting up SAML. Shiro-cas 1.2.1 depends on
opensaml 1.1, but cas-server 3.5.1 depends on opensaml 2.5.1-1; are they
compatible?

thanks,
Samuel




Re: CAS single sign out exception

Posted by jleleu <le...@gmail.com>.
Hi,

It's pretty strange: with just Shiro + CAS, the application logout does not
work (as it was not designed to).

I use a demo I created to test CAS support in Shiro:
https://github.com/leleuj/cas-shiro-demo.

I go to the application and try to access a protected area:
http://localhost:8080/app/user/index.jsp. I'm redirected to the CAS server, I
authenticate and I'm redirected back to the Shiro application. I can see
that my session has been created on the Shiro application side and the Shiro
principal is the username from the CAS server.

If I call the CAS logout: http://localhost:8080/cas/logout, I'm hopefully
logged out from CAS and the Shiro application receives a CAS logout:
CAS SHIRO DEMO APP 2012/11/29 11:08:33,253 DEBUG [qtp18397504-36] org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [null] from doGetAuthenticationInfo
CAS SHIRO DEMO APP 2012/11/29 11:08:33,253 DEBUG [qtp18397504-36] org.apache.shiro.realm.AuthenticatingRealm - No AuthenticationInfo found for submitted AuthenticationToken [org.apache.shiro.cas.CasToken@180d48a].  Returning null.
CAS SHIRO DEMO APP 2012/11/29 11:08:33,254 DEBUG [qtp18397504-36] org.apache.shiro.web.servlet.SimpleCookie - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/app; Max-Age=0; Expires=Wed, 28-Nov-2012 10:08:33 GMT]

Which is in fact ignored by the Shiro application as the CAS support for
Shiro does not handle CAS logout.

Then I can still access a protected area in my Shiro application:
http://localhost:8080/app/user/index.jsp and my Shiro session is still valid:
the CAS logout has not been taken into account.

The web session is initialized in Shiro with a first round-trip to the CAS
server; it happens just once, and after that you're authenticated in your Shiro
application (without any communication with CAS) until a timeout occurs.

Best regards,
Jérôme





Re: CAS single sign out exception

Posted by psfung <ps...@clustertech.com>.
Hi Jérôme,

I used pure Shiro + CAS; I didn't add SingleSignOutFilter on top of that.

From the user's point of view, it actually works. The only problem is that Shiro
returns 302 to the CAS server's sign out callback, not the expected 200.

After tracing the code, I think Shiro doesn't need to handle the callback. The
callback is to clear the client application's local session. But Shiro doesn't
rely on a local session; it validates every request by TGC. Am I correct?

thanks,
Samuel




Re: CAS single sign out exception

Posted by jleleu <le...@gmail.com>.
Hi,

Sorry, I missed your first post. I didn't design the CAS support for Shiro
to handle the CAS logout callback (it's certainly a lack).

Just to be sure I understand everything right: you configured CAS support
in Shiro and added the CAS SingleSignOutFilter to your Shiro application.
And it doesn't work, does it?

Thanks,
Jérôme





Re: CAS single sign out exception

Posted by psfung <ps...@clustertech.com>.
The exception is because casFilter.failureUrl is not set. After it is set,
the sign out callback from the CAS server results in a 302 redirect to the failure
URL.

Shiro follows the standard flow and asks the CAS server to authenticate itself.
But https://wiki.jasig.org/display/CASC/Configuring+Single+Sign+Out says the
SingleSignOutFilter must come before the other filters, so that the sign out
callback can skip the flow.

Can I conclude that Shiro doesn't support CAS single sign out?



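A minimal way to give this Shiro + CAS setup the single sign out handling the thread finds missing, using the same idea as the Jasig SingleSignOutFilter referenced above (added example; not code from Shiro, from the cas-shiro-demo or from anyone in the thread; class names and the BY_TICKET registry are assumptions). It assumes Shiro's default servlet-container session mode, so invalidating the HttpSession ends the Shiro session, and a single JVM.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.cas.CasFilter;
import org.apache.shiro.subject.Subject;
/** Drop-in for casFilter in shiro.ini: records which container session each service ticket created. */
public class RegisteringCasFilter extends CasFilter {
    // Hypothetical in-JVM registry, ticket -> session (a cluster would need a shared store instead).
    static final ConcurrentHashMap<String, HttpSession> BY_TICKET = new ConcurrentHashMap<String, HttpSession>();
    @Override
    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject,
                                     ServletRequest request, ServletResponse response) throws Exception {
        // For a CasToken the credentials are the validated service ticket (ST-...), which CAS
        // later sends back as SessionIndex in its single sign out request.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session != null) {
            BY_TICKET.put(String.valueOf(token.getCredentials()), session);
        }
        return super.onLoginSuccess(token, subject, request, response);
    }
}

/** Plain servlet filter mapped to /shiro-cas in web.xml BEFORE ShiroFilter, so the callback never reaches casFilter. */
public class CasSingleSignOutFilter implements Filter {
    private static final Pattern SESSION_INDEX =
            Pattern.compile("<samlp:SessionIndex>\\s*([^<]+?)\\s*</samlp:SessionIndex>");
    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // CAS single sign out is a POST whose "logoutRequest" field carries a SAML LogoutRequest; anything else (including the ?ticket=ST-... login callback) goes on to Shiro.
        String logoutRequest = "POST".equals(((HttpServletRequest) req).getMethod()) ? req.getParameter("logoutRequest") : null;
        if (logoutRequest == null) {
            chain.doFilter(req, res);
            return;
        }
        Matcher m = SESSION_INDEX.matcher(logoutRequest);
        HttpSession session = m.find() ? RegisteringCasFilter.BY_TICKET.remove(m.group(1)) : null;
        if (session != null) {
            try { session.invalidate(); } catch (IllegalStateException alreadyExpired) { /* nothing to do */ }
        }
        // Answer 200 with an empty body: the caller is the CAS server, not a browser to redirect to failureUrl.
        ((HttpServletResponse) res).setStatus(HttpServletResponse.SC_OK);
    }
}
```

The two public classes are shown in one listing but belong in separate source files; in production, also remove registry entries when sessions expire (an HttpSessionListener) so invalidated sessions are not retained.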