I'm using CAS with three applications, when I try to logout from one of then, CAS kill the session from that application, but the session remains in the others applications. How do I kill all the sessions?
logouts from application A, remais logged in applications B and C.
I wasn't able to get all cookies, only from the application where the logout method is in.
Anyone can assist on this one?
Fundamental here is to logout out the local application sessions and then call the cas logout service. I would imagine this is how your application logout controller would look like
public ModelAndView logout(HttpServletRequest request) {
SecurityContextHolder.clearContext();
request.getSession(false).invalidate();
return new ModelAndView("redirect:/logout/cas");
}
when you redirect to /logout/cas the following entries in spring-security.xml will take care of single logout.
<!-- This filter handles a Single Logout Request from the CAS Server -->
<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
<property name="artifactParameterName" value="SAMLart"></property>
</bean>
<!-- This filter redirects to the CAS Server to signal Single Logout should be performed -->
<bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="https://${cas.server.name}/cas/logout" />
<constructor-arg>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
</constructor-arg>
<property name="filterProcessesUrl" value="/logout/cas" />
</bean>
Following link should be helpful, CAS Single Logout. Please note that this link is for CAS version 4.2.x.