This article covers how to deal with JASIG CAS single sign-out not working. It should be a useful reference for anyone hitting the same problem; follow along below.

Problem description

I have single sign on working beautifully, but single sign-out is not working.

The scenario is as follows:

  1. Open webapp1 and get redirected to CAS login page
  2. Enter details and login
  3. Open webapp2 which also uses CAS. Automatically logs in, as the user already signed in.
  4. Log out of webapp1
  5. Try to open webapp1 or webapp2 (in another tab) redirects you back to the login page.
  6. However, the session to webapp2 in step 3 is not closed and the user can still use the application without any problems. How do I automatically invalidate the session when the user signs out?

The log off button for both applications first calls session.invalidate() and then redirects to https://localhost:8443/cas/logout

The single sign out filter is the first filter in the web.xml file. I also have the SingleSignOutHttpSessionListener in web.xml.

Following is the extract from my web.xml

<!-- CAS settings -->
<!-- Use filter init-param if your container does not support context params.
    CAS Authentication Filter and CAS Validation Filter need a serverName init-param
    in lieu of a context-param definition. -->
<context-param>
    <param-name>serverName</param-name>
    <param-value>https://localhost:8443</param-value>
</context-param>

  <!-- Facilitates CAS single sign-out -->
  <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>

  <!--
  CAS client filters
  Single sign-out filter MUST come first since it needs to be evaluated
  before other filters.
  -->
  <filter>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <!--
        IMPORTANT:
        Use Saml11AuthenticationFilter for version 3.1.12 and later.
        Use org.jasig.cas.client.authentication.AuthenticationFilter for previous
        versions.
        -->
        <filter-class>
              org.jasig.cas.client.authentication.Saml11AuthenticationFilter</filter-class>
        <init-param>
              <param-name>casServerLoginUrl</param-name>
              <param-value>https://localhost:8443/cas/login</param-value>
        </init-param>
        <init-param>
              <param-name>service</param-name>
              <param-value>https://localhost:8443/JAdaptiv/default.action</param-value>
        </init-param>
  </filter>

  <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.validation.Saml11TicketValidationFilter</filter-class>
        <init-param>
              <param-name>casServerUrlPrefix</param-name>
              <param-value>https://localhost:8443/cas</param-value>
        </init-param>
        <init-param>
              <param-name>redirectAfterValidation</param-name>
              <param-value>true</param-value>
        </init-param>
        <init-param>
              <!-- Leniency of time checking in ms when validating SAML assertions. Consider
                    setting this parameter more liberally if you anticipate system clock drift
                    on your application servers relative to the CAS server. The default is 1000
                    (1s) and at least one person had problems with drift at that small a tolerance
                    value. A good approach is to start low and then increase by 1000 as needed
                    until problems stop. Note that increasing this value may have negative security
                    implications. Consider fixing clock drift problems as an alternative. -->
              <param-name>tolerance</param-name>
              <param-value>1000</param-value>
        </init-param>
  </filter>

  <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>
              org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <filter-mapping>
        <filter-name>CAS Single Sign Out Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/*</url-pattern>
  </filter-mapping>


Recommended answer

I had the same problem. We had a Java and a PHP client. When I went to http://mycasserver/logout only the Java client logged out.

For the single sign out to work in the PHP client, you have to change:

phpCAS::handleLogoutRequests();

to

phpCAS::handleLogoutRequests(false);

And voilà!
See
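The back-channel logout the answer relies on, as an added Python model that is not code from the question, the answer, or the CAS client libraries: on /cas/logout the CAS server POSTs a SAML LogoutRequest to every service it issued a ticket to, and the client maps the SessionIndex (the service ticket) back to the local session and invalidates it, which is the job SingleSignOutFilter does for the Java app. The allowed_hosts=None path mirrors phpCAS handleLogoutRequests(false), whose first parameter (check_client) turns off the check that the request came from the CAS server; SessionRegistry, the sample request and the host names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the LogoutRequest the CAS server POSTs to each service
# URL (form parameter "logoutRequest") when the user hits /cas/logout.
SAMPLE_LOGOUT = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex></samlp:LogoutRequest>'
)

class SessionRegistry:
    """Hypothetical stand-in for the ticket -> session map SingleSignOutFilter keeps."""
    def __init__(self):
        self._by_ticket = {}

    def record(self, ticket, session):
        # Called right after ticket validation, when the app session is created.
        self._by_ticket[ticket] = session

    def invalidate_by_ticket(self, ticket):
        # The session.invalidate() step, keyed by the ticket that opened the session.
        session = self._by_ticket.pop(ticket, None)
        if session is not None:
            session["valid"] = False
        return session

def extract_session_index(logout_request_xml):
    # The service ticket that created the session travels in <samlp:SessionIndex>.
    idx = ET.fromstring(logout_request_xml).find(f"{{{SAMLP}}}SessionIndex")
    return idx.text.strip() if idx is not None and idx.text else None

def handle_logout_request(registry, form_body, remote_host, allowed_hosts):
    # allowed_hosts=None mirrors phpCAS handleLogoutRequests(false): the sender is
    # not checked, so any host that learns a ticket value can end that session.
    if allowed_hosts is not None and remote_host not in allowed_hosts:
        return None
    payloads = parse_qs(form_body).get("logoutRequest")
    ticket = extract_session_index(payloads[0]) if payloads else None
    return registry.invalidate_by_ticket(ticket) if ticket else None

def demo():
    # Constructed run: webapp2's session was opened by ST-1-constructed.
    registry, session = SessionRegistry(), {"valid": True}
    registry.record("ST-1-constructed", session)
    body = urlencode({"logoutRequest": SAMPLE_LOGOUT})
    handle_logout_request(registry, body, "cas.example", {"cas.example"})
    return session["valid"]  # False: single logout reached this application
```

If the application never receives this POST (a filter in front of SingleSignOutFilter, a service URL the CAS server cannot reach, or a client-side check rejecting the sender), the local session survives exactly as described in step 6 of the question.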

That concludes this article on JASIG CAS single sign-out not working; we hope the recommended answer helps.

07-22 20:14