Add CAS logout URL config in web.xml. #5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The CAS logout URL can now be configured in web.xml instead of being hard coded in logout.jsp. This was done by adding a logout filter. Going to the url /cat/auth/logout will now log you out of the application. This also fixes a minor execution order bug on logout that leads to the session persisting after the first logout. The execution flow in the original logout.jsp goes: Application clears session, logout.jsp loads "My Courses" page, logout.jsp goes to CAS logout page to clear CAS session. What happens in our environment is that when logout.jsp loads "My Course", because its CAS session hasn't been expired, it was able to reauthenticate and recreate the application session. The workaround is to press logout again to truly logout. The actual fix swaps the last two operations so that it goes: Application clears session, redirects to CAS logout page to clear CAS session, redirects to "My Courses". Redirecting to "My Courses" needs to be done by the CAS server since the browser was redirect to the CAS page. Luckily, there is a "service" parameter that you can pass to the CAS logout url that tells the CAS server where to go after logout. Fixes usaskulc#2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The CAS logout URL can now be configured in web.xml instead of being hard coded
in logout.jsp. This was done by adding a logout filter. Going to the url
/cat/auth/logout will now log you out of the application.
This also fixes a minor execution order bug on logout that leads to the session
persisting after the first logout. The execution flow in the original
logout.jsp goes: Application clears session, logout.jsp loads "My Courses"
page, logout.jsp goes to CAS logout page to clear CAS session. What happens in
our environment is that when logout.jsp loads "My Course", because its CAS
session hasn't been expired, it was able to reauthenticate and recreate the
application session. The workaround is to press logout again to truly logout.
The actual fix swaps the last two operations so that it goes: Application
clears session, redirects to CAS logout page to clear CAS session, redirects to
"My Courses".
Redirecting to "My Courses" needs to be done by the CAS server since the
browser was redirect to the CAS page. Luckily, there is a "service" parameter
that you can pass to the CAS logout url that tells the CAS server where to go
after logout.
Fixes #2