One reason CAS SSO cannot log out

Keywords: Java Apache xml network


Background

Our company developed its internal SSO service on top of CAS SSO 4.x; I will temporarily call it SSO-INTERN.
In what follows, CAS SSO refers to the unmodified SSO, and SSO-INTERN refers to the SSO our company developed.
After SSO-INTERN 2 came online, a very strange problem appeared: applications protected by the SSO could not log out through it. Clicking the logout button and then closing the browser did not log the user out. Yet in local development tests, some applications could log out and some could not.
The deployment diagrams of our company's internal production network and of the test server are as follows:

Trying to solve it

First attempt

First I studied the CAS SSO protocol and Spring Web Flow until I understood the general process. Searching Google, I found the following in the official documentation on filter usage:

    Order of Required Filters
    How to configure the filters is described on the pages above. This section details the order in which the filters should appear:
    1 SingleLogOutFilter (if you're using it)
    2 AuthenticationFilter
    3 TicketValidationFilter (whichever one is chosen)
    4 HttpServletRequestWrapperFilter
    5 AssertionThreadLocalFilter

Following the documentation, I moved all the relevant filters to the front of web.xml, and after that every application could be logged out locally.
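Filter order in web.xml is easy to get wrong and easy to check mechanically. The following Python script is an added example, not code from this post or from the CAS project: it parses a web.xml, reads the filter-mapping order (the order the servlet container runs the filters in) and reports any CAS filter that is mapped after one that the documentation quoted above says must come later. The web.xml fragments are constructed for the demo; the filter class names are those of the Java CAS client 3.x, and the documentation's "SingleLogOutFilter" is matched under its class name SingleSignOutFilter.

```python
"""Check that the CAS client filter-mappings in a web.xml follow the documented order.

Added example; the web.xml fragments below are constructed for this demo.
"""
import xml.etree.ElementTree as ET

# Required order, as the CAS client documentation quoted above lists it.
# Entries are simple-class-name suffixes; "TicketValidationFilter" matches the
# Cas10/Cas20/Saml11 validation filter variants of the Java CAS client.
REQUIRED_ORDER = [
    "SingleSignOutFilter",          # the documentation's "SingleLogOutFilter"
    "AuthenticationFilter",
    "TicketValidationFilter",
    "HttpServletRequestWrapperFilter",
    "AssertionThreadLocalFilter",
]


def _rank(simple_class_name):
    """Position of a filter in REQUIRED_ORDER, or None for non-CAS filters."""
    for i, suffix in enumerate(REQUIRED_ORDER):
        if simple_class_name.endswith(suffix):
            return i
    return None


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def cas_filter_mapping_order(web_xml_text):
    """CAS filter simple class names in <filter-mapping> order, which is the
    order the servlet container applies the filters in."""
    root = ET.fromstring(web_xml_text)
    name_to_class = {}
    for el in root.iter():
        if _local(el.tag) != "filter":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if "filter-name" in fields and "filter-class" in fields:
            name_to_class[fields["filter-name"]] = fields["filter-class"].rsplit(".", 1)[-1]
    ordered = []
    for el in root.iter():
        if _local(el.tag) != "filter-mapping":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        cls = name_to_class.get(fields.get("filter-name"))
        if cls is not None and _rank(cls) is not None:
            ordered.append(cls)
    return ordered


def check_cas_filter_order(web_xml_text):
    """Return the list of ordering violations; an empty list means the order is fine."""
    order = cas_filter_mapping_order(web_xml_text)
    return [f"{cur} is mapped after {prev}"
            for prev, cur in zip(order, order[1:]) if _rank(prev) > _rank(cur)]


# Constructed sample: filter-name -> filter-class (Java CAS client 3.x class names).
FILTERS = {
    "CAS Single Sign Out Filter": "org.jasig.cas.client.session.SingleSignOutFilter",
    "CAS Authentication Filter": "org.jasig.cas.client.authentication.AuthenticationFilter",
    "CAS Validation Filter": "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
    "CAS HttpServletRequest Wrapper Filter": "org.jasig.cas.client.util.HttpServletRequestWrapperFilter",
    "CAS Assertion Thread Local Filter": "org.jasig.cas.client.util.AssertionThreadLocalFilter",
}


def build_web_xml(mapping_order):
    """Build a minimal web.xml whose <filter-mapping>s appear in the given order."""
    filters = "".join(
        f"<filter><filter-name>{n}</filter-name><filter-class>{c}</filter-class></filter>"
        for n, c in FILTERS.items())
    mappings = "".join(
        f"<filter-mapping><filter-name>{n}</filter-name><url-pattern>/*</url-pattern></filter-mapping>"
        for n in mapping_order)
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">'
            f"{filters}{mappings}</web-app>")


# A mapping order that violates the documentation (validation before authentication,
# single-logout filter after both) versus the documented order.
BAD_WEB_XML = build_web_xml(["CAS Validation Filter", "CAS Authentication Filter",
                             "CAS Single Sign Out Filter",
                             "CAS HttpServletRequest Wrapper Filter",
                             "CAS Assertion Thread Local Filter"])
GOOD_WEB_XML = build_web_xml(list(FILTERS))

if __name__ == "__main__":
    print(check_cas_filter_order(BAD_WEB_XML))   # two violations
    print(check_cas_filter_order(GOOD_WEB_XML))  # []
```

Run it against a real web.xml with `check_cas_filter_order(open("web.xml").read())`; the check only looks at filter-mapping order, which is what the container honours, not the order of the filter declarations themselves.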

So one possible reason for not being able to log out is a badly configured web.xml.
But after testing online it still could not log out! Nothing to do but keep trying...

Second attempt

Because the production servers are deployed separately, Apache is used as a reverse proxy. So I installed and configured Apache locally to simulate the production environment. The local environment could still be logged out, which means the Apache reverse proxy is not the problem either.

Third attempt

Finding the cause

I read through several huge log files and the code to keep looking for the cause.
After setting the logger level on both the test server and the local server to debug and comparing the two log files, I found that the test server's log always contained fewer lines about notifying the CAS client to log out. That pointed to the probable cause: the test server never notifies the CAS client to log out.

Here is the log of a normal logout

-------------------------logout-----------
[2017-02-17 11:01:43.512] [DEBUG] [web-container-thread-10] [org.jasig.cas.CentralAuthenticationServiceImpl] - Removing ticket [TGT-1-j0dF1y3EBzGLK1YducqU7eoEwmyZDcdrZcurxR0o2REXPc3g5b-localhost] from registry.
[2017-02-17 11:01:43.513] [DEBUG] [web-container-thread-10] [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-j0dF1y3EBzGLK1YducqU7eoEwmyZDcdrZcurxR0o2REXPc3g5b-localhost]
[2017-02-17 11:01:43.515] [DEBUG] [web-container-thread-10] [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-j0dF1y3EBzGLK1YducqU7eoEwmyZDcdrZcurxR0o2REXPc3g5b-localhost] found in registry.
[2017-02-17 11:01:43.516] [DEBUG] [web-container-thread-10] [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket found. Processing logout requests and then deleting the ticket...
[2017-02-17 11:01:43.523] [DEBUG] [web-container-thread-10] [org.jasig.cas.logout.SamlCompliantLogoutMessageCreator] - Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-LqgqPlBrB7CrtmnKiwfxSV61cSqPqol4Spj" Version="2.0" IssueInstant="2017-02-17T11:01:43Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-SZyXvbgesbuWz26Ts3Bg-localhost</samlp:SessionIndex></samlp:LogoutRequest>]
[2017-02-17 11:01:43.525] [DEBUG] [web-container-thread-10] [org.jasig.cas.logout.LogoutManagerImpl] - Sending logout request for: [http://localhost/upwxs-mgm/]
[2017-02-17 11:01:43.530] [DEBUG] [web-container-thread-10] [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [TGT-1-j0dF1y3EBzGLK1YducqU7eoEwmyZDcdrZcurxR0o2REXPc3g5b-localhost] from registry
[2017-02-17 11:01:43.530] [DEBUG] [pool-6-thread-1] [org.jasig.cas.util.SimpleHttpClient] - Attempting to access http://localhost/upwxs-mgm/
[2017-02-17 11:01:43.536] [DEBUG] [web-container-thread-10] [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASTGC]
[2017-02-17 11:01:43.539] [DEBUG] [web-container-thread-10] [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASPRIVACY]
[2017-02-17 11:01:43.564] [DEBUG] [pool-6-thread-1] [org.jasig.cas.util.SimpleHttpClient] - Finished sending message to http://localhost/upwxs-mgm/
[2017-02-17 11:01:43.596] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://localhost/upwxs-mgm/
[2017-02-17 11:01:43.598] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: http://localhost/upwxs-mgm/
[2017-02-17 11:01:43.603] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket LT-2-Oqfl3fdrP9t5Wkppn5DH440BznSb15-localhost
[2017-02-17 11:01:43.617] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://localhost/upwxs-mgm/
[2017-02-17 11:01:43.626] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - Examining language bundle [classpath:custom_messages_zh] for the code [screen.welcome.label.netid.accesskey]
[2017-02-17 11:01:43.628] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - Examining language bundle [classpath:messages_zh] for the code [screen.welcome.label.netid.accesskey]
[2017-02-17 11:01:43.629] [WARN] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - The code [screen.welcome.label.netid.accesskey] cannot be found in the language bundle for the locale [zh_CN]
[2017-02-17 11:01:43.635] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - Examining language bundle [classpath:custom_messages_zh] for the code [screen.welcome.label.password.accesskey]
[2017-02-17 11:01:43.637] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - Examining language bundle [classpath:messages_zh] for the code [screen.welcome.label.password.accesskey]
[2017-02-17 11:01:43.639] [WARN] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - The code [screen.welcome.label.password.accesskey] cannot be found in the language bundle for the locale [zh_CN]
[2017-02-17 11:01:43.645] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - Examining language bundle [classpath:custom_messages_zh] for the code [screen.welcome.label.accesskey]
[2017-02-17 11:01:43.647] [DEBUG] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - Examining language bundle [classpath:messages_zh] for the code [screen.welcome.label.accesskey]
[2017-02-17 11:01:43.648] [WARN] [web-container-thread-20] [org.jasig.cas.web.view.CasReloadableMessageBundle] - The code [screen.welcome.label.accesskey] cannot be found in the language bundle for the locale [zh_CN]
[2017-02-17 11:01:49.041] [DEBUG] [scheduler_Worker-2] [org.quartz.core.JobRunShell] - Calling execute on job DEFAULT.serviceRegistryReloaderJobDetail
[2017-02-17 11:01:49.046] [INFO] [scheduler_Worker-2] [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
[2017-02-17 11:01:49.048] [DEBUG] [scheduler_Worker-2] [org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered service ^(http?|https?)://.*
[2017-02-17 11:01:49.049] [INFO] [scheduler_Worker-2] [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 1 services.
[2017-02-17 11:21:49.010] [DEBUG] [scheduler_Worker-3] [org.quartz.core.JobRunShell] - Calling execute on job DEFAULT.serviceRegistryReloaderJobDetail
[2017-02-17 11:21:49.011] [INFO] [scheduler_Worker-3] [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
[2017-02-17 11:21:49.012] [DEBUG] [scheduler_Worker-3] [org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered service ^(http?|https?)://.*
[2017-02-17 11:21:49.013] [INFO] [scheduler_Worker-3] [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 1 services.
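The samlp:LogoutRequest shown in the log above is what the CAS server posts to each service during single logout; the SessionIndex element carries the service ticket that the application originally logged in with, and the application uses it to find and invalidate the matching HTTP session. The Python below is an added illustration of that client-side half of the exchange, not the Java CAS client's own code and not from this post: a ticket-to-session map filled in at ticket validation time, a parser for the LogoutRequest, and a handler that invalidates exactly the session named by the ticket. The session ids and the second ticket are constructed; the LogoutRequest is the one from the log excerpt above.

```python
"""Client-side handling of a CAS single-logout notification.

Added illustration of the mechanism; not the Java CAS client's code. The
ticket->session map and session ids are constructed for the demo.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class SessionMappingStorage:
    """Remembers which application session was opened with which service ticket.
    The client records this when it validates a ticket, so that a later
    LogoutRequest naming that ticket can find the session to invalidate."""

    def __init__(self):
        self._session_by_ticket = {}

    def record(self, service_ticket, session_id):
        self._session_by_ticket[service_ticket] = session_id

    def remove_by_ticket(self, service_ticket):
        """Forget the ticket and return its session id, or None if unknown."""
        return self._session_by_ticket.pop(service_ticket, None)


def session_index_from_logout_request(xml_text):
    """Extract the service ticket carried in <samlp:SessionIndex>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    if idx is None or not (idx.text or "").strip():
        raise ValueError("LogoutRequest carries no SessionIndex")
    return idx.text.strip()


def handle_logout_request(storage, xml_text, invalidate):
    """Invalidate only the session tied to the ticket named in the request.
    Returns the invalidated session id, or None when the ticket is unknown
    (session already expired, or a replayed request); nothing else is touched."""
    ticket = session_index_from_logout_request(xml_text)
    session_id = storage.remove_by_ticket(ticket)
    if session_id is not None:
        invalidate(session_id)
    return session_id


# The message the CAS server logged in the normal-logout excerpt above.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-LqgqPlBrB7CrtmnKiwfxSV61cSqPqol4Spj" Version="2.0" '
    'IssueInstant="2017-02-17T11:01:43Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-SZyXvbgesbuWz26Ts3Bg-localhost</samlp:SessionIndex>'
    '</samlp:LogoutRequest>')


def demo():
    """Constructed map: the ST from the excerpt opened session 'JSESSIONID-A';
    a second, made-up ticket opened 'JSESSIONID-B' and must survive the logout."""
    storage = SessionMappingStorage()
    storage.record("ST-1-SZyXvbgesbuWz26Ts3Bg-localhost", "JSESSIONID-A")
    storage.record("ST-9-constructed-other", "JSESSIONID-B")
    invalidated = []
    first = handle_logout_request(storage, LOGOUT_REQUEST, invalidated.append)
    second = handle_logout_request(storage, LOGOUT_REQUEST, invalidated.append)  # replay: no-op
    return first, second, invalidated, storage.remove_by_ticket("ST-9-constructed-other")


if __name__ == "__main__":
    print(demo())
```

The point of the ticket-keyed map is that the notification from the server is the only thing that ties a logout at the SSO to a session in the application; if that POST never arrives, as in the failing test server below, the application session simply lives on until it expires on its own.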

Here is the log from the test server, where logout fails

2017-02-17 11:19:04,033 [web-container-thread-7] DEBUG org.jasig.cas.ticket.registry.DefaultTicketRegistry.deleteTicket(DefaultTicketRegistry.java:94) - Removing ticket [ST-1-tbMal7icRJI623l9lNUU-upwxs.unionpay.com] from registry
2017-02-17 11:19:04,055 [web-container-thread-7] DEBUG org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:177) - Successfully validated service ticket ST-1-tbMal7icRJI623l9lNUU-upwxs.unionpay.com for service [http://172.17.140.22:11000/upwxs-mgm/]
2017-02-17 11:19:17,262 [web-container-thread-1] DEBUG org.springframework.web.util.CookieGenerator.removeCookie(CookieGenerator.java:215) - Removed cookie with name [CASTGC]
2017-02-17 11:19:17,263 [web-container-thread-1] DEBUG org.springframework.web.util.CookieGenerator.removeCookie(CookieGenerator.java:215) - Removed cookie with name [CASPRIVACY]

You can see that the test server log has no lines like "Attempting to access http://localhost/upwxs-mgm/" or "Finished sending message to http://localhost/upwxs-mgm/"; that is, the CAS SSO server did not notify the SSO client to log out.
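The comparison above was done by eye across two log formats. As an added example (not from this post or the CAS project), the Python below does the same check automatically: it recognises both line layouts seen in the excerpts, counts logouts (the CASTGC cookie removal), collects the services the server reported sending logout requests to, and flags a logout that notified nobody even though a service ticket had been validated for a service. The regexes are written for the two layouts shown here and are an assumption for any other log4j pattern; the sample lines are taken from the excerpts above and trimmed.

```python
"""Audit a CAS server log for logouts that did not notify any service.

Added example; the line-layout regexes are written for the two excerpts in
this post and are an assumption for other log4j patterns.
"""
import re

# Layouts seen in the excerpts:
#   local server : [ts] [LEVEL] [thread] [logger] - message
#   test server  : ts [thread] LEVEL logger.method(File:line) - message
LINE_PATTERNS = [
    re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[(?P<thread>[^\]]+)\] "
               r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"),
    re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<level>\w+) "
               r"(?P<logger>\S+) - (?P<msg>.*)$"),
]

# Message fragments marking the stages of a CAS 4.x logout, as they appear above.
LOGOUT_DONE = re.compile(r"Removed cookie with name \[CASTGC\]")
SLO_SENT = re.compile(r"Sending logout request for: \[(?P<svc>[^\]]+)\]")
SLO_FINISHED = re.compile(r"Finished sending message to (?P<svc>\S+)")
ST_VALIDATED = re.compile(r"Successfully validated service ticket \S+ for service \[(?P<svc>[^\]]+)\]")


def parse_line(line):
    """Return the message part of a log line, or None if the layout is unknown."""
    for pattern in LINE_PATTERNS:
        m = pattern.match(line)
        if m:
            return m.group("msg")
    return None


def audit_single_logout(lines):
    """Count logouts and notified services; flag a logout with no notification."""
    logouts, notified, finished, validated = 0, [], [], []
    for line in lines:
        msg = parse_line(line.strip())
        if msg is None:
            continue
        if LOGOUT_DONE.search(msg):
            logouts += 1
        elif (m := SLO_SENT.search(msg)):
            notified.append(m.group("svc"))
        elif (m := SLO_FINISHED.search(msg)):
            finished.append(m.group("svc"))
        elif (m := ST_VALIDATED.search(msg)):
            validated.append(m.group("svc"))
    return {
        "logouts": logouts,
        "notified": notified,
        "finished": finished,
        "validated_but_not_notified": [s for s in validated if s not in notified],
        "silent": logouts > 0 and not notified,
    }


# Sample lines taken from the two excerpts above (trimmed to the relevant ones).
LOCAL_LOG_LINES = [
    "[2017-02-17 11:01:43.516] [DEBUG] [web-container-thread-10] [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket found. Processing logout requests and then deleting the ticket...",
    "[2017-02-17 11:01:43.525] [DEBUG] [web-container-thread-10] [org.jasig.cas.logout.LogoutManagerImpl] - Sending logout request for: [http://localhost/upwxs-mgm/]",
    "[2017-02-17 11:01:43.536] [DEBUG] [web-container-thread-10] [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASTGC]",
    "[2017-02-17 11:01:43.564] [DEBUG] [pool-6-thread-1] [org.jasig.cas.util.SimpleHttpClient] - Finished sending message to http://localhost/upwxs-mgm/",
]
TEST_SERVER_LOG_LINES = [
    "2017-02-17 11:19:04,055 [web-container-thread-7] DEBUG org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:177) - Successfully validated service ticket ST-1-tbMal7icRJI623l9lNUU-upwxs.unionpay.com for service [http://172.17.140.22:11000/upwxs-mgm/]",
    "2017-02-17 11:19:17,262 [web-container-thread-1] DEBUG org.springframework.web.util.CookieGenerator.removeCookie(CookieGenerator.java:215) - Removed cookie with name [CASTGC]",
    "2017-02-17 11:19:17,263 [web-container-thread-1] DEBUG org.springframework.web.util.CookieGenerator.removeCookie(CookieGenerator.java:215) - Removed cookie with name [CASPRIVACY]",
]

if __name__ == "__main__":
    print(audit_single_logout(LOCAL_LOG_LINES))        # silent: False
    print(audit_single_logout(TEST_SERVER_LOG_LINES))  # silent: True
```

On a real server, feed the whole log file in with `audit_single_logout(open("cas.log"))`; a "silent" result with a non-empty "validated_but_not_notified" list is the signature of exactly the failure described here, and is worth alerting on, since sessions that outlive the SSO logout are what an attacker on a shared browser would benefit from.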

Reasons for not being able to log out

From the log comparison above, the reason is clear: the CAS SSO server did not notify the SSO client to log out.

Solving the problem

Looking carefully at the source code of the CAS SSO server, we found this piece of code:

// TODO Attaches Code Tomorrow

Posted by Whitestripes9805 on Wed, 17 Apr 2019 15:21:33 -0700