[Geoserver-devel] [jira] (GEOS-6189) The GS logout fails when CAS server sends a Single Sign Out signal coming from third party applications

Nazzareno Sileno created Bug GEOS-6189
The GS logout fails when CAS server sends a Single Sign Out signal coming from third party applications

Issue Type:

Bug

Affects Versions:

2.4.2

Assignee:

Andrea Aime

Attachments:

CAS3dyLogoutIssue.patch, recordSessionOnLogoutIssue.patch

Components:

Security

Created:

25/Nov/13 1:10 PM

Description:

Looking at the code in GeoServerCasAuthenticationFilter, it seems that there is an issue destroying the session.
This piece of code in the doFilter method, near line 186:
    ... if (handler.isLogoutRequest(httpReq)) {
        if (singleSignOut) { // do we participate
            LOGGER.info("Single Sign Out received from CAS server --> starting log out");
            handler.destroySession(httpReq);
            LogoutFilterChain logOutChain = (LogoutFilterChain) getSecurityManager()
                    .getSecurityConfig().getFilterChain().getRequestChainByName("webLogout");
            logOutChain.doLogout(getSecurityManager(), httpReq, httpRes, getName());
        }
        else ...

destroys the session before calling the chain logout, which probably needs to work using the session. The solution is to postpone the destroy instruction; done this way, it seems to work.

Another issue is that if a third-party application executes logout, switching between different users more than twice, at the third attempt GeoServer is not able to recognize the newly logged-in user but logs in the previous user instead.
To solve this issue I removed the record session instruction (as in the second patch):

    if (session != null && session.getAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY) != null && singleSignOut) {
        //getHandler().recordSession(httpReq);
        if (LOGGER.isLoggable(Level.INFO)) ...
    }

Can someone explain to me the purpose of this code? Why do we need to record the session after the logout operation?
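The ordering problem in the first patch, shown as an added stand-alone illustration (this is not GeoServer or CAS client code): a tiny in-memory Session stands in for the servlet HttpSession, CasHandler for the CAS single-sign-out handler (its destroySession invalidates the session, as HttpSession.invalidate() would), and LogoutChain for GeoServer's LogoutFilterChain, which here needs the CAS assertion stored in the session. The attribute key name and the assertion value are constructed sample values. buggyOrder() reproduces the reported order (destroy, then run the chain) and fails because the invalidated session can no longer be read; fixedOrder() runs the chain first and destroys the session afterwards, as the patch proposes.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not project code: models why destroying the session
// before running the logout chain breaks Single Sign Out handling.
public class SingleSignOutOrdering {

    // Hypothetical attribute key; GeoServer uses GeoServerCasConstants.CAS_ASSERTION_KEY.
    static final String CAS_ASSERTION_KEY = "cas.assertion";

    /** Minimal session; getAttribute after invalidate() throws, like HttpSession. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        private boolean valid = true;

        void setAttribute(String key, Object value) { attrs.put(key, value); }

        Object getAttribute(String key) {
            if (!valid) throw new IllegalStateException("session already invalidated");
            return attrs.get(key);
        }

        void invalidate() { valid = false; attrs.clear(); }

        boolean isValid() { return valid; }
    }

    /** Stand-in for the CAS handler: destroySession invalidates the session. */
    static final class CasHandler {
        void destroySession(Session session) { session.invalidate(); }
    }

    /** Stand-in for the logout chain: it reads the assertion from the session. */
    static final class LogoutChain {
        String doLogout(Session session) {
            Object assertion = session.getAttribute(CAS_ASSERTION_KEY);
            if (assertion == null) return "no-assertion";
            // A real chain would clear the security context, audit and redirect here.
            return "logged-out:" + assertion;
        }
    }

    /** Order as reported in the issue: destroy first, then run the chain. */
    static String buggyOrder(Session session, CasHandler handler, LogoutChain chain) {
        handler.destroySession(session);
        return chain.doLogout(session); // throws IllegalStateException: session is gone
    }

    /** Order proposed by the patch: run the chain while the session is usable, then destroy. */
    static String fixedOrder(Session session, CasHandler handler, LogoutChain chain) {
        String result = chain.doLogout(session);
        handler.destroySession(session);
        return result;
    }

    static Session newSessionWithAssertion() {
        Session session = new Session();
        session.setAttribute(CAS_ASSERTION_KEY, "assertion-for-user-A"); // constructed sample value
        return session;
    }

    public static void main(String[] args) {
        CasHandler handler = new CasHandler();
        LogoutChain chain = new LogoutChain();

        try {
            buggyOrder(newSessionWithAssertion(), handler, chain);
        } catch (IllegalStateException e) {
            System.out.println("buggy order failed: " + e.getMessage());
        }

        Session session = newSessionWithAssertion();
        String result = fixedOrder(session, handler, chain);
        System.out.println("fixed order: " + result + ", session still valid=" + session.isValid());
    }
}
```

Compile and run it with `javac SingleSignOutOrdering.java && java SingleSignOutOrdering`. The point it makes is the one the patch relies on: anything the logout chain needs from the session (the assertion, the security context) has to be consumed before the CAS handler invalidates it, and in the fixed order the session still ends up invalidated once the chain has finished.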

Environment:

Linux Mint Petra

Fix Versions:

2.4.2

Project:

GeoServer

Labels:

cas

Priority:

Major

Reporter:

Nazzareno Sileno
