
I implemented a CAS server 4.0 for SSO. I have 3 apps (Spring Web MVC with Spring CAS Security) connected to the CAS server. I configured the CAS server to manage tickets by JPA and to check authentication in CAS by username. Currently I'm creating a forgot-password function for my apps; my issue now is how to invalidate the user's cookie/session on the CAS server (or log them out) after the password has been reset (note that they can log in as one user and execute forgot password for another user). Can we do it with CAS? Any help will be greatly appreciated. Thank you guys.

Quan M Le

1 Answer


I have CAS 3.1 implemented and here is what I do:

Controller Method

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hitting this URL after the reset pushes the browser through the Spring Security logout chain (local session first, then CAS /logout via the config below).
@RequestMapping(value = "/onCompletePasswordReset.html", method = RequestMethod.GET)
public String completeResetLicense() {
    return "redirect:j_spring_security_logout";
}

Spring Security

<http auto-config='true' entry-point-ref="casEntryPoint">
    <intercept-url pattern="/**" access="ROLE_ADMINISTRATORS" />
    <custom-filter position="CAS_FILTER" ref="casFilter" />
    <!-- Local logout (j_spring_security_logout) ends by redirecting to the CAS logout filter below -->
    <logout logout-success-url="/j_spring_cas_security_logout" />
    <!-- Clears the local security context and sends the browser to the CAS server's /logout so the TGT is destroyed too -->
    <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
    <!-- Receives CAS single logout (SLO) callbacks and invalidates the matching local HTTP session -->
    <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
</http>
<beans:bean id="singleLogoutFilter"
    class="org.jasig.cas.client.session.SingleSignOutFilter" />
<beans:bean id="requestSingleLogoutFilter"
    class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg value="https://cas_server:8443/cas/logout" />
    <beans:constructor-arg>
        <beans:bean
            class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout" />
</beans:bean>
James Jithin
  • Thanks James, but the problem is that after the reset they don't want to redirect. – Quan M Le Sep 14 '15 at 10:34
  • @QuanMLe, then don't redirect. Just trigger an AJAX call in the background with the logout. – James Jithin Sep 14 '15 at 10:37
  • OK, thanks James, I'm trying your solution. – Quan M Le Sep 14 '15 at 10:38
  • Sorry, it didn't work, because they can log in with one user id and execute forgot password for another user id. – Quan M Le Sep 14 '15 at 11:23
  • How do you handle it in a default Spring web application without CAS? In my application, access to the application login page or reset or anything will detect the session and move them to the home page. – James Jithin Sep 14 '15 at 14:07
  • In this situation I will provide a function to invalidate the session/cookie of the username parameter. With CAS it is a bit difficult because CAS takes care of every ticket for user authentication. – Quan M Le Sep 15 '15 at 02:39
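Since the thread ends without a server-side answer, here is an added example (not from the question, the answer, or the CAS project) of the "invalidate by username" function the last comment describes, written against the CAS 4.0 server API as I remember it: `TicketRegistry.getTickets()`, `Ticket.getGrantingTicket()`, `TicketGrantingTicket.getAuthentication().getPrincipal().getId()` and `CentralAuthenticationService.destroyTicketGrantingTicket(String)` returning `List<LogoutRequest>`. The class name, its wiring and the case-insensitive username match are assumptions.

```java
import java.util.List;
import org.jasig.cas.CentralAuthenticationService;
import org.jasig.cas.logout.LogoutRequest;
import org.jasig.cas.ticket.Ticket;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical helper inside the CAS server webapp (not the client apps).
 * After a password reset it destroys every live TGT issued to the given
 * username, whichever browser session requested the reset, so the old
 * credential can no longer mint service tickets. Going through
 * CentralAuthenticationService (rather than TicketRegistry.deleteTicket)
 * also fires the single logout callbacks the clients' SingleSignOutFilter acts on.
 */
public class PasswordResetSessionRevoker {
    private static final Logger LOGGER = LoggerFactory.getLogger(PasswordResetSessionRevoker.class);
    private final TicketRegistry ticketRegistry;        // CAS bean "ticketRegistry"
    private final CentralAuthenticationService cas;     // CAS bean "centralAuthenticationService"

    public PasswordResetSessionRevoker(TicketRegistry ticketRegistry, CentralAuthenticationService cas) {
        this.ticketRegistry = ticketRegistry;
        this.cas = cas;
    }

    /** Destroys the user's root TGTs and returns how many were destroyed. */
    public int revokeSessionsFor(String username) {
        int destroyed = 0;
        // getTickets() scans the whole registry (the whole ticket table for the JPA
        // registry), which is acceptable for something as rare as a password reset.
        for (Ticket ticket : ticketRegistry.getTickets()) {
            // Root TGTs only: proxy-granting tickets hang off a parent and die with it.
            if (!(ticket instanceof TicketGrantingTicket) || ticket.getGrantingTicket() != null || ticket.isExpired()) {
                continue;
            }
            TicketGrantingTicket tgt = (TicketGrantingTicket) ticket;
            // Principal id as CAS recorded it; assumed to be the same username the reset form uses.
            String owner = tgt.getAuthentication().getPrincipal().getId();
            if (!username.equalsIgnoreCase(owner)) {
                continue;
            }
            // Removes the TGT with its service tickets and sends an SLO request to every
            // service that logged in through it. Ticket ids are secrets: log only the count.
            List<LogoutRequest> slo = cas.destroyTicketGrantingTicket(tgt.getId());
            LOGGER.info("Password reset for {}: destroyed a TGT, notified {} service(s)", owner, slo.size());
            destroyed++;
        }
        return destroyed;
    }
}
```

Wire it as a bean in the CAS server context and call `revokeSessionsFor(username)` from the server-side step that actually changes the password; the requester's own TGT is untouched unless it belongs to the same username, which is exactly the case the question raises. With the JPA registry this relies on the CAS-supplied transaction advice around the registry calls; if that advice is not in place, run the method inside a Spring transaction.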