Aubergine

Reputation: 6042

CAS single logout callback hits 403(forbidden)

I rephrased the question and deleted the old one. Hopefully I will get answers now.

The CAS server attempts to send a callback request on SLO to the protected app:

<Error Sending message to url endpoint [http://localhost:8080/j_spring_cas_security_check]. Error is [Server returned HTTP response code: 403 for URL: http://localhost:8080/j_spring_cas_security_check]>

When debugging, the org.jasig.cas.client.session.SingleSignOutFilter never gets hit.

@Override
public void configure(HttpSecurity http) throws Exception {
    http
        .addFilter(casFilter())
        .addFilterBefore(requestSingleLogoutFilter(), LogoutFilter.class)
        .addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
        .logout().permitAll()
            .logoutSuccessUrl("http://localhost:8080/j_spring_cas_security_logout")
            .invalidateHttpSession(true)
            .and()
        .authorizeRequests().antMatchers("/home2").hasAuthority("USER").and()
        .exceptionHandling().authenticationEntryPoint(casEntryPoint).and()
        .httpBasic();
}

Filter casFilter() {
    // Validates the CAS service ticket presented on /j_spring_cas_security_check.
    CasAuthenticationFilter casAuthenticationFilter = new CasAuthenticationFilter();
    casAuthenticationFilter.setServiceProperties(getServiceProperties());
    casAuthenticationFilter.setAuthenticationManager(getProviderManager());
    return casAuthenticationFilter;
}

LogoutFilter requestSingleLogoutFilter() {
    // Local logout: clear the security context, then redirect to the CAS server's logout page.
    LogoutFilter logoutFilter = new LogoutFilter("http://localhost:8089/cas/logout",
            new SecurityContextLogoutHandler());
    logoutFilter.setFilterProcessesUrl("/j_spring_cas_security_logout");
    return logoutFilter;
}

SingleSignOutFilter singleSignOutFilter() {
    // Handles the SLO callback POSTed by the CAS server and invalidates the matching session.
    return new SingleSignOutFilter();
}

@Override
public void onStartup(ServletContext servletContext) throws ServletException {
    // Keeps the session-id to ticket mapping that SingleSignOutFilter relies on.
    servletContext.addListener(new org.jasig.cas.client.session.SingleSignOutHttpSessionListener());
}

I have everything apart from the logout. Currently it invalidates the session thanks to LogoutFilter and destroys the ticket (on redirect to CAS), BUT if the SLO request were sent from another protected application, obviously it would have no impact on this application (as the session id will still be here).

Any suggestions?

Upvotes: 3

Views: 2142

Answers (1)

Mantas

Reputation: 46

Had the same situation (403 status code) with CAS SLO; in my Spring Security log I found:

Invalid CSRF token found for http://localhost:8080/j_spring_cas_security_check

so I disabled the CSRF filter in my security config:

http.csrf().disable();

This might not be good practice, just a quick solution that works for me for now. Also I am not sure if I can get the right CSRF token if SLO is initiated in another protected application.

Upvotes: 3
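The CAS server's SLO callback is a server-to-server POST, so it can never carry the browser's CSRF token; the narrower fix is to exempt only that callback from the CSRF check and keep protection for every user-facing form. The following Spring Security configuration is an added example written for this page, not code from the question or the answer; it assumes Spring Security 4.1 or later (for ignoringRequestMatchers) on Java 8, and the class name CasSloCsrfConfig is invented.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CasSloCsrfConfig extends WebSecurityConfigurerAdapter {

    // Path the CAS server posts the logout request to (taken from the 403 log line in the question).
    private static final String CAS_CHECK_PATH = "/j_spring_cas_security_check";

    // Matches only the CAS single logout callback: a POST to the check URL that carries the
    // "logoutRequest" parameter SingleSignOutFilter consumes. GETs with a service ticket are
    // already exempt from CSRF (safe method), and every other POST keeps the token check.
    private static final RequestMatcher CAS_SLO_CALLBACK = request ->
            "POST".equalsIgnoreCase(request.getMethod())
            && CAS_CHECK_PATH.equals(request.getServletPath())
            && request.getParameter("logoutRequest") != null;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // WEAK (the answer's quick fix): CSRF protection is removed for the whole application.
        // http.csrf().disable();

        // HARDENED: exempt only the SLO callback; user-facing forms are still token-checked.
        http.csrf().ignoringRequestMatchers(CAS_SLO_CALLBACK);

        // The CAS filters, logout() and authorizeRequests() chain from the question follow here
        // unchanged; SingleSignOutFilter is what validates the posted logoutRequest against the
        // session-to-ticket mapping kept by SingleSignOutHttpSessionListener.
    }
}
```

To confirm the exemption is working, the "Invalid CSRF token found" line should disappear from the Spring Security log while a forged POST to any other endpoint without a token is still rejected with 403.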
