Issue 12508

SingleSignOutFilter is not invalidating the session, so "currentUser" (BaseAction) is going to be still valid even when we have logged out from CAS

Reporter: jcuadra
Assignee: jcuadra
Type: Bug
Summary: SingleSignOutFilter is not invalidating the session, so "currentUser" (BaseAction) is going to be still valid even when we have logged out from CAS
Priority: Major
Resolution: Fixed
Status: Closed
Created: 2012-12-06 17:31:27.317
Updated: 2013-08-29 14:44:17.991
Resolved: 2013-01-17 14:01:53.162
Description: On the Portal Listener (, we are using the SingleSignOutFilter to make it easy for us to logout from CAS as well from the portal web application, but this is not happening. Reason:

1. For logging out we do a simple

which logs out from the CAS service but our portal session remains valid, and our BaseAction class has

   * @return the currently logged in user.
  public User getCurrentUser() {
    return (User) session.get(Constants.SESSION_USER);

where in our default.ftl we have:

        <#if currentUser??>
        View your account
        <@s.text name="menu.logout"/>
        <@s.text name="menu.login"/> or
        <@s.text name="menu.register"/>

So from this, currentUser will never be empty, the "VIEW ACCOUNT" - "LOGOUT" links are always showing, even when we logged out from CAS.

Next, in the SingleSignOutFilter, there is:

    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;

        if (handler.isTokenRequest(request)) {
        } else if (handler.isLogoutRequest(request)) {
            // Do not continue up filter chain
        } else {
            log.trace("Ignoring URI " + request.getRequestURI());

        filterChain.doFilter(servletRequest, servletResponse);

where the isLogoutRequest will never return true in our case:

    public boolean isLogoutRequest(final HttpServletRequest request) {
        return "POST".equals(request.getMethod()) && !isMultipartRequest(request) &&
            CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName));

so in summary, "handler.destroySession(request)" never gets called.


1) Extend the SingleSignOutFilter to handle the way we are logging out from the web application.

2) Logout the way SingleSignOutFilter mandates.

3) Do some magic on the LoginInterceptor to detect when the user has logged out from CAS and invalidate manually the session.]]>

Comment: If we can Id leave CAS as it was designed and use a POST instead to logout
Created: 2012-12-07 10:29:36.371
Updated: 2012-12-07 10:29:36.371

Comment: I don't mind really, but yeah 2) seems the easiest way around. I would like to keep the logout link style though, so I would just add some piece of jquery to override the default onclick behaviour of the LOGOUT link, by doing a POST request instead.
Created: 2012-12-07 10:34:32.188
Updated: 2012-12-07 10:34:32.188

Comment: There might be cross domain issues in posting via jquery, especially since this is https. Might be better to create a logout action that does this under the hood?
Created: 2012-12-07 11:43:39.375
Updated: 2012-12-07 11:43:39.375

Comment: All my tests where done using my local copy at localhost. This problem is not present at staging which I didn't test.
Created: 2013-01-17 14:01:53.191
Updated: 2013-01-17 14:01:53.191