The CAS logout URL can now be configured in web.xml instead of being hard-coded
in logout.jsp. This was done by adding a logout filter. Going to the URL
/cat/auth/logout will now log you out of the application.

This also fixes a minor execution-order bug on logout that leads to the session
persisting after the first logout. The execution flow in the original
logout.jsp goes: application clears session, logout.jsp loads the "My Courses"
page, logout.jsp goes to the CAS logout page to clear the CAS session. What
happens in our environment is that when logout.jsp loads "My Courses", because
the CAS session hasn't expired, it is able to reauthenticate and recreate the
application session. The workaround is to press logout again to truly log out.
The actual fix swaps the last two operations so that it goes: application
clears session, redirects to the CAS logout page to clear the CAS session,
redirects to "My Courses".

Redirecting to "My Courses" needs to be done by the CAS server, since the
browser was redirected to the CAS page. Luckily, there is a "service" parameter
that you can pass to the CAS logout URL that tells the CAS server where to go
after logout.
Fixes #2
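The logout sequence described above (invalidate the application session, then redirect to the CAS logout endpoint with a "service" parameter so CAS sends the browser on to the landing page), as an added example and not the project's own filter. The class name, the init-param names (casLogoutUrl, postLogoutUrl), the URL mapping and the example hostnames are assumptions for illustration; the CAS logout endpoint and its "service" parameter are the only things taken from the description.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Illustrative web.xml wiring (names are assumptions, not the project's):
 *
 *   <filter>
 *     <filter-name>casLogoutFilter</filter-name>
 *     <filter-class>CasLogoutFilter</filter-class>
 *     <init-param>
 *       <param-name>casLogoutUrl</param-name>
 *       <param-value>https://cas.example.edu/cas/logout</param-value>
 *     </init-param>
 *     <init-param>
 *       <param-name>postLogoutUrl</param-name>
 *       <param-value>https://app.example.edu/cat/courses</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>casLogoutFilter</filter-name>
 *     <url-pattern>/auth/logout</url-pattern>
 *   </filter-mapping>
 */
public class CasLogoutFilter implements Filter {
    private String casLogoutUrl;   // CAS server logout endpoint, from web.xml
    private String postLogoutUrl;  // where CAS should send the browser afterwards

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        casLogoutUrl = cfg.getInitParameter("casLogoutUrl");
        postLogoutUrl = cfg.getInitParameter("postLogoutUrl");
        if (casLogoutUrl == null || postLogoutUrl == null) {
            throw new ServletException(
                "casLogoutUrl and postLogoutUrl init-params are required");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 1: clear the application session. getSession(false) avoids
        // creating a fresh session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Step 2: send the browser to CAS logout *before* any protected page
        // is loaded. CAS destroys the SSO session and then redirects to the
        // "service" URL, so no CAS ticket exists to recreate the app session.
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(buildLogoutRedirect(casLogoutUrl, postLogoutUrl));
        // Deliberately no chain.doFilter(): the request ends with the redirect.
    }

    /** Appends the URL-encoded post-logout page as the CAS "service" parameter. */
    static String buildLogoutRedirect(String casLogoutUrl, String postLogoutUrl) {
        String encoded = URLEncoder.encode(postLogoutUrl, StandardCharsets.UTF_8);
        String sep = casLogoutUrl.contains("?") ? "&" : "?";
        return casLogoutUrl + sep + "service=" + encoded;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two practitioner notes. First, the redirect target is fixed in web.xml rather than taken from the request, so the filter cannot be used as an open redirector via a user-supplied URL. Second, whether the CAS server actually follows the "service" parameter depends on its configuration: CAS only redirects after logout when it is configured to follow service redirects (in recent CAS versions the `cas.logout.followServiceRedirects` setting, and the target must be a registered service); otherwise it shows its own logout page and the user stays there, which still leaves both sessions cleared. `URLEncoder.encode(String, Charset)` requires Java 10 or later; on older runtimes use the `(String, "UTF-8")` overload and handle its checked exception.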