zkoss / zkspring

Automatically exported from code.google.com/p/zkspring

Wrong login after CAS logout redirect #4

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There is a problem after CAS logout redirect back to ZK webapp login.

 The scenario is the following:

     ZKwebapp (ZK: 5.0.2
              ZKSpring: 3.0RC-FL-2010-05-20
              Spring Sec/Spring: 3.0.2.RELEASE)
     CAS 3.3.5
     OS: Linux: Ubuntu - Debian
     JDK: 1.6

  The ZKwebapp uses CAS as authentication service. The problem is when I have to return to ZKwebapp login after logging out from CAS.

CAS Configuration:
  The only change to the out-of-the-box CAS webapp is the following:
  Edit the file {cas-webapp}/WEB-INF/cas-servlet.xml
  Add p:followServiceRedirects="true" to the bean id="logoutController".
     e.g.:
    <bean id="logoutController" class="org.jasig.cas.web.LogoutController"
              ...
        p:ticketGrantingTicketCookieGenerator-ref="ticketGrantingTicketCookieGenerator"
        p:followServiceRedirects="true"/>

  This change allows the user service to set a redirection URL after logout: CAS will log out and redirect the user's browser to the received "service" parameter.

ZKwebapp Configuration:
      Spring Security logout redirects to CAS logout with a "return to login" parameter.
      Add the redirect service parameter to the CAS logout request:

        <security:http entry-point-ref="casAuthenticationEntryPoint"
                       access-decision-manager-ref="accessDecisionManager"
                ....
            <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
            <security:logout logout-success-url="https://${cas.server.url}/logout?service=http://${ZKwebapp.url}" invalidate-session="true" />
            ...
        </security:http>

    When Spring Security logs out, it calls CAS logout and "configures" CAS to redirect the user again to the ZK webapp URL.

What steps will reproduce the problem?

1. Log in to the ZK webapp: e.g. point the browser to http://ZKwebapp.url
2. Spring Security: will redirect the browser to https://{cas.server.url}/login
3. The CAS login page will be shown
4. Log in to CAS (after success it will redirect to http://ZKwebapp.url)
5.1 The browser address bar shows: http://${ZKwebapp.url}
5.2 The browser contents are: index ZUL page contents
6. Log out of the ZK webapp, e.g.: http://${ZKwebapp.url}/j_spring_security_logout
7. Spring Security: will redirect the browser to https://{cas.server.url}/logout
8. CAS: will log out and redirect the browser to http://${ZKwebapp.url}
9. [SAME AS STEP 2] Spring Security: will redirect the browser to https://{cas.server.url}/login
10. [SAME AS STEP 3]
11. [SAME AS STEP 4]
12.1 The browser address bar shows: http://${ZKwebapp.url}/zkau?dtid=zd_9r71&cmd_0=rmDesktop&opt_0=i
12.2 The browser contents are: {"rs":[]}

What is the expected output? What do you see instead?
Steps 12.1 and 12.2 should be equal to 5.1 and 5.2.

see attached file: Log (DEBUG) between step 6 and step 9 of ZK webapp

Original issue reported on code.google.com by fernando...@gmail.com on 2 Sep 2010 at 5:19

GoogleCodeExporter commented 9 years ago
Could you post a runnable example that reproduces this issue?

Original comment by ashish.dasnurkar on 1 Mar 2011 at 3:00

GoogleCodeExporter commented 9 years ago
Hi Ashish,

   Here is the demo to reproduce the bug.
   I attached a rar file (in 4 parts) including 2 war files:
      cas.war     : Jasig CAS server (http://www.jasig.org/cas/)
      hellozk.war : ZK + ZKSpring + Spring Security + CAS client example

 Steps to reproduce the bug:

    Start the wars in a Tomcat on port 8080 (the port is important because it is used in the CAS service params).

    1) Open: http://localhost:8080/hellozk/
    2) You will be forwarded to CAS (http://cas-server:8080/cas/login...)
    3) Log in to the CAS server using usr/passwd: admin/admin
    4) You will be forwarded to hellozk: you'll see the "Secure Page Hello World"
    5) Press the "logout" link

    6) Same as step 2
    7) Same as step 3
    8) You'll see: {"rs":[]}

Please let me know if you need some help running this.

Thanks in advance,
Fernando

Original comment by fernando...@gmail.com on 4 Mar 2011 at 2:49

GoogleCodeExporter commented 9 years ago
Attachment part 2 of 4

Original comment by fernando...@gmail.com on 4 Mar 2011 at 2:55

GoogleCodeExporter commented 9 years ago
Attachment part 3 of 4

Original comment by fernando...@gmail.com on 4 Mar 2011 at 2:58

GoogleCodeExporter commented 9 years ago
Attachment, last part

Original comment by fernando...@gmail.com on 4 Mar 2011 at 3:00

GoogleCodeExporter commented 9 years ago
Hi!
I've encountered the same problem. I think the problem is that ZK, immediately after the session has become invalid, makes a call to some internal servlet, and Spring Security, after user login, tries to make the same call again.

I partially solved this issue using a link to a JSP page when the user clicks the logout button, and this JSP page forwards to /j_spring_security_logout using an HTML meta tag. (This works for logout done by users, but not for session timeout.)

The only thing that solved this issue was granting anonymous access to /zkau/** in the Spring Security configuration.
I don't know if it's a bad idea or not; in my case I don't need to care much about it, but I think in many situations this is not a valid solution!

Original comment by marco.gu...@gmail.com on 7 Mar 2011 at 9:12

GoogleCodeExporter commented 9 years ago
Hi !

I am stuck! How can I get rid of this problem? (The {"rs":[]} showing up in my browser.)

Thanks in advance for your help.

Mawane.

Original comment by marwane....@gmail.com on 18 Jul 2011 at 12:53

GoogleCodeExporter commented 9 years ago
Hi marwane:

   I had to apply marco.gu's workaround (comment 6), because we haven't got any response for this issue.

   I've configured the Spring Security filters this way:

    <security:http entry-point-ref="casAuthenticationEntryPoint"
                   access-decision-manager-ref="accessDecisionManager"
                   auto-config="true">

        <security:intercept-url pattern="/zkau/**" filters="none" />
                ...
    </security:http>

Place the "/zkau/**" entry first in the list.

Original comment by fernando...@gmail.com on 28 Jul 2011 at 1:57

GoogleCodeExporter commented 9 years ago
Hi! After further investigation, I think this is not an issue at all, at least not strictly speaking.

A possible solution, more elegant than the work-around posted above, could be:

        <s:form-login login-page="/login.jsp" always-use-default-target="true" authentication-failure-url="/login_fail.jsp" />

setting always-use-default-target to true.

This is certainly a clearer way than the previous one, I hope it can help!

Original comment by marco.gu...@gmail.com on 1 Aug 2011 at 7:35
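The two workarounds in this thread (comment 6/8: take /zkau/** out of the filter chain; the comment above: always-use-default-target) address the same mechanism. After logout the ZK client fires a final AU request (/zkau?...&cmd_0=rmDesktop) against an invalidated session; Spring Security treats it as an unauthenticated request, stores it in its request cache and sends the browser to CAS; after the CAS login the default SavedRequestAwareAuthenticationSuccessHandler replays that stored AU request, so the browser ends up on the raw AU response {"rs":[]} instead of the index page. The form-login attribute in the comment above only configures the form-login filter, which the original reporter does not use: with CAS the processing filter is CasAuthenticationFilter, and the same effect is obtained by giving it a success handler with alwaysUseDefaultTargetUrl set to true. The following configuration is an added example written for this thread, not code from the reporter or the zkspring project; the bean ids casAuthenticationFilter and authenticationManager, the / target URL and the surrounding http element are assumptions, only the Spring Security 3.0 class names and property names are real.

```xml
<!-- Added example, not from the original thread: CAS equivalent of
     always-use-default-target="true". The bean ids "casAuthenticationFilter"
     and "authenticationManager" and the target URL "/" are assumptions. -->
<bean id="casAuthenticationFilter"
      class="org.springframework.security.cas.web.CasAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <!-- Land on the application entry page after every CAS login instead of
       replaying the request saved before the redirect to CAS. After logout
       that saved request is the ZK AU call /zkau?...&cmd_0=rmDesktop, whose
       response is the bare {"rs":[]} seen in the issue. -->
  <property name="authenticationSuccessHandler">
    <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
      <property name="defaultTargetUrl" value="/"/>
      <property name="alwaysUseDefaultTargetUrl" value="true"/>
    </bean>
  </property>
</bean>

<security:http entry-point-ref="casAuthenticationEntryPoint"
               access-decision-manager-ref="accessDecisionManager">
  <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"/>
  <!-- /zkau/** stays inside the secured chain; no filters="none" exception -->
  <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED"/>
  <security:logout logout-success-url="https://${cas.server.url}/logout?service=http://${ZKwebapp.url}"
                   invalidate-session="true"/>
</security:http>
```

The difference from the filters="none" workaround is what is protected: with /zkau/** excluded, every ZK AU request (that is, every user event the ZK client sends once a page is loaded) bypasses the Spring Security filter chain entirely, so the SecurityContextHolder is not populated for those requests and no intercept-url or access-decision rule applies to them. The success-handler approach leaves /zkau/** behind IS_AUTHENTICATED_REMEMBERED and only changes where the browser lands after login; its cost is that a user who was sent to CAS from a deep link is returned to the default target rather than to the page they asked for.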

GoogleCodeExporter commented 9 years ago
I have confirmed with Ashish that this is a configuration issue.

Original comment by hawkc...@potix.com on 5 Sep 2011 at 6:43

GoogleCodeExporter commented 9 years ago
Hello everyone, can anyone explain exactly for me how to make the right configuration between Spring Security and the ZK framework, because I have the same issue here.
My app is ZK Java code from scratch, so I log out and log in using Java code, no ZK tags in my web application. So from Java, how do I kill the Spring session and the ZK session at the same time?
Plus, how to solve the {"rs":[]} error!

Original comment by progbish...@gmail.com on 14 Mar 2013 at 1:03

GoogleCodeExporter commented 9 years ago
Any news about this issue?

Original comment by eddu.mel...@gmail.com on 19 Jul 2013 at 7:34