Spring-security-cas plugin Single Sign Out not working


I'm very new to grails and I'm developing an app with Spring-Security-Core and Spring-Security-CAS plugins.

The single sign on is working as expected, but I'm in trouble with the single sign out.

I have two applications, and when I log in to CAS or to any one of the apps, I can access the 2 applications without any problems. But when I try to log out using app1/logout or app2/logout, only the CAS session and the session of the application that is calling /logout are closed, and I'm still able to navigate through the other app.

Example:
1. log in to app1 through the CAS login page
2. log in to app2 through CAS ticket validation
3. log out from app1 -> app1 and the CAS session are closed, but app2 is still logged in (it should be logged out here)

Anyone has an idea on how to fix it?


UPDATING

When I'm logged in to my two apps and try to log out from one, I can see these POST calls in localhost_access_log.txt:

127.0.0.1 - - [10/Apr/2014:14:36:05 -0300] "GET /app/logout/index HTTP/1.1" 302 -
127.0.0.1 - - [10/Apr/2014:14:36:05 -0300] "GET /app/j_spring_security_logout HTTP/1.1" 302 -
0:0:0:0:0:0:0:1 - - [10/Apr/2014:14:36:05 -0300] "GET /cas/logout?service=http://localhost:8090/app/logout/afterLogout HTTP/1.1" 200 2039
127.0.0.1 - - [10/Apr/2014:14:36:05 -0300] "POST /app2/j_spring_cas_security_check HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2014:14:36:05 -0300] "POST /app/j_spring_cas_security_check HTTP/1.1" 200 -
0:0:0:0:0:0:0:1 - - [10/Apr/2014:14:36:05 -0300] "GET /cas/images/confirm.gif HTTP/1.1" 200 958
0:0:0:0:0:0:0:1 - - [10/Apr/2014:14:36:05 -0300] "GET /cas/favicon.ico HTTP/1.1" 200 170

I believe that this should be enough to log out from my two apps, but app2 isn't logging out, only app1 (app).

any advice would be welcome =D

thanks


Apparently there's an obscure feature in spring-security-core Grails plugin that conflicts with Single sign-out, as implemented in the CAS Java client.

This is documented in a bug from Jan 2011 which apparently nobody is interested in solving.

There is a simple workaround: just disable the obscure feature in your Config:

grails.plugin.springsecurity.useSessionFixationPrevention = false
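The workaround makes sense once you see what the single sign-out bookkeeping looks like. The following is an added example (my own Python model, not code from the Grails plugins or the CAS Java client): the CAS client records the service ticket against the HttpSession when the ticket is validated (the /j_spring_cas_security_check requests in the access log above), and the CAS server later POSTs a SAML logoutRequest whose SessionIndex is that ticket, which the client uses to look up and invalidate the session. If session-fixation prevention replaces the session right after validation, the stored session is already dead and the new one survives. The third case, re-keying the mapping to the migrated session, is a hypothetical alternative fix shown for contrast, not what either plugin does. The ticket value, session ids and logoutRequest document are constructed for the example.

```python
"""Model of CAS single sign-out bookkeeping and of how Spring Security
session-fixation prevention breaks it.  Constructed example; not code from
the Grails spring-security plugins or the CAS Java client."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the logoutRequest parameter the CAS server POSTs to
# each service URL after a single sign-out is triggered.
LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1" Version="2.0" '
    'IssueInstant="2014-04-10T17:36:05Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-abc123</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


class Session:
    """Stand-in for HttpSession: an id, attributes, and a validity flag."""
    def __init__(self, sid):
        self.id = sid
        self.attributes = {}
        self.valid = True

    def invalidate(self):
        # HttpSession.invalidate() throws IllegalStateException on a dead session
        if not self.valid:
            raise RuntimeError(f"session {self.id} already invalidated")
        self.valid = False


class SessionMappingStorage:
    """Ticket -> session map kept by the single sign-out filter."""
    def __init__(self):
        self.by_ticket = {}
        self.ticket_by_session = {}

    def add(self, ticket, session):
        self.by_ticket[ticket] = session
        self.ticket_by_session[session.id] = ticket

    def remove_by_ticket(self, ticket):
        session = self.by_ticket.pop(ticket, None)
        if session is not None:
            self.ticket_by_session.pop(session.id, None)
        return session

    def rekey_session(self, old_id, new_session):
        """Hypothetical fix: point the ticket at the migrated session."""
        ticket = self.ticket_by_session.pop(old_id, None)
        if ticket is not None:
            self.add(ticket, new_session)


def extract_session_index(logout_request_xml):
    """Pull the service ticket out of the SAML logoutRequest."""
    root = ET.fromstring(logout_request_xml)
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    return None if node is None or node.text is None else node.text.strip()


def validate_ticket(storage, ticket, session):
    """Service-ticket validation: remember ticket -> session, log the user in."""
    storage.add(ticket, session)
    session.attributes["user"] = "alice"   # constructed principal


def migrate_session(storage, old, new_id, keep_mapping):
    """Session-fixation prevention: new id, copy attributes, kill the old session."""
    new = Session(new_id)
    new.attributes = dict(old.attributes)
    if keep_mapping:
        storage.rekey_session(old.id, new)
    old.invalidate()
    return new


def handle_logout_request(storage, logout_request_xml):
    """Server-initiated logout: True only if a live session was actually ended."""
    ticket = extract_session_index(logout_request_xml)
    session = storage.remove_by_ticket(ticket) if ticket else None
    if session is None:
        return False
    try:
        session.invalidate()
        return True
    except RuntimeError:
        return False   # stale mapping: the dead session is ignored, the live one survives


def simulate(session_fixation_prevention, keep_mapping=False):
    """Run one app through ticket validation and a CAS logoutRequest."""
    storage = SessionMappingStorage()
    session = Session("app2-session-1")
    validate_ticket(storage, "ST-1-abc123", session)
    if session_fixation_prevention:
        session = migrate_session(storage, session, "app2-session-2", keep_mapping)
    ended = handle_logout_request(storage, LOGOUT_REQUEST)
    return {"logout_handled": ended, "still_logged_in": session.valid}


if __name__ == "__main__":
    print("prevention off   :", simulate(False))
    print("prevention on    :", simulate(True))
    print("on, mapping kept :", simulate(True, keep_mapping=True))
```

With prevention off the logoutRequest ends the session; with it on, the mapping still points at the session that was invalidated during migration, so the logout is silently dropped and the user stays logged in, which is exactly the app2 behaviour described in the question.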

Have you already set the afterLogoutUrl parameter? It manages the CAS logout after the corresponding logout from Grails.

Here is an example taken from one of my applications:

grails.plugins.springsecurity.logout.afterLogoutUrl = "https://$servercas/cas/logout?url=http://$servercas/mygrailsapp/"

For details see the CAS plugin docs under Single Sign Out.