Grails Spring Security Cas 2.0-RC1 Single Sign Out
Spring Security CAS 2.0-RC1 declares a dependency on Spring Security Core 2.0-RC2, but that combination does not compile, so Spring Security Core 2.0-RC4 is used instead.
grails-app/conf/BuildConfig.groovy
```groovy
grails.project.dependency.resolution = {
    repositories {
        mavenRepo "http://repo.spring.io/milestone/"
    }
    plugins {
        compile ":spring-security-core:2.0-RC4"
        compile ":spring-security-cas:2.0-RC1"
    }
}
```
The configuration is as follows.
grails-app/conf/Config.groovy
```groovy
grails.plugin.springsecurity.cas.active = true
grails.plugin.springsecurity.cas.serverUrlPrefix = 'http://localhost:8081/cas' // required
grails.plugin.springsecurity.cas.serverUrlEncoding = 'UTF-8'
grails.plugin.springsecurity.cas.loginUri = '/login'
grails.plugin.springsecurity.cas.sendRenew = false
grails.plugin.springsecurity.cas.serviceUrl = 'http://localhost:8080/myapp/j_spring_cas_security_check' // required
grails.plugin.springsecurity.cas.key = 'myapp' // should be changed
grails.plugin.springsecurity.cas.artifactParameter = 'ticket'
grails.plugin.springsecurity.cas.serviceParameter = 'service'
grails.plugin.springsecurity.cas.filterProcessesUrl = '/j_spring_cas_security_check'
grails.plugin.springsecurity.cas.proxyCallbackUrl = 'http://localhost:8080/myapp/secure/receptor' // required
grails.plugin.springsecurity.cas.proxyReceptorUrl = '/secure/receptor' // required

// single sign out
grails.plugin.springsecurity.cas.useSingleSignout = true
grails.plugin.springsecurity.useSessionFixationPrevention = false // default true
```
The important part is the useSessionFixationPrevention setting.
When SessionFixationProtectionStrategy is active, the session is replaced by a new one after authentication, so the session recorded in SingleSignOutHandler's sessionMappingStorage under the service ticket is no longer the live one. When the CAS server later sends a LogoutRequest for that ticket, the handler cannot find and destroy the user's real session, and single sign out silently fails.
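The interaction described above, as an added simulation that is not part of the original post and not the plugin's own code: a ticket-to-session mapping is filled in when the ticket arrives, session fixation prevention then swaps the session for a fresh one, and a constructed CAS LogoutRequest (its SessionIndex carries the service ticket) is handled against the stale mapping. Session ids, the ticket value and the XML are constructed; the storage model is simplified to ids rather than HttpSession objects.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the single-logout message a CAS server POSTs to the client.
LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1" Version="2.0">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-abcdef</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class Sessions:
    """Toy servlet session registry: session id -> attributes."""
    def __init__(self):
        self.active, self._n = {}, 0

    def create(self, attrs=None):
        self._n += 1
        sid = f"JSESSIONID-{self._n}"
        self.active[sid] = dict(attrs or {})
        return sid

    def invalidate(self, sid):
        return self.active.pop(sid, None) is not None

    def migrate(self, old_sid):
        # What SessionFixationProtectionStrategy does: new id, old session gone.
        return self.create(self.active.pop(old_sid))


def login(sessions, mapping, ticket, fixation_prevention):
    sid = sessions.create()
    mapping[ticket] = sid              # SingleSignOutFilter records ticket -> session
    if fixation_prevention:
        sid = sessions.migrate(sid)    # mapping is not updated and now points at a dead id
    return sid


def session_index(logout_request_xml):
    # The ticket to log out is carried in samlp:SessionIndex.
    return ET.fromstring(logout_request_xml).findtext(f"{{{SAMLP}}}SessionIndex")


def handle_logout(sessions, mapping, logout_request_xml):
    sid = mapping.pop(session_index(logout_request_xml), None)
    return sid is not None and sessions.invalidate(sid)


def demo(fixation_prevention):
    """Returns (logout handled, user's session still alive)."""
    sessions, mapping = Sessions(), {}
    sid = login(sessions, mapping, "ST-1-abcdef", fixation_prevention)
    return handle_logout(sessions, mapping, LOGOUT_REQUEST), sid in sessions.active
```

With fixation prevention on, demo(True) reports that the logout was not applied and the session survives; with useSessionFixationPrevention = false, as in the configuration above, demo(False) destroys the session.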
https://jira.spring.io/browse/SEC-1658
https://issues.jasig.org/browse/CASC-216