I'm trying to understand how Spring Security handles Single Signout. I'm using a CAS server with multiple Grails apps. Here is my scenario:
App #1 & Login
- User navigates to Grails app #1.
- app #1 has no authentication data for the User, and checks the CAS server. The CAS server has no cookie data for the User, so CAS prompts the User to login.
- User logs in to CAS and gets a valid ticket. User is redirected back to the app #1 URL from step 1.
- In the first request after authentication, app #1 loads the CAS ticket into its SecurityContextHolder. Subsequent requests use the ticket data to verify the user is authenticated.
App #2 & Logout
- User navigates to Grails app #2.
- app #2 has no authentication data for the User, and checks the CAS server. The CAS server has cookie data for the User and uses this data to authenticate the User.
- In the first request after authentication, app #2 loads the CAS ticket into its SecurityContextHolder. Subsequent requests use the ticket data to verify the user is authenticated.
Logout
- User logs out of app #2 by hitting app #2's logout page. App #2 no longer has User data stored in SecurityContextHolder.
- User is redirected to the CAS server logout page. CAS no longer has a valid ticket for the User.
- Subsequent (protected) requests to app #2 will redirect the User to the CAS login page.
- Because app #1 still has CAS ticket data in its SecurityContextHolder, subsequent (protected) requests to app #1 will not redirect the user to login. The context must be cleared or expire somehow.
How am I supposed to keep the User from accessing protected URLs in app #1? Is there an expiration date I can set for the SecurityContextHolder?
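The following is an added example, not part of the question above and not Spring Security's or the CAS server's own code. It is a constructed in-memory model of CAS single logout: the CAS server records which service ticket it issued to each application and, on logout, sends each of them a SAML LogoutRequest whose SessionIndex is that ticket, and each application invalidates the local session it bound to that ticket. The `CasServer`, `App` and `run_scenario` names are assumptions made for the model; running the scenario with and without single logout shows why app #1 otherwise keeps its authenticated context.

```python
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class CasServer:
    """Constructed model: remembers which service ticket went to which app."""
    def __init__(self):
        self.tgts = {}  # ticket-granting ticket (SSO cookie) -> [(app, service ticket)]

    def login(self):
        tgt = "TGT-" + uuid.uuid4().hex
        self.tgts[tgt] = []
        return tgt

    def service_ticket(self, tgt, app):
        st = "ST-" + uuid.uuid4().hex
        self.tgts[tgt].append((app, st))
        return st

    def logout(self, tgt, single_logout=True):
        # Destroy the TGT; with single logout also deliver a SAML LogoutRequest
        # (sent by CAS as the "logoutRequest" form field) to every app that got an ST.
        for app, st in self.tgts.pop(tgt, []):
            if single_logout:
                body = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-{uuid.uuid4().hex}" '
                        f'Version="2.0"><samlp:SessionIndex>{st}</samlp:SessionIndex></samlp:LogoutRequest>')
                app.on_logout_request(body)

class App:
    """Constructed model of one app; ticket_to_session is the ticket->session map
    a single-sign-out filter keeps so a back-channel request can find the session."""
    def __init__(self):
        self.sessions = {}           # session id -> user (stands in for the SecurityContext)
        self.ticket_to_session = {}  # service ticket -> session id

    def authenticate(self, st, user):
        sid = "SESSION-" + uuid.uuid4().hex
        self.sessions[sid] = user
        self.ticket_to_session[st] = sid
        return sid

    def is_authenticated(self, sid):
        return sid in self.sessions

    def on_logout_request(self, body):
        st = ET.fromstring(body).findtext(f"{{{SAMLP}}}SessionIndex")
        sid = self.ticket_to_session.pop(st, None)
        self.sessions.pop(sid, None)  # invalidate the local session if it is still alive

def run_scenario(single_logout):
    """Login to app1, SSO into app2, log out from app2; return (app1, app2) auth state."""
    cas, app1, app2 = CasServer(), App(), App()
    tgt = cas.login()
    s1 = app1.authenticate(cas.service_ticket(tgt, app1), "alice")
    s2 = app2.authenticate(cas.service_ticket(tgt, app2), "alice")
    app2.sessions.pop(s2)             # app2's own logout page clears its context
    cas.logout(tgt, single_logout)    # then the user is redirected to CAS logout
    return app1.is_authenticated(s1), app2.is_authenticated(s2)
```

Without single logout the result is `(True, False)`, the situation described in the question; with it app #1's session is gone as well.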