From 95b819ecf9420446b4ed6b59db137c3b0450c54b Mon Sep 17 00:00:00 2001 From: John Hsu Date: Fri, 7 Feb 2014 17:42:34 -0800 Subject: [PATCH] Add CAS logout URL config in web.xml. The CAS logout URL can now be configured in web.xml instead of being hard coded in logout.jsp. This was done by adding a logout filter. Going to the url /cat/auth/logout will now log you out of the application. This also fixes a minor execution order bug on logout that leads to the session persisting after the first logout. The execution flow in the original logout.jsp goes: Application clears session, logout.jsp loads "My Courses" page, logout.jsp goes to CAS logout page to clear CAS session. What happens in our environment is that when logout.jsp loads "My Course", because its CAS session hasn't been expired, it was able to reauthenticate and recreate the application session. The workaround is to press logout again to truly logout. The actual fix swaps the last two operations so that it goes: Application clears session, redirects to CAS logout page to clear CAS session, redirects to "My Courses". Redirecting to "My Courses" needs to be done by the CAS server since the browser was redirect to the CAS page. Luckily, there is a "service" parameter that you can pass to the CAS logout url that tells the CAS server where to go after logout. Fixes #2 --- conf/example.yourdomain.edu/web.xml | 10 ++++ src/ca/usask/ulc/filters/CasLogoutFilter.java | 60 +++++++++++++++++++ web/js/global_lib.js | 6 -- web/login.jsp | 2 +- web/logout.jsp | 40 ------------- 5 files changed, 71 insertions(+), 47 deletions(-) create mode 100644 src/ca/usask/ulc/filters/CasLogoutFilter.java delete mode 100644 web/logout.jsp diff --git a/conf/example.yourdomain.edu/web.xml b/conf/example.yourdomain.edu/web.xml index 561f66c..1e8fec4 100644 --- a/conf/example.yourdomain.edu/web.xml +++ b/conf/example.yourdomain.edu/web.xml 
@@ -23,6 +23,15 @@ yourtomcatserver.yourdomain.edu + + CAS Logout Filter + ca.usask.ulc.filters.CasLogoutFilter + + ca.usask.ulc.filters.CasLogoutFilter.url + + https://cas.usask.ca/cas/logout?service=https%3A%2F%2Fyourtomcatserver.yourdomain.ca + + Session Init Filter ca.usask.ulc.filters.InitSessionFilter @@ -44,6 +53,7 @@ CAS Filter/auth/* + CAS Logout Filter/auth/logout Session Init Filter/* diff --git a/src/ca/usask/ulc/filters/CasLogoutFilter.java b/src/ca/usask/ulc/filters/CasLogoutFilter.java new file mode 100644 index 0000000..aab03c4 --- /dev/null +++ b/src/ca/usask/ulc/filters/CasLogoutFilter.java 
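Review bot: The `service` value in the new `ca.usask.ulc.filters.CasLogoutFilter.url` init-param points at `yourtomcatserver.yourdomain.ca`, while the context line just above it and the rest of this example config use `yourtomcatserver.yourdomain.edu`; a config copied from this example would send users to the wrong host after logout, so the two should agree. Whether the CAS server actually honours `service` on `/cas/logout` depends on its own configuration (newer CAS versions only follow it when the service is registered and redirects are enabled), so a short comment next to the param is worth adding, e.g. `<!-- CAS must be configured to follow the service redirect after logout -->`. The rendered hunk has lost its XML tags, so the element names are inferred from the values shown.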
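Review bot: The new `CAS Logout Filter` mapping for `/auth/logout` is listed after the `CAS Filter` mapping for `/auth/*`, and the servlet spec applies url-pattern filter mappings in descriptor order, so an unauthenticated request to `/auth/logout` is first bounced to CAS to log in before the logout filter ever runs. If that is not intended, place the `CAS Logout Filter` mapping before the `CAS Filter` mapping, or map the logout filter on a path outside `/auth/`. This is inferred from the mapping order visible in the hunk, not from a test.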
@@ -0,0 +1,60 @@
+package ca.usask.ulc.filters;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.log4j.Logger;
+
+
+public final class CasLogoutFilter implements Filter
+{
+ private FilterConfig filterConfig=null;
+
+ private static Logger logger = Logger.getLogger( CasLogoutFilter.class );
+
+
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
+ {
+ HttpServletRequest local=(HttpServletRequest)request;
+ HttpSession session=local.getSession(true);
+ // clear local session
+ session.removeAttribute("edu.yale.its.tp.cas.client.filter.user");
+
+ session.removeAttribute("userIsSysadmin");
+ session.removeAttribute("userHasAccessToOfferings");
+ session.removeAttribute("userHasAccessToOrganizations");
+ session.removeAttribute("userHasAccessToOrganizations");
+
+ session.removeAttribute("sessionInitialized");
+ session.removeAttribute("JSESSIONID");
+
+ // goto CAS logout url to clear CAS session
+ String url = filterConfig.
+ getInitParameter("ca.usask.ulc.filters.CasLogoutFilter.url");
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+ httpResponse.sendRedirect(url);
+ return;
+ }
+
+
+ public void destroy()
+ {
+ this.filterConfig=null;
+ }
+
+ public void init(FilterConfig filterConfig)
+ {
+ this.filterConfig=filterConfig;
+ }
+
+}
diff --git a/web/js/global_lib.js b/web/js/global_lib.js
index abcf204..a9a2df8
--- a/web/js/global_lib.js
+++ b/web/js/global_lib.js
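Review bot: `doFilter` still only strips a hand-maintained list of attributes instead of ending the session, so the session id stays valid after "logout" and any attribute not on the list survives (the duplicated `userHasAccessToOrganizations` removal shows how easily the list drifts); `session.removeAttribute("JSESSIONID")` is also a no-op, since the session id lives in a cookie, not in a session attribute. A filter is the right place to call `session.invalidate()` — the deleted logout.jsp carried that call commented out, and if there was a reason for that it should be recorded here rather than silently inherited. `getSession(true)` also creates a brand-new session only to tear it down; `getSession(false)` with a null check avoids that. Separately, `getInitParameter` returns null when the init-param is absent and `sendRedirect(null)` then fails on the first logout request, so validate the url in `init()` and fail at deployment instead. `logger` and the `RequestDispatcher` import are unused, and `chain` is deliberately never invoked — a one-line comment saying the filter is terminal would help the next reader.
```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
 HttpServletRequest local=(HttpServletRequest)request;
 // Invalidate the container session outright instead of removing a
 // hand-maintained list of attributes: anything not on the list would
 // survive, and the session id would stay valid after "logout".
 HttpSession session=local.getSession(false);
 if (session != null)
 {
 session.invalidate();
 }
 // … unchanged: redirect to the configured CAS logout url (chain is intentionally not invoked) …
}

public void init(FilterConfig filterConfig) throws ServletException
{
 this.filterConfig=filterConfig;
 // Fail at deployment, not on the first logout, if the url is not configured.
 if (filterConfig.getInitParameter("ca.usask.ulc.filters.CasLogoutFilter.url") == null)
 {
 throw new ServletException("ca.usask.ulc.filters.CasLogoutFilter.url init-param is required");
 }
}
```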
@@ -242,12 +242,6 @@ function logout() window.open("/cat/logout.jsp"); setTimeout('document.location="/cat/logout.jsp"',1000); } -function updateLoginStatusAfterlogout() -{ - window.location="/cat/auth/myCourses.jsp"; - //window.location.reload(); - //loadURLIntoId("/cat/login.jsp","#loginStatus"); -} function openEdit() { var text = ""; diff --git a/web/login.jsp b/web/login.jsp index 4e2cf62..24b5551 100644 --- a/web/login.jsp +++ b/web/login.jsp @@ -23,7 +23,7 @@ String userid=(String)session.getAttribute("edu.yale.its.tp.cas.client.filter.user"); if (userid != null) { - %>You are logged in as <%=userid%>. Log out + %>You are logged in as <%=userid%>. Log out <% } else diff --git a/web/logout.jsp b/web/logout.jsp deleted file mode 100644 index 3c29267..0000000 --- a/web/logout.jsp +++ /dev/null 
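Review bot: The `logout()` function shown as context in this hunk still navigates to `/cat/logout.jsp` — both the `window.open("/cat/logout.jsp")` call and the `setTimeout('document.location="/cat/logout.jsp"',1000)` fallback — but this commit deletes web/logout.jsp and only updates the link in login.jsp, so the JavaScript logout path now hits a missing page instead of the new `/cat/auth/logout` filter. Point it at the new url, e.g. `setTimeout('document.location="/cat/auth/logout"',1000);`, and consider dropping the `window.open` entirely: two near-simultaneous requests to a filter that tears down the session and redirects to CAS are at best redundant. `logout()` begins before this hunk; only its header appears in the `@@` context.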
@@ -1,40 +0,0 @@ -<%-- - Copyright 2012, 2013 University of Saskatchewan - - This file is part of the Curriculum Alignment Tool (CAT). - - CAT is free software: you can redistribute it and/or modify - it under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - CAT is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with CAT. If not, see . ---%> - - -<%@ page import="java.util.*,java.net.*,ca.usask.gmcte.*,ca.usask.ocd.ldap.*"%> -<% -session.removeAttribute("edu.yale.its.tp.cas.client.filter.user"); - -session.removeAttribute("userIsSysadmin"); -session.removeAttribute("userHasAccessToOfferings"); -session.removeAttribute("userHasAccessToOrganizations"); -session.removeAttribute("userHasAccessToOrganizations"); - -session.removeAttribute("sessionInitialized"); -session.removeAttribute("JSESSIONID"); -//session.invalidate(); - - -%> -