I need to implement Sign Sign Out in Java using Spring Security. What CAS needs from my application is to access
https://www.home.com/cas/logout.cfm?service=myService&redirect=http://encoded.url.of.my.site
I put this URL to LogoutFilter’s constructor parameter (as logoutSuccessUrl), so when I click logout URL on my site, Spring Security clears the session and redirects me to that URL, which is over HTTPS. It does what is supposed to do and the tries to redirect me back to my website’s welcome address. However, this address is on HTTP protocol, not on HTTPS. So either because of sending some info in parameters when accessing that secure page, or because of redirecting back to non-secure, Firefox gives me a message:
Although this page is encrypted, the
information you have entered is to be
sent over an unencrypted connection
and could easily be read by a third
party.
OK, this is clear, but… How does logging using SSO work then? It essentially does the same thing. My website redirects to SSO’s login page over https, which on success redirects back to my site, which is over plain http. How can I get rid of that message?
OK, after some research I got the answer. Firefox throws this message only if there is some post data in the redirect, which occurs from HTTPS to HTTP. This message can’t be disabled, there is a corresponding comment in Firefox’es source code. The data that is posted (in form of XML) should allow to invalidate session. This also gives CAS an ability to invalidate session without any action from the user of the application (CAS posts data to that URL and application invalidates user’s session).
Logging in didn’t throw any messages because it was a simple redirect, without any data.