Additional: We have been seeing higher network utilization, which has
manifested in the ³Too many open files² exceptions on the CAS server due to
the HTTP connections being made and ³Connection broken / timed out² while
transmitting logout requests.

QUESTION: If an exception occurs upon logging out, should we simply blow up
or continue processing logout requests and log the issue?


On 3/5/09 1:49 PM, "Andrew Feller" <[email protected]> wrote:

> CONTEXT:
> 
> We have deployed CAS within a mixed Lotus Domino / Java environment, which
> requires us to marry the different SSO systems together.  Currently, all of
> the traffic for SSO is being routed for CAS, which signs users on to both
> systems.  Duration for SSO sessions for both systems has been set for 8 hours
> regardless of activity.  Whenever users login to CAS without specifying a
> service, they are being redirected to our portal, which requires the Domino
> SSO session created by logging into CAS.
> 
> After logging into CAS and leaving the browser open for 8 hours, users are
> caught in an infinite redirect loop because CAS will only check CASTGC for
> validity when a ST is requested and Domino has been configured to make CAS the
> primary SSO service.  To fix this issue, we have implemented a custom SWF
> action that will check whether a service has been provided by the user and
> sets a default service if not available.  This effectively causes CAS to
> validate the CASTGC, however the application ignores the ST since it isn¹t CAS
> protected and uses Domino SSO.
> 
> Initially, we thought the additional wasted tickets would be negligible and
> could let it ride, however we noticed a few issues:
> 
> 1. TRIVIAL ­ The default service couldn¹t depend upon a query string parameter
> called ³ticket² 
> 2. INTERESTING ­ The additional ticket would cause increased state replication
> within high availability environment
> 3. MORE INTERESTING ­ CAS would transmit LogoutRequests to the non-CAS
> application regardless of whether the ticket was validated
> 
> SUGGESTIONS:
> 
> 1. Provide ability to indicate that CAS should validate CASTGC cookies upon
> login without service
> 2. Refactor TGT implementation (org.jasig.cas.ticketTicketGrantingTicketImpl)
> to transmit logout requests only to services that have had successfully
> validated service tickets
> 
> Thoughts?

-- 
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400


-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to