Additional: We have been seeing higher network utilization, which has manifested in the ³Too many open files² exceptions on the CAS server due to the HTTP connections being made and ³Connection broken / timed out² while transmitting logout requests.
QUESTION: If an exception occurs upon logging out, should we simply blow up or continue processing logout requests and log the issue? On 3/5/09 1:49 PM, "Andrew Feller" <[email protected]> wrote: > CONTEXT: > > We have deployed CAS within a mixed Lotus Domino / Java environment, which > requires us to marry the different SSO systems together. Currently, all of > the traffic for SSO is being routed for CAS, which signs users on to both > systems. Duration for SSO sessions for both systems has been set for 8 hours > regardless of activity. Whenever users login to CAS without specifying a > service, they are being redirected to our portal, which requires the Domino > SSO session created by logging into CAS. > > After logging into CAS and leaving the browser open for 8 hours, users are > caught in an infinite redirect loop because CAS will only check CASTGC for > validity when a ST is requested and Domino has been configured to make CAS the > primary SSO service. To fix this issue, we have implemented a custom SWF > action that will check whether a service has been provided by the user and > sets a default service if not available. This effectively causes CAS to > validate the CASTGC, however the application ignores the ST since it isn¹t CAS > protected and uses Domino SSO. > > Initially, we thought the additional wasted tickets would be negligible and > could let it ride, however we noticed a few issues: > > 1. TRIVIAL The default service couldn¹t depend upon a query string parameter > called ³ticket² > 2. INTERESTING The additional ticket would cause increased state replication > within high availability environment > 3. MORE INTERESTING CAS would transmit LogoutRequests to the non-CAS > application regardless of whether the ticket was validated > > SUGGESTIONS: > > 1. Provide ability to indicate that CAS should validate CASTGC cookies upon > login without service > 2. Refactor TGT implementation (org.jasig.cas.ticketTicketGrantingTicketImpl) > to transmit logout requests only to services that have had successfully > validated service tickets > > Thoughts? -- Andrew Feller, Analyst LSU University Information Services 200 Frey Computing Services Center Baton Rouge, LA 70803 Office: 225.578.3737 Fax: 225.578.6400 -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
