If an administrator disables a service from proxying, he expects that disabling to immediately take effect. If he doesn't want to stop it from proxying, he wouldn't be disabling it. He wants to interrupt the user's proxying experiences. If users are presently proxying via an application that shouldn't be proxying (such that the admin is disabling it from proxying), that's more likely to be a problem than to be a valid user experience.

Applications using PGTs already need to cope with PGTs expiring or otherwise becoming invalid (e.g. CAS server failure or accidental but explicit user logout from the CAS server). I'd think expiration or accidental user logout would expose the user to this user experience interruption far more frequently than would tightening up this edge case.

I think toggling a service's ability to proxy in the services registry should cause its already granted PTs if any to become invalid, should cause its already granted PGTs if any to become invalid, and should cause it to be unable to acquire PGTs going forward (that much is current behavior). This is just what it naturally means for a service to be unable to proxy. A UX note advising that things don't work as one would expect is less helpful than just making them work as expected.

In short, yes, I think this deserves a JIRA and should be addressed, though I agree it's a fringe edge case and doesn't warrant a critical immediate fix.

> I suppose there could be an option for a hard/soft set.

Please no.

I considered (and rejected) an argument for not addressing this edge case because it would increase cas server code complexity more than is justified. I reject this argument for just the reason you articulate, that the present behavior is too surprising and should be made to align with expectations.

But adding the behavior and then making it toggled by additional configuration? Let's not add the complexity of more configuration for this.

I just don't see a plausible use case for wanting a service to continue its existing proxying but be disabled from proxying going forward -- a real usage of this feature would involve first retiring use of proxied services from the application being disabled from proxying. If an application's still legitimately relying on proxying, you wouldn't be disabling it.

Andrew

On 08/01/2011 11:15 PM, William G. Thompson, Jr. wrote:
For me I think it comes down to expectations.  I was surprise, and
confused for a bit, when I set the Can't Proxy option, yet was still
getting proxy tickets.

If you setting this option against a live services, I imagine that
folks would expect the user experience to get interrupted.

I suppose there could be and option for a hard/soft set.

Bill



On Mon, Aug 1, 2011 at 9:28 PM, Scott Battaglia
<[email protected]>  wrote:
I'm on the fence on this. On the one hand, you'll interrupt the user's
experience.  On the other hand, its probably technically more correct to
disable it (or at least put a note that says that these items take affect
going forward and do not affect existing sessions)

On Mon, Aug 1, 2011 at 5:16 PM, William G. Thompson, Jr.<[email protected]>
wrote:
Folks,

Ran into what may be an edge case, but likely easy to fix.   Would
like to get your thoughts prior to filing a jira.

I'm using a sample CasApp that can get a PGT and PT for targetService.
  Everything working fine.

* enable Services Management with proper config, everything still working
fine.

Test Case  (edge case?):
* Login in to CasApp (get PGT), then disallow proxy on CasApp via
Services Management.
* (haven't logged out of CasApp yet), still fetching PTs with the
previously received PGT.

Should CAS stop issuing PTs for a PGT from a service that has been
marked as not allowed to proxy in Services Management?

Bill

--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev


--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to