Hi. We're using CAS, and we've made some extensions to it that I'd like to document for anyone else who comes along after us desiring to solve similar problems.
First, we were asked to allow CAS to limit users to a single IP address at a time. That is, if the same user signs on from a new IP address, revoke any TGTs they still have outstanding that were created when they had a different address. Second, we were asked to provide some means by which the TGT idle timer could be "tickled" by a user simply staying in a single application without switching out to some other place, which would "use" the TGT and thus reset the timer.

For the first solution, we did it this way:

1. We made our own class that extended UsernamePasswordCredentials to add an InetAddress field, and use that class for the credentials object in the login-webflow. We created a CredentialsBinder implementation that accepted our overload and set the InetAddress from the remote address in the HttpServletRequest, and set that on the authenticationViaFormAction bean.

2. We created an AuthenticationMetaDataProvider implementation that recognized our extended credential and turned it into an InetAddress attribute of the Authentication object.

3. In our private copy of AuthenticationViaFormAction, we modified submit() to run through the ticketRegistry to look at all TGTs where the principal was the same as the principal being logged in, and whose InetAddress Authentication attribute did not match the instant one. In those cases, that TGT's expire() method is invoked.

For the second, we created a "transparent GIF" servlet vendor which takes a serviceTicket parameter. We look the service ticket up in the ticketRegistry, then get that ticket's issuing TGT. We then ask the TGT to issue a service ticket for a "null" service - that is, a private implementation of the Service interface (matches() returns false, getId() returns "", getAttributes() returns Collections.emptyMap(), logOutOfService() returns false and setPrincipal() does nothing), and a "null" expiration policy (isExpired() returns true). We then just throw that away.

This was the only way we could find to update the "last used" time of the TGT. As an unfortunate side effect, it affects the use count, but we're not using that. I can provide code for any of the above, if there's any interest.

--
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
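Added example, written by the editor and not the poster's or the CAS project's code: one sketch of how the two extensions described in the message above fit together against the CAS 3.x API, i.e. the IP-carrying credential with its CredentialsBinder, the metadata populator (the CAS 3 interface is named AuthenticationMetaDataPopulator), the sweep that expires a principal's other TGTs, and the transparent-GIF tickle servlet with the "null" Service and always-expired ExpirationPolicy. The class names, the IP_ATTRIBUTE key, the serviceTicket parameter name and the "ticketRegistry" bean name are assumptions for illustration; the login-webflow bean wiring is left out.

```java
// Added example, not the poster's code: both extensions against the CAS 3.x API.
// Class names, IP_ATTRIBUTE, the "serviceTicket" parameter and the
// "ticketRegistry" bean name are illustrative assumptions.
import java.io.OutputStream;
import java.net.InetAddress;
import java.util.Collections;
import java.util.Map;
import javax.servlet.http.*;
import org.jasig.cas.authentication.*;
import org.jasig.cas.authentication.principal.*;
import org.jasig.cas.ticket.*;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.web.bind.CredentialsBinder;
import org.springframework.web.context.support.WebApplicationContextUtils;

public final class SingleIpCasExtensions {
    /** Authentication attribute carrying the login address (assumed name). */
    public static final String IP_ATTRIBUTE = "remoteAddress";

    /** Step 1: credentials that also carry the client address. */
    public static class IpBoundCredentials extends UsernamePasswordCredentials {
        private static final long serialVersionUID = 1L;
        private InetAddress remoteAddress;
        public InetAddress getRemoteAddress() { return remoteAddress; }
        public void setRemoteAddress(final InetAddress a) { remoteAddress = a; }
    }

    /** Step 1: binder set on authenticationViaFormAction. Caveat: behind a reverse
     *  proxy getRemoteAddr() is the proxy, so every user shares one address and the
     *  check degenerates; trust a forwarded header only from a proxy that strips
     *  client-supplied copies of it. */
    public static class IpBoundCredentialsBinder implements CredentialsBinder {
        public void bind(final HttpServletRequest request, final Credentials credentials) {
            try {
                ((IpBoundCredentials) credentials)
                    .setRemoteAddress(InetAddress.getByName(request.getRemoteAddr()));
            } catch (java.net.UnknownHostException e) {
                throw new IllegalStateException("unparseable remote address", e);
            }
        }
        public boolean supports(final Class<?> clazz) {
            return IpBoundCredentials.class.isAssignableFrom(clazz);
        }
    }

    /** Step 2: copy the address from the credential onto the Authentication. */
    public static class IpAttributePopulator implements AuthenticationMetaDataPopulator {
        public Authentication populateAttributes(final Authentication auth, final Credentials creds) {
            if (!(creds instanceof IpBoundCredentials)) return auth;
            MutableAuthentication copy = new MutableAuthentication(auth.getPrincipal());
            copy.getAttributes().putAll(auth.getAttributes());
            copy.getAttributes().put(IP_ATTRIBUTE, ((IpBoundCredentials) creds).getRemoteAddress());
            return copy;
        }
    }

    /** Step 3: call from submit() before the new TGT is created. Walks the whole
     *  registry (O(n) per login); returns how many TGTs were expired. */
    public static int expireOtherAddresses(final TicketRegistry registry,
            final Principal principal, final InetAddress current) {
        int expired = 0;
        for (Ticket t : registry.getTickets()) {
            if (!(t instanceof TicketGrantingTicket)) continue;
            TicketGrantingTicket tgt = (TicketGrantingTicket) t;
            Authentication auth = tgt.getAuthentication();
            if (!principal.getId().equals(auth.getPrincipal().getId())) continue;
            Object boundTo = auth.getAttributes().get(IP_ATTRIBUTE); // null for pre-upgrade TGTs
            if (!current.equals(boundTo)) { tgt.expire(); expired++; }
        }
        return expired;
    }

    /** Tickle: a Service nothing matches, and a policy that is expired at birth. */
    static final Service NULL_SERVICE = new Service() {
        private static final long serialVersionUID = 1L;
        public String getId() { return ""; }
        public Map<String, Object> getAttributes() { return Collections.emptyMap(); }
        public void setPrincipal(final Principal p) { }
        public boolean logOutOfService(final String sessionIdentifier) { return false; }
        public boolean matches(final Service service) { return false; }
    };
    static final ExpirationPolicy ALREADY_EXPIRED = new ExpirationPolicy() {
        private static final long serialVersionUID = 1L;
        public boolean isExpired(final TicketState state) { return true; }
    };

    /** Grants and discards an ST purely to refresh the TGT's last-used time. */
    public static void tickle(final TicketGrantingTicket tgt) {
        if (tgt != null && !tgt.isExpired()) {
            tgt.grantServiceTicket("ST-tickle-" + System.nanoTime(), NULL_SERVICE, ALREADY_EXPIRED, false);
        }
    }

    /** Always answers with a 1x1 transparent GIF, valid ticket or not, so the
     *  endpoint is not an oracle for which service ticket ids exist. */
    public static class TgtTickleServlet extends HttpServlet {
        private static final byte[] GIF = { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61, 1, 0, 1, 0,
            (byte) 0x80, 0, 0, 0, 0, 0, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x21, (byte) 0xF9,
            4, 1, 0, 0, 0, 0, 0x2C, 0, 0, 0, 0, 1, 0, 1, 0, 0, 2, 1, 0x44, 0, 0x3B };
        private TicketRegistry registry;
        public void init() {
            registry = (TicketRegistry) WebApplicationContextUtils
                .getRequiredWebApplicationContext(getServletContext()).getBean("ticketRegistry");
        }
        protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
                throws java.io.IOException {
            String id = req.getParameter("serviceTicket"); // a bearer secret: never log it
            ServiceTicket st = id == null ? null : (ServiceTicket) registry.getTicket(id, ServiceTicket.class);
            if (st != null) tickle(st.getGrantingTicket());
            resp.setContentType("image/gif");
            resp.setHeader("Cache-Control", "no-store");
            resp.setContentLength(GIF.length);
            OutputStream out = resp.getOutputStream();
            out.write(GIF);
            out.flush();
        }
    }
}
```

Two things worth checking before adopting either half. The sweep only sees TGTs whose Authentication carries IP_ATTRIBUTE, so sessions created before the populator was deployed are never expired, and with a clustered ticket registry you should confirm that the in-memory expire() is actually propagated to the other nodes. For the tickle, whoever holds a service ticket id can keep that user's TGT alive indefinitely, so the GIF URL should be served over TLS and the id never written to access logs; and in the CAS 3.x source I have read, grantServiceTicket() also records the granted Service in the TGT's services map used for single log-out, so a page that tickles every few seconds grows that map for the life of the session.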