On Mon, Feb 9, 2009 at 5:10 AM, sol myr <[email protected]> wrote:

> Hi,
>
> We are evaluating CAS SSO, and were wondering how it handles HTTP sessions:
>
> Suppose a user is browsing through several pages of the same
> web-application ("page1.jsp", "page2.jsp", "page3.jsp"), all within the
> same HTTP session.
> Obviously, when accessing "page1" he'll be asked to log in, with the help
> of the CAS server and tickets.
> But what happens next, for "page2" and "page3"?
>
> 1) Am I correct in assuming that usually, the AuthenticationFilter will
> note that user is already logged in, and no further action is required?
> So, in terms of load/performance, the CAS server will be involved only when
> first accessing "page1", but it won't be bothered for "page2" and "page3"?

That is correct, unless their application session has expired. Then they'll be sent to CAS.

> 2) Now, suppose we are extremely paranoid. Can we configure credentials to
> be re-checked for every page, even "page2" and "page3"?
> (Obviously this assumes the browser can automatically send credentials,
> without asking the user to re-type them - for example, extract credentials
> from a smartcard or from Windows login).

You could, but you're probably better off just setting a short session time.

-Scott

> Thanks very much.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
