Hi Axel,
Thanks for your input.
The problem with rejecting any login while there is still one session active in
CAS is this: if someone logs in to a service from his friend's machine and forgets
to log out, and at night he tries to access the service from his home,
CAS rejects his login because his session from his friend's machine is
still active. There is no way for him to access his service until the ticket
expires or he gains access to his friend's computer.

So instead of blocking the login, I'd rather allow the last
login and kill all previous active sessions.

And I think the only difference is in the Spring Security implementation, and I
would still be able to use one of the three options you mentioned to store the information.

Regards,
Sukma

On Thu, Apr 16, 2009 at 1:30 PM, Axel Mendoza Pupo <[email protected]> wrote:

> I have implemented that feature using the Acegi Security/Spring Security
> approach in my authentication handler implementation. This is the first step
> that you need to do, and there are three options:
>
> 1- store session information in a Map, like Acegi Security/Spring Security
> does
>
> 2- traverse the ticket registry to find the user's previously
> authenticated session
>
> 3- store session information in a database table
>
> The three options need a clean user logout, because the feature you are
> looking for is blocking multiple authentications, and if you do not delete
> the session information your users cannot log in to your app, and you would need
> to have session management to kill user sessions.
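The "allow the last login and kill the previous session" policy discussed in this thread, combined with the Map storage option, as an added example that is not code from the thread, CAS, or Spring Security. The class name, the `expireSession` callback and the session ids are hypothetical; the callback stands in for whatever actually expires a ticket in the registry or database.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;

// Hypothetical helper for illustration; not a CAS or Spring Security class.
public class LastLoginWinsRegistry {
    // principal -> id of the single session (ticket) currently allowed for that user
    private final Map<String, String> active = new ConcurrentHashMap<>();
    // Assumed callback that expires a session wherever it is stored
    private final Consumer<String> expireSession;

    public LastLoginWinsRegistry(Consumer<String> expireSession) {
        this.expireSession = expireSession;
    }

    // Record a successful login and expire the session the user held before.
    // Returns the id of the session that was killed, if there was one.
    public Optional<String> onLogin(String principal, String newSessionId) {
        String previous = active.put(principal, newSessionId); // atomic swap
        if (previous != null && !previous.equals(newSessionId)) {
            expireSession.accept(previous);
            return Optional.of(previous);
        }
        return Optional.empty();
    }

    // Clean logout: remove the entry only if this session is still the current
    // one, so a late logout from the old machine cannot evict the new session.
    public boolean onLogout(String principal, String sessionId) {
        return active.remove(principal, sessionId);
    }

    // Check to run on each request or ticket validation.
    public boolean isCurrent(String principal, String sessionId) {
        return sessionId.equals(active.get(principal));
    }

    public static void main(String[] args) {
        LastLoginWinsRegistry reg =
            new LastLoginWinsRegistry(id -> System.out.println("expired " + id));
        // Constructed scenario: login at a friend's machine, then from home.
        reg.onLogin("alice", "TGT-friend-pc");
        reg.onLogin("alice", "TGT-home");
        System.out.println("friend-pc current: " + reg.isCurrent("alice", "TGT-friend-pc"));
        System.out.println("stale logout removed entry: " + reg.onLogout("alice", "TGT-friend-pc"));
        System.out.println("home current: " + reg.isCurrent("alice", "TGT-home"));
    }
}
```

Because the newest login replaces the map entry instead of being rejected, a forgotten session no longer locks the user out, and a missed logout only leaves an entry that the next login overwrites.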