On May 13, 2009, at 7:45 AM, rrakesh wrote:
Thanks for the detailed explanation Lucas and Scott.
I got couple clarifications to be made:
1. The ticket expiration I was talking about was if user stays on a
secured
page after logging in for a while and the when user trying to access
the
another secure page then we need show the login page. Can this be
done by
specifying the expiration time for the bean
""grantingTicketExpirationPolicy" the
declared in "ticketExpirationPolicies.xml", right.
If I understand you correctly, yes. If you are trying to get a service
ticket for a service and your TGT has expired, then CAS will force you
to log in again, and you will be given a new TGT. The likelihood that
you will have to authenticate again goes up as the TGT lifetime goes
down, i.e., if you set a TGT lifetime of 60 minutes, then someone will
have to authenticate more often then if the TGT lifetime is 10 hours.
2. After this time span if the user trying to access a secured page
being
inactive for a while, does the application (which is cassified)
contacts the
CAS about it,
No. The application has to know when to send a user back to CAS, and
it can not find out this information by asking CAS for it. It is up to
the application to maintain state and to determine if the time is
right to send the user back to CAS. If the user is sent back to CAS
and the user's TGT is not expired, then this process will be
transparent to the user, unless you are either using renew=true or
forcing re-authentication using the service registry.
-lucas
I don't see the client contacting the CAS server on every
secured page access. so, some kind is maintained by the
CASAuthenitcationProvider which it getting access for the previous
authentication.
I did not specifically put in any cache in place.
Is my understanding right about this or am I missing any configuration
point.
Thanks
RR
scott_battaglia wrote:
CAS sessions work as follows:
When you first authenticate to an application, CAS creates a single
sign
on
session for you. This allows you to seamlessly authenticate to other
applications without re-entering credentials.
These sessions have an expiration policy, generally something like 6
hours.
At the end of the 6 hours, you would need to re-enter your
credentials.
We also offer SLO, when you explicitly log out of the CAS server
(so going
to /logout). Our recommendation has always been to have your
applications
logout page let the user know they have logged out the application
and how
they can log out of all applications.
We do not send logout requests if the SSO session expires. There's
a few
technical reasons why we haven't done it yet but there's also the
issue of
application independence from SSO session. If your SSO session is
only 6
hours but you've been using an application for six hours and one
minute,
there is no reason you should have to reauthenticate to that
application.
Cheers,
Scott
On Tue, May 12, 2009 at 10:21 AM, Lucas Rockwell <[email protected]>
wrote:
On May 12, 2009, at 12:33 PM, rrakesh wrote:
Thanks for posting your thoughts and answers to the questions.
Isn't the ticket expiration should work the same way as Single
Sing Out,
meaning cas-server sends message back to the services with
"logoutrequest",
right.
But I am not seeing it on the CAS-SERVER side logs.
Or May be I misunderstood the way the ticket expiration works.
From what I understand, the single sign out part has nothing to do
with
the
time limit on the TGT. In order to invoke single sign out, you
actually
have
to go to the /logout URL using the browser that has the CASTGC (or
present
the TGT via the web service).
The time limit of the TGT just keeps new STs from being granted
using
that
TGT if the time limit is expired.
-lucas
Johan Reinalda wrote:
If I understand what you're saying, then this is not a CAS
problem, but
the
behaviour of your APP1.
It has it's own 'session', probably a browser cookie, that needs
to
time
out
before it will ask you to login again (and than direct you to
the cas
login
page.)
Simply leaving the APP1 page and coming back doesn't seem to do
that
(unless
you add some mechanism to force logout upon leaving the site.)
Johan
----- Original Message -----
From: "rrakesh" <[email protected]>
To: <[email protected]>
Sent: Tuesday, May 12, 2009 10:29 AM
Subject: [cas-user] Setting grantingTicketExpirationPolicy, does
not
expire
the session
I got two applications App1 and App2 which are casified. Login
in one
application does sso into other application and the same thing
with
the
sign
out functionality, logging out of APP1 or APP2 logs me out from
the
other
application APP2 or APP1 respectively.
Now I am trying to configure the
"grantingTicketExpirationPolicy" the
bean
declared in "ticketExpirationPolicies.xml" to 5 seconds. And
after
log-in
in
APP1 and sitting on a secured page for a while and trying to
accessing
the
APP2 secured page shows me log-in page. But at the same if I can
travel
back
tot my APP1 secured page which does not show me log-in page
instead it
gives
me access to the secured page.
Am I missing some thing here form the configuration point while
setting
the
expiration, the reason becase Single Sign out works file
between two
applications and CAS server.
Thanks
RR
--
View this message in context:
http://www.nabble.com/Setting-grantingTicketExpirationPolicy%2C-does-not-expire-the-session-tp23506700p23506700.html
Sent from the CAS Users mailing list archive at Nabble.com.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
View this message in context:
http://www.nabble.com/Setting-grantingTicketExpirationPolicy%2C-does-not-expire-the-session-tp23506700p23508914.html
Sent from the CAS Users mailing list archive at Nabble.com.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
View this message in context:
http://www.nabble.com/Setting-grantingTicketExpirationPolicy%2C-does-not-expire-the-session-tp23506700p23523241.html
Sent from the CAS Users mailing list archive at Nabble.com.
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
