Hi Andrew,

Thanks so much for the reply. I know in most of the cases you are right. And I do agree with you that in common sense a single app's session timeout should not force the user to log out of SSO.

In our case, we have a pretty complicated enterprise portal system which hosts applications with various security requirements. So I could not set a global CAS session timeout (say 2 hours) for all the applications by specifying the timeout parameter in ticketExpirationPolicy.xml. Instead, I need to set up the session timeout for each individual application implementing Spring Security in the application's web.xml file. Some of the sensitive ones are 30 minutes, some of them are 2 hours. So when a secured application with a 30-minute session timeout expires (no matter whether there are other active apps in different tabs in the same browser), the user has to be reauthenticated in order to get back to the app. In a CAS SSO system, the only way I could think of to force reauthentication of the user is to force the user to log out of the SSO first. Do you have better ways to implement this?

Thanks again for sharing your opinion.

-Xuejin

Andrew Feller wrote:
>
> Xuejin,
>
> Whenever an application using the SSO expires a user's session, it doesn't
> make sense that the application forces the user to log out of the SSO. The
> application should either increase its session timeout to be that of the
> SSO timeout or store the session information in something that survives
> reboot.
>
> HTH,
> A-
>
> --
> Andrew Feller, Analyst
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400
>
> -----Original Message-----
> From: Xuejin Ruan [mailto:[email protected]]
> Sent: Fri 6/12/2009 6:16 PM
> To: [email protected]
> Subject: Re: [cas-user] How to sign out of CAS when spring security app session timeout?
>
> Oh well, I think I got it working. I set followServiceRedirects="true" in
> logoutController in cas-servlet.xml. And then in the custom filter I wrote,
> when session timeout was detected, it will be redirected to the cas logout url,
> with the current requestURL appended as the service url.
>
> Xuejin Ruan wrote:
>> I have an application implementing Spring Security. In web.xml, I set up
>> the HttpSessionEventPublisher listener, and configured the session timeout as 5
>> minutes. When the application times out, how do I invalidate the CAS single
>> sign-on session to force the user to re-login?
>>
>> I have tried to create a customized filter, which will redirect the user
>> to the cas logout link when the application times out. However, it doesn't
>> work as I expected. Can anyone tell me how to do a backend logout of CAS,
>> instead of redirecting the url to the cas logout page?
>
> --
> View this message in context:
> http://www.nabble.com/How-to-sign-out-of-CAS-when-spring-security-app-session-timeout--tp24006847p24007413.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
View this message in context:
http://www.nabble.com/How-to-sign-out-of-CAS-when-spring-security-app-session-timeout--tp24006847p24007820.html
Sent from the CAS Users mailing list archive at Nabble.com.
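The custom filter Xuejin describes, written out as an added example (not code from the thread or from the CAS project): it detects that the browser presented a session id the container no longer recognises, i.e. the application's own Spring Security session has timed out, and redirects to the CAS logout URL with the current request URL as `service`, so that a logoutController configured with followServiceRedirects="true" sends the browser back to the application, where the CAS filter demands a fresh login. The init-param name `casLogoutUrl` and the host `cas.example.org` are assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the thread. Sends an expired local session to the
// CAS logout URL with the current request as "service"; with
// followServiceRedirects="true" on the logoutController, CAS then returns the
// browser to this app, where the CAS filter requires a fresh login.
public class SessionTimeoutLogoutFilter implements Filter {
    // Assumed init-param, e.g. https://cas.example.org/cas/logout (placeholder host)
    private String casLogoutUrl;

    public void init(FilterConfig config) throws ServletException {
        casLogoutUrl = config.getInitParameter("casLogoutUrl");
        if (casLogoutUrl == null) {
            throw new ServletException("init-param casLogoutUrl is required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The browser sent a session id the container no longer knows: the
        // local session timed out or was invalidated. A request with no
        // session id at all (first visit) is left to the normal CAS login flow.
        boolean sessionExpired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (sessionExpired) {
            StringBuffer service = request.getRequestURL();
            if (request.getQueryString() != null) {
                service.append('?').append(request.getQueryString());
            }
            response.sendRedirect(casLogoutUrl + "?service="
                    + URLEncoder.encode(service.toString(), "UTF-8"));
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map it in web.xml ahead of the Spring Security filter chain so it sees the stale session id before a new session is created. As Andrew notes above, this ends the CAS SSO session for every application the user has open, not only the one whose 30-minute timeout expired.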
