Thanks Marvin,

For step 2 (log on to app1 using 'renew' through CAS again, get TGC2 (user2)), does
CAS single sign out TGC1 for all applications?

If not, there is a security hole there.

For example, consider the following scenario:
a. log on to app1 through CAS, get TGC1 (user1)
b. go to app2 (protected by CAS), get user1's authorized info.
c. log on to app1 using 'renew' through CAS again, get TGC2 (user2).
d. go to app3 (protected by CAS), get user2's authorized info.
e. single sign out. (will kill TGC2 (app1, app3))
f. app2 (user1) is still alive.

app2 is still alive because its session is outside TGC2's control.

Thanks,
Qingfeng Zhang

2009/9/15 Marvin Addison <[email protected]>

> > I have tested the scenario on the 'renew' function:
> > 1. log on to app1 through CAS, get TGC1 (user1)
> > 2. log on to app1 using 'renew' through CAS again, get TGC2 (user2).
> > 3. go to app2 (protected by CAS), get user2's authorized info.
> >
> > The TGC2 will replace the first TGC1 in browser cookie.
> >
> > Is that the proper behavior for 'renew' function?
>
> The behavior you described is correct, but it's not the renew
> workflow.  For renew, you re-enter the credentials for user1, in which
> case you will _not_ be issued a new TGT.  Regardless of the renew
> parameter, every time you authenticate with new credentials you will
> be issued a new TGT.  This explains the new TGT when you authenticated
> as user2.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

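The following is an added example, not code from this thread or from the CAS project. It is a toy model of the ticket relationships in Qingfeng's steps a..f: one browser cookie (CASTGC) that a fresh login overwrites, applications that keep their own local session once a service ticket validates, and a single logout that destroys one TGT and notifies only the services that received a service ticket from that TGT. Those three behaviours are the assumptions of the model; class and function names are invented for illustration.

```python
"""Toy model of CAS TGT / service-ticket / single-logout relationships.

Added example, not CAS code. Assumptions (simplified model):
- the browser holds one CASTGC cookie; a new login replaces it;
- an application keeps its own session after validating an ST and
  does not consult the TGT again;
- single logout destroys one TGT and notifies only the services that
  were issued an ST from that TGT.
"""
import itertools

_counter = itertools.count(1)


class Application:
    """A CAS-protected application with its own local session store."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}        # session id -> user
        self.session_by_st = {}   # service ticket -> session id (for SLO)

    def establish_session(self, st, user):
        sid = f"{self.name}-sess-{next(_counter)}"
        self.sessions[sid] = user
        self.session_by_st[st] = sid
        return sid

    def logout_request(self, st):
        """Handle a single-logout notification naming one service ticket."""
        sid = self.session_by_st.pop(st, None)
        self.sessions.pop(sid, None)

    def current_user(self, sid):
        return self.sessions.get(sid)


class CASServer:
    def __init__(self):
        self.tgts = {}     # TGT id -> user
        self.issued = {}   # TGT id -> [(application, st), ...]

    def authenticate(self, user):
        """New credentials always produce a new TGT."""
        tgt = f"TGT-{next(_counter)}-{user}"
        self.tgts[tgt] = user
        self.issued[tgt] = []
        return tgt

    def grant_service_ticket(self, tgt, app):
        if tgt not in self.tgts:
            raise PermissionError("unknown or expired TGT")
        st = f"ST-{next(_counter)}"
        self.issued[tgt].append((app, st))
        return st, self.tgts[tgt]

    def single_logout(self, tgt):
        """Destroy one TGT and notify every service that got an ST from it."""
        self.tgts.pop(tgt, None)
        for app, st in self.issued.pop(tgt, []):
            app.logout_request(st)


class Browser:
    def __init__(self, cas):
        self.cas = cas
        self.tgc = None          # CASTGC cookie: a single value
        self.app_sessions = {}   # application name -> local session id

    def login(self, app, user):
        """Authenticate with new credentials; the new TGC overwrites the old."""
        self.tgc = self.cas.authenticate(user)
        self.app_sessions.pop(app.name, None)   # forced round trip to CAS
        return self.visit(app)

    def visit(self, app):
        """Return the user the application considers logged in, or None."""
        sid = self.app_sessions.get(app.name)
        if sid and app.current_user(sid):
            return app.current_user(sid)        # local session; CAS not consulted
        if self.tgc is None:
            return None
        st, user = self.cas.grant_service_ticket(self.tgc, app)
        self.app_sessions[app.name] = app.establish_session(st, user)
        return user

    def single_sign_out(self):
        if self.tgc is not None:
            self.cas.single_logout(self.tgc)
            self.tgc = None


def run_scenario():
    """Steps a..f from the message above; returns who each app still sees."""
    cas = CASServer()
    app1, app2, app3 = Application("app1"), Application("app2"), Application("app3")
    browser = Browser(cas)
    browser.login(app1, "user1")    # a: TGC1 (user1)
    browser.visit(app2)             # b: app2 session issued under TGC1
    browser.login(app1, "user2")    # c: TGC2 (user2) replaces TGC1 in the cookie
    browser.visit(app3)             # d: app3 session issued under TGC2
    browser.single_sign_out()       # e: destroys TGC2, notifies app1 and app3
    return {app.name: app.current_user(browser.app_sessions.get(app.name))
            for app in (app1, app2, app3)}


if __name__ == "__main__":
    print(run_scenario())   # app2 still maps to user1; app1 and app3 are logged out
```

Under these assumptions the app2 session survives step e because CAS only knows it as a service of TGC1, which the browser no longer presents; TGC1 itself also stays valid on the server until it expires.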