On Tue, Feb 9, 2010 at 10:41 AM, Dallas <[email protected]> wrote:
>
> I've been stepping through the CAS authentication and validation filters in
> the CAS client (3.1.6). It appears that after the authentication filter and
> the ST validation filter fire, and the Assertion object is put in session,
> the service app is then decoupled from the CAS server. i.e. Once the
> Assertion object is in the session, as you navigate around the pages of an
> app, you won't redirect to CAS server for a login prompt (which makes
> sense), but you also won't attempt to validate a service ticket since there
> is no service ticket on the request. Perhaps this is the desired behavior
> but I would have expected that after the initial login and validation step,
> as you navigate around the app, that the validation filter would request a
> service ticket from the CAS server if a service ticket was not on the
> request in order to verify with CAS that the user's session continues to be
> authenticated. Is the behavior I'm seeing correct or am I missing something?

The behavior you are seeing is correct. CAS is not a Session Manager in the sense you are describing. Once the user is authenticated (i.e. service ticket validated, assertion accepted by the app), CAS is essentially out of the picture from the perspective of the application. It's the app's responsibility to deal with any application session management that is needed.

In addition there is the CAS SSO session which is a fixed window where the TGT remains valid. This only comes into play when requesting new Service Tickets, usually for access to other applications.

Hope this helps.

Bill
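
The flow discussed in this thread, as an added Python model (not CAS client code and not written by either poster): once the assertion is in the application session the CAS server is never contacted again, so any session expiry has to be enforced by the application. `FakeCasServer`, `handle_request`, the `assertion` session key and `max_age` are assumptions made for illustration.

```python
import itertools

class FakeCasServer:
    """Constructed stand-in for a CAS server (not the real protocol endpoints)."""
    def __init__(self):
        self.sso_active = False      # models the SSO session (TGT still valid)
        self.user = None
        self.tickets = {}            # outstanding service tickets -> user
        self.validations = 0         # how often an app asked us to validate
        self._ids = itertools.count(1)

    def login(self, user):
        self.sso_active, self.user = True, user

    def issue_ticket(self):
        if not self.sso_active:
            return None              # a real server would show the login form
        st = f"ST-{next(self._ids)}"
        self.tickets[st] = self.user
        return st

    def validate(self, st):
        self.validations += 1
        return self.tickets.pop(st, None)   # service tickets are single use

def handle_request(session, params, cas, now, max_age=None):
    """Model of the authentication + ticket validation filter decision.
    max_age=None is the behavior described in the thread; a number is an
    application-side absolute session lifetime in seconds (assumed policy)."""
    auth = session.get("assertion")
    if auth and max_age is not None and now - auth["validated_at"] > max_age:
        session.clear()              # the app, not CAS, ends its own session
        auth = None
    if auth:
        return "serve"               # no ticket on the request, CAS not contacted
    user = cas.validate(params["ticket"]) if "ticket" in params else None
    if user:
        session["assertion"] = {"user": user, "validated_at": now}
        return "serve"
    return "redirect-to-cas"

def demo():
    cas, session = FakeCasServer(), {}
    cas.login("alice")               # constructed user name
    out = [handle_request(session, {}, cas, now=0)]
    out.append(handle_request(session, {"ticket": cas.issue_ticket()}, cas, now=1))
    cas.sso_active = False           # SSO session ends at the CAS server
    out.append(handle_request(session, {}, cas, now=100))
    out.append(handle_request(session, {}, cas, now=100_000, max_age=28_800))
    return out, cas.validations
```
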
