Hi,

The approach we took with the .NET CAS Client was to have a Service
Ticket Manager (implemented by an interface) which stores the service
ticket at the web application level after it is validated by the CAS
server.  It is treated as an authentication session identifier for the
client.

We only have one implementation at this point where the service ticket
is stored in memory on the application's web server (using the ASP.NET
Cache implementation) but we plan on implementing the interface with a
database or distributed-cache based back-end.  The client presents the
service ticket on each request (via an encrypted cookie) and the ticket
is not considered valid unless it is still in the service ticket manager
(the tickets are removed from the Service Ticket Manager automatically
whenever they are set to expire).

The entire concept is opt-in.  If you don't configure a Service Ticket
Manager, CAS authentication still works without the features below.

Some of the benefits that come with this approach are: 
- enables load balanced or clustered web applications to support
single-sign out (with a db or dist cache implementation).
- allows site admins to invalidate service tickets explicitly (i.e.,
kick the user from the app)
- allows site admins to see who is currently online
- ability to detect or prevent multiple logins per user and/or per IP
address
- allow a second login per user, but automatically kick any previously
outstanding tickets for that user (LIFO implementation prevents users
from sharing their usernames & passwords to use the application
simultaneously)
- eliminates a cookie tampering attack vector (even though this is a very
difficult attack vector due to ticket & cookie encryption)

I realize that the mechanics of the Java client are different due to
architectural differences in the stack, but the concept might be
something worth incorporating into other client implementations (at
least for the clustering/load balanced/DNS round-robin single-sign out).


http://www.ja-sig.org/wiki/display/CASC/.Net+Cas+Client
https://www.ja-sig.org/svn/cas-clients/dotnet-client/trunk/

-ScottH
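The Service Ticket Manager concept described above, as an added, language-neutral sketch (not code from the .NET CAS Client): an in-memory store with automatic expiry, per-request validation, explicit revocation for single sign-out or admin kicks, an optional LIFO one-ticket-per-user rule, and a "who is online" view. The class, method and ticket names are constructed; a clustered deployment would replace the two dictionaries with a shared database or distributed cache.

```python
import time

class ServiceTicketManager:
    """In-memory CAS service ticket store (constructed example). A ticket is the
    client's authentication session id: it is valid only while present here, so
    removing it (expiry, single sign-out, admin kick) ends the session."""

    def __init__(self, ttl_seconds=1800, lifo=True, clock=time.time):
        self.ttl = ttl_seconds
        self.lifo = lifo          # one live ticket per user, newest wins
        self.clock = clock        # injectable for deterministic tests
        self._tickets = {}        # ticket id -> (username, expiry timestamp)
        self._by_user = {}        # username -> set of live ticket ids

    def _purge_expired(self):
        now = self.clock()
        for ticket, (_, expiry) in list(self._tickets.items()):
            if expiry <= now:
                self.revoke(ticket)

    def insert(self, ticket, username):
        """Store a ticket the CAS server has just validated for `username`."""
        self._purge_expired()
        if self.lifo:
            # Kick any outstanding ticket for this user (shared-credential defence).
            for old in list(self._by_user.get(username, ())):
                self.revoke(old)
        self._tickets[ticket] = (username, self.clock() + self.ttl)
        self._by_user.setdefault(username, set()).add(ticket)

    def is_valid(self, ticket):
        """Check on every request: the cookie's ticket must still be stored."""
        self._purge_expired()
        return ticket in self._tickets

    def revoke(self, ticket):
        """Drop a ticket; used by single sign-out and by explicit admin kicks."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return False
        username = entry[0]
        self._by_user[username].discard(ticket)
        if not self._by_user[username]:
            del self._by_user[username]
        return True

    def online_users(self):
        self._purge_expired()
        return sorted(self._by_user)  # users holding at least one live ticket
```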

> -----Original Message-----
> From: Chad Wittrock [mailto:[email protected]]
> Sent: Friday, April 09, 2010 10:21 AM
> To: [email protected]
> Subject: Re: [cas-user] Single Sign Out with Multiple OC4J Containers
> 
> Thanks for the link to that thread. I haven't had much luck searching
> the archive so far, but this gives me some leads.
> 
> I was actually leaning towards modifying the CAS Single Sign Out filters
> to make them aware of the other JVMs and invalidate each of them.
> 
> The idea I plan to use is to modify one of the CAS sign on filters to
> write the ticket id to a file on the server. My custom sign-on filters
> (used for authorization, demographic data loading to session, etc) will
> check for that file before allowing the user into the application. I
> will then modify the CAS single sign out filter to remove this file when
> it receives the single sign out message. Since this file is shared
> server wide, each JVM will check for that file when the sign-on filters
> run to validate the user is actually logged in.
> 
> This is my plan, now to make it work...
> 
> Thanks,
> Chad
> 
> On 4/9/2010 8:50 AM, Marvin Addison wrote:
> >> When the single sign out message comes in, it depends which JVM
> >> handles that request as to which application(s) will actually get
> >> logged out. Only applications that have a session in the JVM will
> >> be logged out.
> >
> > You've described a particular flavor of the clustered CAS client
> > scenario, and we've discussed solutions to this recently.  As Scott
> > said it's not supported at present, but there are solutions depending
> > on your deployment scenario.  There are lots of threads on cas-user
> > and cas-dev lists where we discuss options;
> > http://n4.nabble.com/Problem-with-sessions-td1690919.html is one of
> > the better ones.
> >
> > M
> >
> 
> --
> ------------------------------------------------------------------------------
> Chad M Wittrock ([email protected])
> Systems Analyst/Web Apps
> University of Northern Iowa
> (319) 273-7437
> 