How do you get to log in a second time? If I hit the CAS server a second time while I still have a valid CAS session, I will never see a prompt but just the message "Log In Successful" or the usual SSO autologin for any casified app. To change my identity I have to /logout and then hit a new /login page.

What you might experience is some kind of nasty overlap of local sessions vs. CAS (TGT session) and maybe disabled SSO for the service? A "normal" casified application will not refresh your CAS-authenticated session unless you trigger it manually (renew=true). The "client session" is not really dependent on any existing CAS session and is created during the initial login process for the client application. It also depends on your casified application itself, which might have its own session handling.

The only way a dependency between the CAS session and the "client session" can be created is a working single sign-out connector between your CAS server and your local applications. Destroying a CAS session will then kill _all_ sessions of casified apps that have single sign-out enabled.

Switching with single sign-out would then work like this:

- hit app1
- redirect to cas login as user1
- work as user 1
- hit the /logout url
- CAS server broadcasts the logout to all apps
- all cas clients that have single sign-out implemented kill local sessions
- you can hit any cas app
- redirect to cas and login as user2

Another solution without single sign-out is closing the browser as a quick and dirty solution since cas default cookies are only session cookies. This might only be a problem if some of your apps have persistent cookies that cache the authentication.

Cheers,

Joachim




On 28.06.2010 15:47, Bryan Wooten wrote:
Yes, I understand that Firefox shares cookies between tabs (and
instances) while IE only shares cookies between tabs.

The behavior I described below is quite disconcerting to our testers. So
is this test:

1. Log in to CAS as user1 and go to Application

2. Open new tab

3. Log in to CAS as user2

4. Go to application in new tab – you are still user one!

5.

This is true for both IE and Firefox. This behavior will be a show
stopper for us. It is imperative we maintain the behavior our users
expect. If I do the same test logging into our Peoplesoft portal the
application will always see the user as the second login. This is the
behavior I also would expect. (i.e. last login wins)

Is something mis-configured on our CAS server?

I thought I could change this behavior by setting “useSession = false”
in the Cas20ProxyReceivingTicketValidationFilter but that completely
broke the application. Firefox detected an endless redirect loop and
stopped. In IE I could see the endless loop in my log files.

Thanks for any help on this.

Here is my web.xml:

<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://xxx.utah.edu/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>service</param-name>
    <param-value>https://guide/uofu/stu/GraduateTracking</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://guide</param-value>
  </init-param>
  <init-param>
    <param-name>artifactParameterName</param-name>
    <param-value>ticket</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://xxx.utah.edu/cas</param-value>
  </init-param>
  <init-param>
    <param-name>service</param-name>
    <param-value>https://guide/uofu/stu/GraduateTracking</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://guide</param-value>
  </init-param>
  <!--<init-param>
    <param-name>useSession</param-name>
    <param-value>false</param-value>
  </init-param>-->
</filter>

<filter>
  <filter-name>CAS Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

Bryan Wooten

UIT Systems Administrator

University of Utah

[email protected]

Work: 801.585.9323

Cell: 801.414.3593

*From:* Scott Battaglia [mailto:[email protected]]
*Sent:* Thursday, June 24, 2010 8:13 PM
*To:* [email protected]
*Subject:* Re: [cas-user] Question about CAS login/logout

Browsers share state between tabs. If you've logged into one and then
attempt to log into a second, it's most likely that it read the cookie
and used that session.

On Thu, Jun 24, 2010 at 3:11 PM, Bryan Wooten <[email protected]> wrote:

Hi all,

I am seeing some behavior I can’t quite explain or understand.

Using Firefox I log in to a CASified application (hitting the app
directly and then redirected to CAS login page). I then open a second
tab and log in as a different user using the CAS login page. On the
second tab I then hit the CASified application. On the second tab I
still have the identity of the first login. Why don’t I get the identity
of the second login?

Does this make sense?

Bryan Wooten

UIT Systems Administrator

University of Utah

[email protected]

Work: 801.585.9323

Cell: 801.414.3593

--

You are currently subscribed to [email protected] as: [email protected]

To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user


--
Joachim Fritschi
Hochschulrechenzentrum (HRZ)
L1|01 Raum 248
Petersenstr. 30
64287 Darmstadt

Tel. +49 6151 16-5638
Fax. +49 6151 16-3050
E-Mail: [email protected]
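
Added example, not part of the original thread: a web.xml fragment that adds the Java CAS client's single sign-out support to a configuration like the one quoted above, so that a CAS /logout also ends the application's local session and the next login cannot inherit the previous user's identity. The filter name and the /* url-pattern are assumptions; the two class names are the client's own.

```xml
<!-- Added example (not from the thread): single sign-out for the Java CAS client. -->

<!-- Drops the ticket-to-session mapping when the container expires or
     invalidates a session, so stale entries do not accumulate. -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- Remembers which service ticket created each local session and
     invalidates that session when the CAS server sends a logout
     request for the ticket. -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<!-- Filter mappings run in declaration order. This mapping has to come
     before the mappings of the CAS authentication, validation and
     wrapper filters, otherwise the logout request is treated as an
     unauthenticated hit and redirected to the login page.
     The /* pattern is an assumption; match it to the existing mappings. -->
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The logout notification is a request from the CAS server to the service URL, so that URL has to be reachable from the CAS server itself, not only from the user's browser.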
