Thanks for the reply. The testers get the login the second time by simply going to 
the CAS login page directly. Yes the login page recognizes the previous login, 
so they do a logout and then login as the second user.


I have added the following to my web.xml:

<!-- CAS:START - Java Client Single Sign Out Listener -->
    <listener>
        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
<!-- CAS:END -->
<filter>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
   <filter-name>CasSingleSignOutFilter</filter-name>
   <url-pattern>/*</url-pattern>
</filter-mapping>

But the test yields the same results.

Our CAS server is 3.2.? Do we need to upgrade the CAS server?

Thanks for your help.


Bryan Wooten

UIT Systems Administrator
University of Utah

[email protected]

Work: 801.585.9323
Cell: 801.414.3593


-----Original Message-----
From: Joachim Fritschi [mailto:[email protected]] 
Sent: Monday, June 28, 2010 8:22 AM
To: [email protected]
Subject: Re: [cas-user] Question about CAS login/logout - Show stopper

How do you get to login a second time? If I hit the CAS server a second 
time while I still have a valid CAS session I will never see a prompt 
but just the message "Log In Successful" or the usual SSO autologin for 
any casified app. To change my identity I have to /logout and then hit a 
new /login page.

What you might experience is some kind of nasty overlap of local 
sessions vs. CAS (TGT session) and maybe disabled SSO for the service?
A "normal" casified application will not refresh your CAS-authenticated 
session unless you trigger it manually (renew=true). The "client 
session" is not really dependent on any existing CAS session and is 
created during the initial login process for the client application. 
It also depends on your casified application itself, which might have 
its own session handling.

The only way a dependency between the CAS session and the 
"client-session" can be created is a working single sign-out connector 
between your CAS server and your local applications. Destroying a CAS 
session will then kill _all_ sessions of casified apps that have single 
sign-out enabled.

Switching with single sign-out would then work like this:

- hit app1
- redirect to cas login as user1
- work as user 1
- hit the /logout url
- CAS server broadcasts the logout to all apps
- all cas clients that have single sign-out implemented kill local 
sessions
- you can hit any cas app
- redirect to cas and login as user2

Another solution without single sign-out is closing the browser as a 
quick and dirty solution since cas default cookies are only session 
cookies.
This might only be a problem if some of your apps have persistent 
cookies that cache the authentication.

Cheers,

Joachim




On 28.06.2010 15:47, Bryan Wooten wrote:
> Yes, I understand that Firefox shares cookies between tabs (and
> instances) while IE only shares cookies between tabs.
>
> The behavior I described below is quite disconcerting to our testers. So
> is this test:
>
> 1. Login into CAS as user1 and goto Application
>
> 2. Open new tab
>
> 3. Login into CAS as user2
>
> 4. Goto application in new tab - you are still user one!
>
> 5.
>
> This is true for both IE and Firefox. This behavior will be a show
> stopper for us. It is imperative we maintain the behavior our users
> expect. If I do the same test logging into our Peoplesoft portal the
> application will always see the user as the second login. This is the
> behavior I also would expect. (i.e. last login wins)
>
> Is something mis-configured on our CAS server?
>
> I thought I could change this behavior by setting "useSession = false"
> in the Cas20ProxyReceivingTicketValidationFilter but that completely
> broke the application. Firefox detected an endless redirect loop and
> stopped. In IE I could see the endless loop in my log files.
>
> Thanks for any help on this.
>
> Here is my web.xml:
>
> <filter>
>   <filter-name>CAS Authentication Filter</filter-name>
>   <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
>   <init-param>
>     <param-name>casServerLoginUrl</param-name>
>     <param-value>https://xxx.utah.edu/cas/login</param-value>
>   </init-param>
>   <init-param>
>     <param-name>service</param-name>
>     <param-value>https://guide/uofu/stu/GraduateTracking</param-value>
>   </init-param>
>   <init-param>
>     <param-name>serverName</param-name>
>     <param-value>https://guide</param-value>
>   </init-param>
>   <init-param>
>     <param-name>artifactParameterName</param-name>
>     <param-value>ticket</param-value>
>   </init-param>
> </filter>
>
> <filter>
>   <filter-name>CAS Validation Filter</filter-name>
>   <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
>   <init-param>
>     <param-name>casServerUrlPrefix</param-name>
>     <param-value>https://xxx.utah.edu/cas</param-value>
>   </init-param>
>   <init-param>
>     <param-name>service</param-name>
>     <param-value>https://guide/uofu/stu/GraduateTracking</param-value>
>   </init-param>
>   <init-param>
>     <param-name>serverName</param-name>
>     <param-value>https://guide</param-value>
>   </init-param>
>   <!--<init-param>
>     <param-name>useSession</param-name>
>     <param-value>false</param-value>
>   </init-param>-->
> </filter>
>
> <filter>
>   <filter-name>CAS Wrapper Filter</filter-name>
>   <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
> </filter>
>
> Bryan Wooten
>
> UIT Systems Administrator
>
> University of Utah
>
> [email protected]
>
> Work: 801.585.9323
>
> Cell: 801.414.3593
>
> *From:* Scott Battaglia [mailto:[email protected]]
> *Sent:* Thursday, June 24, 2010 8:13 PM
> *To:* [email protected]
> *Subject:* Re: [cas-user] Question about CAS login/logout
>
> Browsers share state between tabs. If you've logged into one and then
> attempt to log into a second, it's most likely that it read the cookie
> and used that session.
>
> On Thu, Jun 24, 2010 at 3:11 PM, Bryan Wooten <[email protected]
> <mailto:[email protected]>> wrote:
>
> Hi all,
>
> I am seeing some behavior I can't quite explain or understand.
>
> Using Firefox I login into a CASified application (hitting the app
> directly and then redirected to CAS login page). I then open a second
> tab and login as a different user using the CAS login page. On the
> second tab I then hit the CASified application. On the second tab I
> still have the identity of the first login. Why don't I get the identity
> of the second login?
>
> Does this make sense?
>
> Bryan Wooten
>
> UIT Systems Administrator
>
> University of Utah
>
> [email protected] <mailto:[email protected]>
>
> Work: 801.585.9323
>
> Cell: 801.414.3593
>
> --
>
> You are currently subscribed to [email protected] as: [email protected]
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>


-- 
Joachim Fritschi
Hochschulrechenzentrum (HRZ)
L1|01 Raum 248
Petersenstr. 30
64287 Darmstadt

Tel. +49 6151 16-5638
Fax. +49 6151 16-3050
E-Mail: [email protected]
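
Added example, not part of the thread and not CAS or Java client code: a simplified Python model of the session behaviour described in the reply above, covering both the independence of the client session from the CAS (TGT) session and the single sign-out switching sequence. All class and function names are constructed for illustration, and ticket validation and HTTP redirects are collapsed into direct calls.

```python
import secrets

class CasServer:
    """Holds TGT sessions and remembers which apps each TGT issued tickets to."""
    def __init__(self):
        self.tgts = {}  # TGT cookie value -> {"user": ..., "issued": [(app, ST)]}

    def login(self, user):
        tgt = "TGT-" + secrets.token_hex(4)
        self.tgts[tgt] = {"user": user, "issued": []}
        return tgt

    def service_ticket(self, tgt, app):
        st = "ST-" + secrets.token_hex(4)
        self.tgts[tgt]["issued"].append((app, st))
        return st, self.tgts[tgt]["user"]  # ticket plus the validated principal

    def logout(self, tgt):
        # Single sign-out: notify every app this TGT issued a ticket for.
        for app, st in self.tgts.pop(tgt)["issued"]:
            app.logout_request(st)

class CasifiedApp:
    def __init__(self, single_sign_out):
        self.single_sign_out = single_sign_out
        self.sessions = {}   # local session cookie -> user
        self.by_ticket = {}  # ST -> local session cookie (used for sign-out)

    def visit(self, session_id, cas, tgt):
        if session_id in self.sessions:  # local session wins, CAS is not asked
            return session_id, self.sessions[session_id]
        st, user = cas.service_ticket(tgt, self)
        session_id = "S-" + secrets.token_hex(4)
        self.sessions[session_id] = user
        self.by_ticket[st] = session_id
        return session_id, user

    def logout_request(self, st):
        # Without a sign-out handler the broadcast is ignored by the app.
        if self.single_sign_out:
            self.sessions.pop(self.by_ticket.pop(st, None), None)

def switch_user(single_sign_out):
    """Same browser: app as user1, CAS /logout, CAS /login as user2, app again."""
    cas, app = CasServer(), CasifiedApp(single_sign_out)
    tgt = cas.login("user1")
    sid, _ = app.visit(None, cas, tgt)
    cas.logout(tgt)
    tgt = cas.login("user2")
    return app.visit(sid, cas, tgt)[1]  # identity the app reports afterwards
```
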

