Ok, sorry if this gets a bit long-winded. The behavior I will describe below is causing one of our developers to scream, "Security Holes!". So I am doing my best to mitigate his concerns and along the way I am trying to gain a deep understanding of the ins and outs of the CAS Client and Server.

So here is the scenario: 2 users and 2 applications, using a Firefox browser. I access application 1 as user 1 and get redirected to CAS login. After login I can use application 1. Now I browse to the CAS logout URL and it says I am successfully logged out. Except, as we know, I am not really logged out of application 1 (single sign is disabled for all applications because we are behind a load balancer). So here is the first "Security Hole": the user can still access the application without being asked to log in again.

Now if I try to access application 2, I will be asked to log in again. So I log in as user 2 and use application 2. Now here is the second "Security Hole". In application 1 I am still known as user 1 and in application 2 I am known as user 2. The developer feels that the second login should mean that application 1 should now see me as user 2. I believe all this is explained by the behavior of JSESSION IDs, since each application gets its own jsession (but I could be way off on this assessment). I have no clue what would happen if I introduced a 3rd application into the mix. If I hit the 3rd application, which login would it recognize?

I am trying to find a way to make my applications always go back to the CAS server to see if the user has logged out via the CAS logout URL. I don't know if this is even possible without custom code. I am open to writing my own custom filter or modifying the CAS client itself. I was hoping some combination of renew=true or useSession=false would accomplish this. I have tried various combinations of renew=true and useSession=false and different filter ordering, none of which I can get to work. So at this point I am planning on diving head first into the client code to figure out exactly what the parameters do and how they work.

I also recognize that our applications should all have "logout" buttons or links that would allow us to invalidate the session and log that application out of CAS. I won't bore you with the politics of the logout button. Sigh.

Thanks,
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593

From: Scott Battaglia [mailto:[email protected]]
Sent: Thursday, July 08, 2010 7:50 PM
To: [email protected]
Subject: Re: [cas-user] useSession=false problem

What order do you have the filters in? Also, is there a reason you don't need sessions?

On Thu, Jul 8, 2010 at 1:26 PM, Bryan Wooten <[email protected]> wrote:

When I set useSession=false in the Cas20ProxyReceivingTicketValidationFilter I get this after I :

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

If I set renew=true in conjunction with useSession=false I can never get off the CAS login page.

Any ideas?

Thanks,
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
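For reference on the filter-ordering question raised in the thread, the following web.xml fragment is an added example (not from the thread or the CAS project's own distribution) of the usual Jasig Java CAS client 3.x filter chain, with the renew and useSession parameters the thread discusses. Host names, the context path and the redirectAfterValidation handling are assumptions for illustration.

```xml
<!-- Constructed example: Jasig Java CAS client 3.x filter chain.
     cas.example.org / app1.example.org are placeholder hosts. -->

<!-- Lets CAS single sign-out requests invalidate the local HttpSession. -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- 1. Single sign-out filter: placed first so a logout request from the
        CAS server is processed before any authentication check runs. -->
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>

<!-- 2. Authentication filter: redirects to CAS login when no assertion
        is present. renew=true makes CAS re-prompt for credentials even
        if the browser already holds a CAS SSO session cookie. -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param><param-name>casServerLoginUrl</param-name><param-value>https://cas.example.org/cas/login</param-value></init-param>
  <init-param><param-name>serverName</param-name><param-value>https://app1.example.org</param-value></init-param>
  <init-param><param-name>renew</param-name><param-value>true</param-value></init-param>
</filter>

<!-- 3. Ticket validation filter: renew must match the authentication
        filter. useSession=false stops the assertion being cached in the
        HttpSession, so every request needs a fresh service ticket;
        redirectAfterValidation=false is an assumption made here because
        with no session there is nothing to carry the assertion across the
        post-validation redirect that strips the ticket from the URL. -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param><param-name>casServerUrlPrefix</param-name><param-value>https://cas.example.org/cas</param-value></init-param>
  <init-param><param-name>serverName</param-name><param-value>https://app1.example.org</param-value></init-param>
  <init-param><param-name>renew</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>useSession</param-name><param-value>false</param-value></init-param>
  <init-param><param-name>redirectAfterValidation</param-name><param-value>false</param-value></init-param>
</filter>

<!-- 4. Request wrapper: exposes the validated principal via
        HttpServletRequest.getRemoteUser() / getUserPrincipal(). -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<!-- filter-mapping elements must list the four filters in this same order. -->
```

Because the container applies filters in filter-mapping order, the mappings (omitted above) must repeat the order 1 to 4, which is the ordering Scott's question is getting at.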
