Hi,

I'm not very familiar with the Java client, but everything you described should be fixable.

On 09.07.2010 17:23, Bryan Wooten wrote:
Ok, sorry if this gets a bit long-winded. The behavior I will describe
below is causing one of our developers to scream, “Security Holes!”. So
I am doing my best to mitigate his concerns, and along the way I am trying
to gain a deep understanding of the ins and outs of the CAS Client and
Server.

So here is the scenario, 2 users and 2 applications, using a Firefox
browser.

I access application 1 as user 1 and get redirected to CAS login. After
login I can use application 1. Now I browse to the CAS logout URL and it
says I am successfully logged out. Except, as we know, I am not really
logged out of application 1 (single sign-out is disabled for all
applications because we are behind a load balancer). So here is the
first “Security Hole”: the user can still access the application without
being asked to log in again.

Now if I try to access application 2, I will be asked to log in again.
So I log in as user 2 and use application 2. Now here is the second
“Security Hole”. In application 1 I am still known as user 1 and in
application 2 I am known as user 2. The developer feels that the second
login should mean that application 1 should now see me as user 2.

If you want that behaviour you have to work on getting Single Sign-Out up or, as an alternative, implement a "gateway" call for every hit on your applications. This would in effect authenticate every new page hit with a call to the CAS server. Not pleasant for the servers, but "safe" without Single Sign-Out. phpCAS, for example, has a gateway call and can even cache the user for n hits to reduce the number of revalidation calls to 1/n. This was implemented before Single Sign-Out was implemented.

I believe all this is explained by the behavior of JSESSION IDs since
each application gets its own jsession (but I could be way off on this
assessment)

I have no clue what would happen if I introduced a 3rd application into
the mix. If I hit the 3rd application, which login would it recognize?

A third application would get the 2nd login since you never logged out.

You have to accept that there is no live connection between your local application session and the central SSO session. Once you have an SSO session (TGT) you will get local sessions (your applications) via an ST or PT. Since a new re-authentication against the CAS server is very expensive, a local session does not get validated against the TGT again during your local session unless you manually force it to revalidate (session.invalidate(), forced gateway call or renew call). The best solution is a working Single Sign-Out, because it will realize exactly the behaviour you want.

I am trying to find a way to make my applications always go back to the
CAS server to see if the user has logged out via the CAS logout URL. I
don’t know if this is even possible without custom code. I am open to
writing my own custom filter or modifying the CAS client itself. I was
hoping some combination of renew = true or useSession=false would
accomplish this.
Check out gateway mode. It's a non-interactive login procedure that will create a local session for people with an active CAS session. In combination with a session.invalidate() it should do the trick.

I have tried various combinations of renew=true and useSession=false and
different filter orderings, none of which I can get to work. So at this
point I am planning on diving head first into the client code and figuring
out exactly what the parameters do and how they work.

Have a look at the CAS protocol and maybe check how CAS is supposed to work. I have the feeling you're not that familiar with what CAS can do and what will simply never work regardless of the client.
http://www.jasig.org/cas/protocol

I also recognize that our applications should all have “logout” buttons
or links that would allow us to invalidate the session and log that
application out of CAS. I won’t bore you with the politics of the logout
button. Sigh.
I'm not really sure what your goal is. No logout button, just a central kill button for all sessions?


Cheers,

Joachim
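The "gateway call plus session.invalidate()" approach and the phpCAS-style 1/n revalidation described above, sketched as a servlet filter. This is an added example, not code from the thread or from the Jasig CAS client; it assumes the Jasig Java client's AuthenticationFilter runs after it with gateway=true, and the class name, the init-param "revalidateEvery" and the session attribute name are made up here.

```java
// Added example (not from the thread or the Jasig CAS client): a servlet
// filter that forces the local session to be re-checked against the CAS
// server every N requests, in the spirit of the phpCAS "1/n" revalidation.
// Assumption: the Jasig Java client's AuthenticationFilter is mapped after
// this filter with gateway=true, so an invalidated local session triggers a
// non-interactive check of the TGT at the CAS server rather than a prompt.
// The class name, the init-param and the attribute name are hypothetical.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class PeriodicRevalidationFilter implements Filter {
    private static final String COUNTER = "revalidation.hits"; // assumed attribute name
    private int revalidateEvery = 10;                          // assumed default

    @Override
    public void init(FilterConfig config) {
        String n = config.getInitParameter("revalidateEvery");
        if (n != null) {
            revalidateEvery = Math.max(1, Integer.parseInt(n.trim()));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session != null && shouldRevalidate(session)) {
            // Drop the local session: the downstream CAS filter (gateway mode)
            // now has to ask the CAS server whether the SSO session still exists.
            session.invalidate();
        }
        chain.doFilter(req, resp);
    }

    // Counts hits stored in the local session; true on every N-th request.
    boolean shouldRevalidate(HttpSession session) {
        Integer hits = (Integer) session.getAttribute(COUNTER);
        int next = (hits == null ? 0 : hits) + 1;
        if (next >= revalidateEvery) {
            return true;
        }
        session.setAttribute(COUNTER, next);
        return false;
    }

    @Override
    public void destroy() { }
}
```

In gateway mode a request that comes back from CAS without a ticket is passed through unauthenticated, so protected resources must still check that a CAS assertion is present before serving content; a lower N means fewer requests served on a dead TGT at the cost of more CAS round trips.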
