We have developed our own expiration policy called:
DistributedTimeoutExpirationPolicy

Our scenario:
When CAS checks a TGT for expiration, it checks whether
at least one session exists which has not expired.
By “session” I mean: CAS session + all application sessions to which the user gains access via CAS.

For single-sign-out purposes the TGT contains STs (service tickets) with links to all applications the user has gained access to via CAS. Applications also know the STs which are needed to log out the user on a CAS logoutRequest. We loop through the application links and query them for the user’s last-click-time.
If:
current_time - last-click-time > TGT-expiration-time (defined in the grantingTicketExpirationPolicy bean)
is true, the session is treated as expired.

Obviously, we need to implement this within applications. But it’s very easy and similar to handling logoutRequest in an application.

An additional advantage of such a solution is that session expiration in all applications is controlled by CAS (assuming that application session timeouts are longer than the TGT's).

It would be great if such an Expiration Policy was in CAS by default.

--
Michal Pysz
Information Technology Section
Jagiellonian University
Krakow, Poland

https://login.uj.edu.pl/
http://www.jasig.org/cas/deployments/jagiellonian-university-




On 2010-08-19 16:41, Murat Can ALPAY wrote:
I am planning to add a new, so I think, ticket expiration policy for our
app.

My requirement is that CAS should expire tickets when all of the
clients using a certain ticket time out.

An example scenario would be:
A user logs in to web applications A and B.
Application A times out eventually. CAS should not expire the ticket.
Application B times out. Since the user is timed out from all the apps
now, CAS should expire the ticket.

I am thinking that it should be doable by registering the session IDs
of the apps with the CAS ticket. And the expiration policy should check
whether all the applications associated with the ticket have timed out. First use
of the ticket should be omitted from above.

Has anybody required or done a similar thing? Does such a policy already
exist? What do you think?

I hope I have been clear enough.

Thanks,

--
Murat Can ALPAY
http://mcatr.blogspot.com

--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
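
The check described in the reply above (a TGT stays valid while at least one session, CAS or application, has not expired), written out as an added example that is not code from either poster or from CAS. The AppSession interface, the method names, the sample values and the fail-closed handling of an application that does not answer are assumptions made for this illustration.

```java
import java.util.List;
import java.util.OptionalLong;

// Added illustration: all names here are hypothetical, not CAS classes.
public class DistributedTimeoutSketch {

    /** Hypothetical view of one application session reachable through an ST link. */
    interface AppSession {
        // Last-click time in epoch millis, or empty if the application did not answer.
        OptionalLong lastClickTime();
    }

    /** A session is expired when current_time - last-click-time > TGT-expiration-time. */
    static boolean sessionExpired(long now, long lastClick, long tgtTimeoutMs) {
        return now - lastClick > tgtTimeoutMs;
    }

    /**
     * The TGT is expired only when the CAS session and every application session are expired.
     * Assumption: an application that does not answer counts as expired (fail closed),
     * so an unreachable application cannot keep the TGT alive indefinitely.
     */
    static boolean tgtExpired(long now, long casLastUsed, List<AppSession> apps, long tgtTimeoutMs) {
        if (!sessionExpired(now, casLastUsed, tgtTimeoutMs)) {
            return false; // the CAS session itself is still active
        }
        for (AppSession app : apps) {
            OptionalLong lastClick = app.lastClickTime();
            if (lastClick.isPresent() && !sessionExpired(now, lastClick.getAsLong(), tgtTimeoutMs)) {
                return false; // at least one application session is still active
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values: 2 hour TGT timeout, times in milliseconds.
        long now = 10_000_000L, timeout = 7_200_000L;
        AppSession idleA = () -> OptionalLong.of(now - 8_000_000L);  // idle past the timeout
        AppSession activeB = () -> OptionalLong.of(now - 60_000L);   // clicked a minute ago
        AppSession down = OptionalLong::empty;                       // did not answer
        long casIdle = now - 9_000_000L;                             // CAS session idle past the timeout
        System.out.println("A idle, B active: expired=" + tgtExpired(now, casIdle, List.of(idleA, activeB), timeout));
        System.out.println("A idle, app down: expired=" + tgtExpired(now, casIdle, List.of(idleA, down), timeout));
    }
}
```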

