Hi Guys,

I have a policy of allowing only a unique valid session per user identifier.
Given such a situation, I have developed a PoC to test the concept and this
policy is now working perfectly.

I created an adapter/delegate class to override the method (public String
createTicketGrantingTicket(Credentials credentials)) of the
CentralAuthenticationServiceImpl class.

Basically, the new method checks, before issuing a new ticket, whether the user
has a valid session. If the session exists it is destroyed and a new session
is created.

Currently, I believe this is still a naive implementation, since replicating
data and synchronous single sign out are very expensive.

Please, what do you think of this solution?

Cheers,
Yuri Feitosa Negócio
/**
 * Adapter override of CentralAuthenticationServiceImpl#createTicketGrantingTicket.
 * Authenticates and builds the TGT exactly as the original service does, then
 * enforces one live TGT per principal through uniqueSessionPolicyRegistry
 * (a registry of this adapter, not a CAS class).
 *
 * @throws IllegalArgumentException if the credentials are null.
 */
@Audit(
    action = "TICKET_GRANTING_TICKET",
    actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER",
    resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Profiled(tag = "CREATE_TICKET_GRANTING_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String createTicketGrantingTicket(final Credentials credentials)
        throws TicketException {
    Assert.notNull(credentials, "credentials cannot be null");

    try {
        // Authenticate with the configured AuthenticationManager, as CAS does.
        final Authentication authentication =
            this.authenticationManager.authenticate(credentials);

        final TicketGrantingTicket ticketGrantingTicket = new TicketGrantingTicketImpl(
            this.ticketGrantingTicketUniqueTicketIdGenerator
                .getNewTicketId(TicketGrantingTicket.PREFIX),
            authentication,
            this.ticketGrantingTicketExpirationPolicy);

        // Look up the session currently recorded for this principal, if any.
        final String principalId = authentication.getPrincipal().getId();
        final UniqueSessionPolicyTicket uniqueSessionPolicyTicket =
            this.uniqueSessionPolicyRegistry.getTicket(principalId);

        if (uniqueSessionPolicyTicket != null) {
            // A session exists: single sign out the old TGT through the wrapped
            // service, then point the policy ticket at the new TGT.
            if (log.isDebugEnabled()) {
                log.debug("Unique session ticket found. Single Sign Out to old user "
                    + "and update unique session ticket. " + uniqueSessionPolicyTicket);
            }
            this.originalCentralAuthenticationService
                .destroyTicketGrantingTicket(uniqueSessionPolicyTicket.getTicketGrantingTicketId());
            uniqueSessionPolicyTicket.setTicketGrantingTicketId(ticketGrantingTicket.getId());
            this.uniqueSessionPolicyRegistry.updateTicket(uniqueSessionPolicyTicket);
        } else {
            // First session for this principal: record the new TGT against it.
            if (log.isDebugEnabled()) {
                log.debug("Unique session ticket not found. Creating new unique "
                    + "session ticket for principal " + principalId);
            }
            this.uniqueSessionPolicyRegistry.createTicket(
                new UniqueSessionPolicyTicketImpl(principalId, ticketGrantingTicket.getId()));
        }

        this.ticketRegistry.addTicket(ticketGrantingTicket);
        return ticketGrantingTicket.getId();
    } catch (final AuthenticationException e) {
        throw new TicketCreationException(e);
    }
}
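One detail worth checking in a single-session policy like the one above is that "getTicket(principal) == null, then createTicket(...)" is a check-then-act sequence: two logins for the same principal arriving at the same moment can both see no existing session and both end up with a live TGT, which is exactly what the policy is meant to prevent. The class below is an added, self-contained illustration (not code from this thread and not a CAS class; SingleSessionRegistry, register, release and the revoker callback are hypothetical names) of the same bookkeeping done with an atomic put on a ConcurrentMap, so that of any number of racing logins exactly one TGT survives and every other one is revoked. It also shows the other piece the adapter needs: when a TGT ends by logout or expiry, the principal's entry must be cleared, and cleared conditionally, so that a late expiry of an old ticket cannot knock out a newer login.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;

/**
 * One-live-TGT-per-principal bookkeeping, kept beside (not inside) the CAS
 * TicketRegistry. Hypothetical class written for this example.
 */
public final class SingleSessionRegistry {

    /** principal id -> id of the single TGT currently allowed for that principal. */
    private final ConcurrentMap<String, String> activeTgtByPrincipal = new ConcurrentHashMap<>();

    /** Revokes a TGT by id; in the adapter this would call destroyTicketGrantingTicket. */
    private final Consumer<String> revoker;

    public SingleSessionRegistry(Consumer<String> revoker) {
        this.revoker = revoker;
    }

    /**
     * Records newTgtId as the only live TGT for principalId and revokes the
     * previous one. ConcurrentMap.put is atomic, so two logins racing for the
     * same principal cannot both observe "no session": the later put receives
     * the earlier TGT id and revokes it. Returns the replaced id, or null.
     */
    public String register(String principalId, String newTgtId) {
        String previous = activeTgtByPrincipal.put(principalId, newTgtId);
        if (previous != null && !previous.equals(newTgtId)) {
            revoker.accept(previous);
        }
        return previous;
    }

    /**
     * Called when a TGT ends for any reason (logout, expiry cleaner). The
     * conditional remove only clears the entry if it still names this TGT, so
     * a stale notification for an old ticket never removes a newer login.
     */
    public boolean release(String principalId, String tgtId) {
        return activeTgtByPrincipal.remove(principalId, tgtId);
    }

    public String activeTgt(String principalId) {
        return activeTgtByPrincipal.get(principalId);
    }

    // Demonstration: 50 concurrent logins for one constructed principal, then logout.
    public static void main(String[] args) throws InterruptedException {
        Map<String, Boolean> revoked = new ConcurrentHashMap<>();
        SingleSessionRegistry registry = new SingleSessionRegistry(id -> revoked.put(id, Boolean.TRUE));

        int logins = 50;
        ExecutorService pool = Executors.newFixedThreadPool(8);
        CountDownLatch start = new CountDownLatch(1);
        for (int i = 0; i < logins; i++) {
            final String tgtId = "TGT-" + i; // constructed sample ticket id
            pool.execute(() -> {
                try {
                    start.await();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
                registry.register("alice", tgtId);
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);

        // Exactly one TGT remains usable (the last put), and it was never revoked;
        // the other 49 were revoked by whichever login came after them.
        String survivor = registry.activeTgt("alice");
        System.out.println("surviving TGT for alice: " + survivor);
        System.out.println("revoked " + revoked.size() + " of " + logins
                + "; survivor revoked? " + revoked.containsKey(survivor));

        // A late release for an already-revoked ticket must leave the survivor alone.
        String stale = revoked.keySet().iterator().next();
        System.out.println("stale release ignored: " + !registry.release("alice", stale));
        System.out.println("logout clears mapping: " + registry.release("alice", survivor));
    }
}
```

Running main prints that 49 of the 50 tickets were revoked, that the surviving ticket is not among them, that the stale release is ignored and that the real logout clears the entry. In the adapter, release would be wired to the TGT's destruction and expiry path so the policy registry never points at a ticket the TicketRegistry has already dropped.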
On Thu, Jan 6, 2011 at 1:02 AM, Scott Battaglia <[email protected]> wrote:

> On Tue, Jan 4, 2011 at 1:47 PM, Yuri Negocio Negocio <[email protected]> wrote:
>
>> Guys,
>>
>> Does anyone know whether it is possible to ensure a single session per
>> user in single sign on?
>
> It's not supported out of the box. You'd have to have a custom
> TicketRegistry.
>
>> If a new user Ticket Granting Cookie is created, is the previous one
>> destroyed?
>
> If you create a new ticket via renew=true, then the old one is destroyed.
> They are not destroyed across web browsers.
>
>> Is there any way to ensure the validity of the TGC from a partner web
>> application? To prevent multiple user session tickets?
>
> No one can see the TGC but the CAS Server so I'm not sure I follow.
>
> Cheers,
> Scott
>
>> Cheers,
>>
>> Yuri
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>