Hi Marvin,

The SendTicketGrantingTicketAction does destroy the TGT, but it does not send a single-sign-out signal to services registered by principal X. Hence, the sessions on those services are still active for principal X, even after user Y has authenticated to CAS.

I guess Vivek is right regarding the fact that CAS should also send single-sign-out messages in case it destroys an old TGT to replace it with a new one for a new user. I do not see this as a security issue though, as the impersonation stems from the first user not logging out and not closing his browser (this is the true security problem). Still, it is a discomfort for the users and there seems to be an easy way to correct this.

Regards,
David

2011/3/23 Marvin Addison <[email protected]>
>
> * If in the browser, CASTGC cookie exists, then on receiving the
> authentication request on CAS server, this TGT should be expired and a SSOut
> signal should be sent to all the services registered against the TGT before
> granting a new TGT.
>
> The SendTicketGrantingTicketAction Web flow action has code to do
> exactly that (cited from 3.4.7 source):
>
>     protected Event doExecute(final RequestContext context) {
>         final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
>         final String ticketGrantingTicketValueFromCookie =
>             (String) context.getFlowScope().get("ticketGrantingTicketId");
>
>         if (ticketGrantingTicketId == null) {
>             return success();
>         }
>
>         this.ticketGrantingTicketCookieGenerator.addCookie(WebUtils.getHttpServletRequest(context),
>             WebUtils.getHttpServletResponse(context), ticketGrantingTicketId);
>
>         if (ticketGrantingTicketValueFromCookie != null
>                 && !ticketGrantingTicketId.equals(ticketGrantingTicketValueFromCookie)) {
>             this.centralAuthenticationService
>                 .destroyTicketGrantingTicket(ticketGrantingTicketValueFromCookie);
>         }
>
>         return success();
>     }
>
> I wonder if the multiple-tab issue is complicating matters such that
> the cookies of the closed tab aren't sent to the server upon
> reauthentication in the other tab. That's the only way I can explain
> the behavior you've noted. Can you capture the Web request traffic
> for the workflow you described above using a proxy or similar tool?
> We only need the headers for each request and response.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
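The behaviour the thread is arguing about, as an added illustration that is not code from the CAS project or from either poster: an in-memory model of a CAS server whose TGT records the services (keyed by the service ticket issued to each) belonging to a browser session, two CAS-protected "services" that keep sessions keyed by that service ticket, and the re-authentication step from SendTicketGrantingTicketAction (new TGT differs from the CASTGC cookie value, so the old TGT is destroyed). The single-sign-out message is the SAML LogoutRequest CAS posts to services, with the service ticket in SessionIndex; the class and function names, the two application names and the principals X and Y are all made up for the example, and no HTTP is actually sent.

```python
"""Toy model of CAS single sign-out (SLO) when a TGT is replaced for a new user.

Destroying a TGT without notifying the services registered on it leaves their
local sessions for the old user alive; sending each service CAS's SAML
LogoutRequest (SessionIndex = the service ticket it validated) lets it drop
that session.  Everything is simulated in memory: no network traffic occurs.
"""
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(service_ticket_id: str) -> str:
    """CAS side: the LogoutRequest posted to a service; SessionIndex carries the ST."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-{uuid.uuid4()}" '
        f'Version="2.0" IssueInstant="{now}">'
        f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
        f"<samlp:SessionIndex>{service_ticket_id}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def parse_session_index(logout_request_xml: str) -> str:
    """Service side: extract the SessionIndex (the ST) from a LogoutRequest."""
    root = ET.fromstring(logout_request_xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a SAML LogoutRequest")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    if idx is None or not idx.text:
        raise ValueError("LogoutRequest without SessionIndex")
    return idx.text.strip()


@dataclass
class ServiceApp:
    """A CAS-protected application keeping sessions keyed by the validated ST (hypothetical)."""
    name: str
    sessions: dict = field(default_factory=dict)   # service ticket -> principal

    def on_validated(self, service_ticket_id: str, principal: str) -> None:
        self.sessions[service_ticket_id] = principal

    def on_logout_request(self, logout_request_xml: str) -> None:
        self.sessions.pop(parse_session_index(logout_request_xml), None)

    def logged_in(self, principal: str) -> bool:
        return principal in self.sessions.values()


@dataclass
class TicketGrantingTicket:
    principal: str
    services: dict = field(default_factory=dict)   # service ticket -> ServiceApp


class CasServer:
    """Minimal stand-in for the CAS ticket registry (hypothetical, not the real API)."""

    def __init__(self) -> None:
        self.tgts: dict = {}

    def create_tgt(self, principal: str) -> str:
        tgt_id = f"TGT-{uuid.uuid4()}"
        self.tgts[tgt_id] = TicketGrantingTicket(principal)
        return tgt_id

    def grant_and_validate(self, tgt_id: str, app: ServiceApp) -> str:
        """Issue an ST for app, register it on the TGT, and let app validate it."""
        tgt = self.tgts[tgt_id]
        st_id = f"ST-{uuid.uuid4()}"
        tgt.services[st_id] = app
        app.on_validated(st_id, tgt.principal)
        return st_id

    def destroy_tgt(self, tgt_id: str, single_sign_out: bool) -> None:
        """Remove the TGT; with single_sign_out=True also notify every registered service."""
        tgt = self.tgts.pop(tgt_id, None)
        if tgt is None:
            return
        if single_sign_out:
            for st_id, app in tgt.services.items():
                app.on_logout_request(build_logout_request(st_id))


def reauthenticate_same_browser(single_sign_out: bool) -> dict:
    """X logs in and uses two apps; then Y authenticates in the same browser."""
    cas = CasServer()
    mail, wiki = ServiceApp("mail"), ServiceApp("wiki")
    cookie_tgt = cas.create_tgt("X")             # value of X's CASTGC cookie
    cas.grant_and_validate(cookie_tgt, mail)
    cas.grant_and_validate(cookie_tgt, wiki)

    new_tgt = cas.create_tgt("Y")                # Y authenticates, cookie still holds X's TGT
    if new_tgt != cookie_tgt:                    # the comparison in SendTicketGrantingTicketAction
        cas.destroy_tgt(cookie_tgt, single_sign_out)
    cas.grant_and_validate(new_tgt, mail)
    return {
        "X_still_in_mail": mail.logged_in("X"),
        "X_still_in_wiki": wiki.logged_in("X"),
        "Y_in_mail": mail.logged_in("Y"),
        "old_tgt_exists": cookie_tgt in cas.tgts,
    }
```

Calling `reauthenticate_same_browser(False)` reproduces what David describes: the old TGT is gone from the registry but both applications still hold live sessions for X. With `single_sign_out=True` the same re-authentication path posts a LogoutRequest per registered service ticket and X's sessions are dropped while Y's new session is untouched.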
