> Just to check my understanding since this is all new and a bit out of my
> comfort zone, this strategy basically amounts to building a custom
> ExpirationPolicy, and in this customization querying ThreadLocal

Yes.  The actual code might look like the following:

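    public boolean isExpired(final TicketState ticketState) {
        // Start from the default timeout; use the other one for trusted addresses.
        int timeout = this.defaultTimeOut;
        // ClientInfoHolder reads the per-request, thread-local client info.
        if (isTrusted(ClientInfoHolder.getClientInfo().getClientIpAddress())) {
            timeout = this.trustedTimeOut;
        }
        // Expired once the idle time (in milliseconds) reaches the timeout.
        return System.currentTimeMillis() - ticketState.getLastTimeUsed() >= timeout;
    }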

The ClientInfoHolder class takes care of the thread-local stuff
provided you have the servlet filter set up properly.  The following
filter (and corresponding filter-mapping) snippet you cited is the
correct one for that functionality:

> <filter>
>    <filter-name>CAS Client Info Logging Filter</filter-name>
>    <filter-class>com.github.inspektr.common.web.ClientInfoThreadLocalFilter</filter-class>
>    <init-param>
>      <param-name>alternativeIpAddressHeader</param-name>
>      <param-value>X-Forwarded-For</param-value>
>    </init-param>
> </filter>

> On that note, is it right to assume that my setting of
> alternativeIpAddressHeader will be sufficient to get the *actual*
> IpAddress

Guess that depends on what "actual" means to you and your load
balancer behavior.  Hopefully your load balancer doesn't modify source
IP addresses, but if it does, hopefully it makes it available via
some other means.  In the configuration above, the assumption is that
the modified source is made available in the X-Forwarded-For header
(assuming the packet is an HTTP packet; note this won't work for HTTPS
packets).  You'll have to know the details of how your load balancer
works in order to get that working properly in any case; you may be
limited by ClientInfoThreadLocalFilter since it can only look at HTTP
headers as an alternative to using the IP address of the
underlying socket.

> Oh, and on a mostly unrelated note (perhaps suited for a new thread, but
> minor enough, probably)

Let's get that on another thread as you suggested and discuss further.
IIRC squirrelmail comes up from time to time, so making your work
generally available may be beneficial to others.

M
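
One way the trust decision behind the expiration policy above could be made when the address arrives in X-Forwarded-For, as an added example that is not code from this thread, CAS or Inspektr: the header is honoured only when the socket peer is a known load balancer, and the rightmost non-proxy hop is used. The class name, the two-argument `isTrusted` signature and both address ranges are assumptions (constructed sample values); it handles IPv4 only and assumes the load balancer appends the peer address to the header.

```java
import java.util.List;

public final class TrustedClientCheck {
    // Constructed sample ranges (assumptions): load balancers and trusted clients.
    static final List<String> PROXIES = List.of("10.0.0.0/24");
    static final List<String> TRUSTED = List.of("192.0.2.0/24");

    // Parses a dotted-quad literal without any DNS lookup; -1 if malformed.
    static long ipv4(String s) {
        String[] parts = s.trim().split("\\.", -1);
        if (parts.length != 4) return -1;
        long value = 0;
        for (String p : parts) {
            if (!p.matches("\\d{1,3}") || Integer.parseInt(p) > 255) return -1;
            value = (value << 8) | Integer.parseInt(p);
        }
        return value;
    }

    // True when ip is a valid IPv4 literal inside one of the CIDR blocks.
    static boolean inAny(String ip, List<String> cidrs) {
        long addr = ipv4(ip);
        for (String cidr : cidrs) {
            String[] c = cidr.split("/");
            int bits = Integer.parseInt(c[1]);
            long mask = bits == 0 ? 0 : (0xFFFFFFFFL << (32 - bits)) & 0xFFFFFFFFL;
            if (addr >= 0 && (addr & mask) == (ipv4(c[0]) & mask)) return true;
        }
        return false;
    }

    // Socket peer, unless the peer is a known proxy: then the rightmost
    // X-Forwarded-For hop that is not itself a proxy.
    static String clientAddress(String peer, String forwardedFor) {
        if (forwardedFor == null || !inAny(peer, PROXIES)) return peer;
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (ipv4(hop) < 0) return peer;      // malformed hop: fall back to peer
            if (!inAny(hop, PROXIES)) return hop;
        }
        return peer;
    }

    static boolean isTrusted(String peer, String forwardedFor) {
        return inAny(clientAddress(peer, forwardedFor), TRUSTED);
    }
}
```

With these sample ranges, a header value is used only for requests whose peer is in `PROXIES`; for any other peer the socket address decides, so the longer timeout is never granted on the strength of the header alone.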
