Hi,

On Jun 3, 2011, at 1:57 PM, Madhavi Polisetty wrote:

> Hi Rhett,
> 
> Thanks a lot again for your answer. I was thinking of a similar implementation, 
> but I did not use PGTs at all. 
> 
> To be very honest, the concept of Proxy Granting Ticket is a little hazy to me. 
> Here is how I have my prototype configured and I plan on using the same in 
> PROD. Please let me know if you think I am missing something important here.
> 
> I configured the client to use the following filters in the order listed here
> 
> org.jasig.cas.client.session.SingleSignOutFilter (and its listener)
> org.jasig.cas.client.authentication.AuthenticationFilter
> org.jasig.cas.client.validation.Cas10TicketValidationFilter
> org.jasig.cas.client.util.HttpServletRequestWrapperFilter
> 
> So the only tickets I will ever request from the CAS server are TGT and ST. No 
> proxy tickets.
> 
> I only plan on authenticating to java web applications. All HTTP requests. 
> 
> It's almost like, I have APP1, APP2 and APP3. 
> 
> User can choose to access any one of these and from there he will have links 
> to jump between apps, in the same browser window (and/or child windows).
> 
> He closes the window, end of authenticated session. Did I miss anything 
> important here? Please let me know.
> 
> 
> My plan for implementing the original session timeout thing is as explained 
> below. 
> 
> I set the CAS TGT to time out in 20 mins.
> 
> Each of my APPS will also have a 20 mins timeout.
> 
> I will add a timestamp to the Assertion object that the client filter uses 
> from session. 
> 
> I will add an additional URI to the CAS server web app like "/cas/refreshtgt"
> 
> This will be mapped to a Handler (A new one) inside which I will just invoke 
> the TicketGrantingTicketImpl.updateState()
> 
> In the client filter, I will check if the Assertion is older than 17 minutes 
> or so. The 17 mins can be configurable
> 
> If it is, then I will make a redirect to CAS server "/cas/refreshtgt" to 
> update the TGT state. 

The thing to be careful with here is for requests you can't redirect back to -- 
i.e., POSTs -- and clients that can't or won't follow the redirect -- e.g., 
XMLHTTP calls. This is why our design uses PTs, even though it requires many 
more changes: the PT can be requested by the application on the user's behalf 
without a redirect. If you don't need to support these kinds of requests, 
though, then it sounds like you'll be fine.

> 
> The "/cas/refreshtgt" will ultimately redirect back to the original service 
> which will be passed in the URL as 
> "?service=http://myclient.com/fourthpage.jsp"
> 
> If this is the same design you are thinking of, since you said you completed 
> only the first part, I can share any parts of my code with you if you need 
> it. 

Our design is a bit different, so I don't think there will be anything to 
share. Thank you for the offer.

Rhett

> 
> Thank you,
> 
> Madhavi
> 
> 
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
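
The age check proposed in this thread, combined with the caveat about POSTs and XMLHTTP calls, could look like the servlet filter below. This is an added example, not code from either poster or from the CAS project. The class name, the session attribute name, the `cas.example.org` host and the `X-Requested-With` heuristic are assumptions, and `/cas/refreshtgt` is the custom endpoint proposed above, not a stock CAS URL.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter; map it after the CAS validation filter in web.xml. */
public class TgtRefreshFilter implements Filter {
    // Assumed names: our own session attribute and the custom endpoint from the thread.
    static final String LAST_REFRESH = "tgtLastRefreshMillis";
    static final String REFRESH_URL = "https://cas.example.org/cas/refreshtgt";
    static final long THRESHOLD_MILLIS = 17 * 60 * 1000L; // 17 of the 20 minutes

    /** Only a plain GET navigation can be bounced through CAS and replayed intact. */
    static boolean canRedirect(String method, String xRequestedWith) {
        // X-Requested-With is a convention set by common AJAX libraries, not a guarantee.
        boolean ajax = "XMLHttpRequest".equalsIgnoreCase(xRequestedWith);
        return "GET".equalsIgnoreCase(method) && !ajax;
    }

    static boolean isStale(long lastRefresh, long now) {
        return now - lastRefresh >= THRESHOLD_MILLIS;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        long now = System.currentTimeMillis();
        if (session != null) {
            Long last = (Long) session.getAttribute(LAST_REFRESH);
            if (last == null) {
                session.setAttribute(LAST_REFRESH, now); // first request seen in this session
            } else if (isStale(last, now)
                    && canRedirect(req.getMethod(), req.getHeader("X-Requested-With"))) {
                session.setAttribute(LAST_REFRESH, now); // reset first so we cannot loop
                StringBuffer back = req.getRequestURL();
                if (req.getQueryString() != null) back.append('?').append(req.getQueryString());
                res.sendRedirect(REFRESH_URL + "?service="
                        + URLEncoder.encode(back.toString(), "UTF-8"));
                return;
            }
            // Stale POST or AJAX request: let it through; the next GET performs the refresh.
        }
        chain.doFilter(rq, rs);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

The server-side handler should redirect back only to a `service` URL that matches a registered service, since it is otherwise an open redirect. A session that issues only POST or AJAX requests for the last three minutes never gets refreshed by this filter.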

