On 23/06/2011 18:04, Marvin Addison wrote:
>> Yes, I have only one servlet container. X509 certificate is not required but optional. After 6 months of experimentation in our service, it works as we expected :-). I've just tracked down why it triggers a new login, but I don't understand yet why it happens:
>>
>> I'm now hitting the logout page...
>>
>> WHO: audit:unknown WHAT: TGT-4-cGhcNvYZmjZCKIQRrvo4Pe0KlP7wu3lc7Pj5emDjLiKQXbYXsJ-dev.mydomain ACTION: TICKET_GRANTING_TICKET_DESTROYED
>> => Perfect
>> WHO: <DN of my certificate> WHAT: supplied credentials:<DN of my certificate> ACTION: AUTHENTICATION_SUCCESS
>> WHO: <DN of my certificate> WHAT: TGT-5-bjIrzp2Vo1ECysI3uJqLaZmzyvlElfIN7s6tsdIZAZdYn4aQNa-dev.mydomain ACTION: TICKET_GRANTING_TICKET_CREATED
>> => Hum, this is not what I intended to do!
>
> This likely happens because your logout URL is also under the same servlet container config that requests a client certificate. That's not enough to trigger the login Webflow in itself, but I would imagine that there is some resource that the browser is making a GET to such that the login Webflow is executing following the extraction of the cert by the container. That would meet the criteria for a non-interactive authentication, and generate a TGT as your audit logs indicate. The question remains about what, in particular, is triggering the login Webflow.

Browser: https://dev.miletrie.chl/cas/logout
Server: HTTP/1.1 200 OK, Set-Cookie: CASTGC=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/cas

OK that's fine :-)

Browser: https://dev.miletrie.chl/cas/js/common_rosters.js
Server: HTTP/1.1 302 Déplacé Temporairement, Location: https://dev.miletrie.chl/cas/login

Ahem... why this redirection?? Here it's triggering the login Webflow. I feel that I've a configuration issue somewhere...

From my computer, if I use wget to retrieve common_rosters.js, I get the same redirection.

> I would argue that every X.509 deployment should be configured with two ports, one that is configured to want or require a cert to support the login Webflow, and all other requests. We do this and it has worked exceptionally well.

Would a two-port configuration work with our current authentication scheme?
- First, CAS checks if a valid X509 certificate is provided by the client
- If not, a login/password is requested

If it's compatible, could you please be more explicit about the two-port configuration and the interactions between CAS, users and client services?
Rgds.
-- 
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel: 05.49.44.57.19
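The logout-followed-by-TGT-creation sequence visible in the audit excerpt above can be spotted mechanically in the audit log, which is useful both for confirming the problem on a test deployment and for catching it again after a configuration change. The Python below is an added example written for this thread, not code from CAS or from either correspondent. The audit lines it scans are constructed to mirror the WHO/WHAT/ACTION fields shown in the excerpt (ticket ids and the DN are made up); real CAS audit records carry further fields, in particular timestamps, which this example does not use, so it matches on event adjacency within a small window rather than on elapsed time.

```python
"""Scan CAS-style audit log lines for a TGT that is destroyed by a logout and
then immediately re-created by a non-interactive authentication (the pattern
discussed in the thread: logout -> AUTHENTICATION_SUCCESS -> new TGT)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the three fields shown in the thread's audit excerpt:
#   WHO: <principal> WHAT: <resource> ACTION: <action>
AUDIT_RE = re.compile(
    r"WHO:\s*(?P<who>.*?)\s+WHAT:\s*(?P<what>.*?)\s+ACTION:\s*(?P<action>\S+)"
)

# Constructed sample, modelled on the excerpt in the thread. Ticket ids and the
# DN are invented; a real CAS audit line also carries timestamp and IP fields.
SAMPLE_AUDIT = [
    "WHO: audit:unknown WHAT: TGT-4-aaaa-dev.example ACTION: TICKET_GRANTING_TICKET_DESTROYED",
    "WHO: CN=Constructed User,OU=Test WHAT: supplied credentials:CN=Constructed User,OU=Test ACTION: AUTHENTICATION_SUCCESS",
    "WHO: CN=Constructed User,OU=Test WHAT: TGT-5-bbbb-dev.example ACTION: TICKET_GRANTING_TICKET_CREATED",
    "WHO: CN=Constructed User,OU=Test WHAT: ST-1-cccc-dev.example ACTION: SERVICE_TICKET_CREATED",
]


@dataclass(frozen=True)
class AuditEvent:
    who: str
    what: str
    action: str


@dataclass(frozen=True)
class ReloginFinding:
    destroyed_tgt: str
    created_tgt: str
    principal: str


def parse_audit(lines: List[str]) -> List[AuditEvent]:
    """Extract (who, what, action) from each line; lines that do not carry
    the three fields (e.g. log framework noise) are skipped."""
    events = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            events.append(AuditEvent(m["who"].strip(), m["what"].strip(), m["action"]))
    return events


def find_relogin_after_logout(events: List[AuditEvent], window: int = 3) -> List[ReloginFinding]:
    """Report each TGT destruction that is followed, within `window` later
    events, by an AUTHENTICATION_SUCCESS and then a TICKET_GRANTING_TICKET_CREATED.
    The WHO of the destroy event is 'audit:unknown' in the thread's excerpt, so
    the principal is taken from the AUTHENTICATION_SUCCESS event instead."""
    findings = []
    for i, ev in enumerate(events):
        if ev.action != "TICKET_GRANTING_TICKET_DESTROYED":
            continue
        authenticated: Optional[str] = None
        for nxt in events[i + 1 : i + 1 + window]:
            if nxt.action == "AUTHENTICATION_SUCCESS":
                authenticated = nxt.who
            elif nxt.action == "TICKET_GRANTING_TICKET_CREATED" and authenticated is not None:
                findings.append(ReloginFinding(ev.what, nxt.what, authenticated))
                break
            elif nxt.action == "TICKET_GRANTING_TICKET_DESTROYED":
                break  # a later logout starts its own sequence
    return findings


if __name__ == "__main__":
    for f in find_relogin_after_logout(parse_audit(SAMPLE_AUDIT)):
        print(f"{f.destroyed_tgt} destroyed, then {f.created_tgt} created for {f.principal}")
```

Run against a real audit log, each finding is a logout that was silently undone by the container handing a client certificate to the login Webflow; once the two-port split Marvin describes is in place, the same scan should come back empty for logouts that are not followed by a deliberate new login.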
