Dear Mr. Marvin Addison, 1) Thanks for replying.
No disrespect was intended, truly. If I had new inputs, I'd gladly contribute. But please note solutions were already outlined: https://issues.jasig.org/browse/CAS-742 http://comments.gmane.org/gmane.comp.java.jasig.cas.devel/1495 2) Despite the weaknesses you (correctly!) mentioned, they're acceptable to some applications - depending on deployment & security requirements. They can be disabled by default - enabled only to those who explicitly configure them "at their own risk". 3) So please correct me if I'm wrong, but I felt it would be naive to "contribute" anything, because everything was already suggested and found "not critical enough" to change the code design. E.g. I wanted to override SimpleWebApplicationImpl and/or HttpClient - but I can't because they're "final", plus they're sometimes instantiated directly from the code (rather than Spring factories). This also happened to the guys in CAS-742. I could "contribute" a Spring FactoryBean.... but I don't believe the CAS experts are holding their breath for it... 4) Bottom line, I felt it's not delayed due to lack of contributors. But if you're in touch with people from the CAS team, and they can use a newbie who's willing to try and override SimpleWebApplicationImpl - I'd be glad (unfortunately I wouldn't dare mess with SAML or Google Accounts). Thanks again. ----- Original Message ----- From: Marvin Addison <[email protected]> To: [email protected] Cc: Sent: Sunday, December 9, 2012 3:41 PM Subject: Re: [cas-user] Single Sign Out - and load balancer > Would anyone please happen to know of patched to the CAS code - either > open-source or commercial - that solve this (e.g. implementing the CAS-742 > suggestion, to distinguish between "redirect" address and "logout > notification" address)? I developed a patch for this over a year ago, but apparently lost the source. I still have the VMs lying around where I did the QA work so maybe the source is on there. The OVA is available here: https://docs.google.com/open?id=0Bw8LSvcVZrEvWlUzTDdBX0hJbFU I had intended to provide this as a proof-of-concept for a VM-in-a-box solution for CAS, but haven't had the time to develop further. > Frankly I don't understand how CAS can be used so widely without solving such > a fundamental problem. In over a decade in IT, most of my applications were > load-balanced, and all of them had "logout". > > It simply doesn't make sense for developers to give up load balancing, or > give up "logout".... First, it's a hard problem and any solution has fundamental weaknesses. Please do some research on the many difficulties with distributed single sign-out; there are many discussions on this topic in the cas-user list archives as well as the Shibboleth user list. Second, work has clearly been done. I'd encourage you to spend some energy collaborating with our community to develop and test a solution that is suitable for general use. It's far more productive than lamenting lack of features. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
