> I have two spring security based web applications that both use cas to
> provide authentication against an open ldap identity store.
>
> If a user logs into application 1 (App1) and follows a link to application 2
> (App2) the following takes place:
>
> - Spring (in App1) will call the cas login url initially, the user will provide
> credentials, these will be authenticated, a TGT Cookie will be set, a new ST
> will be validated in a call back to the cas server and a Spring Security session
> established in App1.
>
> - Upon linking to App2, Spring (in App2) will call the cas login url, the TGT
> Cookie will be presented to cas, a new ST will be returned then validated on
> call back and a Spring Security session established in App2.
>
> Assuming the TGT Cookie expiration policy is 30 minutes of inactivity and the
> http session inactivity timeout on both apps is 30 minutes, if the user spends
> 1 hour using App2 then clicks a link back to App1 the Spring Security session
> will no longer be there in App1 causing the cas login url to be called - as the
> TGT cookie has also expired a login page will be presented to the user.
>
> Is this correct?

I believe that this is correct.

>
> Assuming it is, then in my situation this is undesirable as the user is led to
> believe that they have been actively using a global id and should not have
> timed out (especially if branding indicates both apps are part of the same
> whole).
>
> What possible strategies are there to keep the TGT Cookie "fresh"?
> I understand that to a large extent this is not really the responsibility of cas
> but I would be interested in any thoughts anyone might be able to
> contribute. I'm hoping I have explained my situation reasonably and this is not
> too stupid a question.

Here is a very raw suggestion that might not be ideal: If you control the
applications, you can have the applications pop a window that accesses a CAS
protected URI that is outside the scope of the application session. This will
force the browser back to CAS to get an ST. The target could be javascript
that just closes the window.

>
> Thanks in anticipation.

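The approach in the reply above (periodically sending the browser through CAS so the TGT's inactivity clock is reset) can be wired up client-side. The block below is an added example, not code from the thread, CAS or Spring Security. It assumes a CAS-protected keepalive resource (placeholder `CAS_KEEPALIVE_URL`) that sits outside the application's own HTTP session, so every load of it goes via CAS, which sees the TGT cookie and issues a fresh ST; it also assumes that issuing an ST counts as "use" under the CAS TGT inactivity policy. It loads that URL in a hidden iframe instead of a popup, and it only pings while the user has actually been active, so a genuinely idle user still times out rather than the keepalive silently defeating the inactivity policy. `simulate()` replays the thread's scenario offline with an injected clock and loader.

```javascript
// Added example: browser-side CAS TGT keepalive that only acts on real user
// activity. CAS_KEEPALIVE_URL is a placeholder, not a URL from the thread.
const TGT_TIMEOUT_MS = 30 * 60 * 1000;            // CAS TGT inactivity policy (30 min in the thread)
const CAS_KEEPALIVE_URL = "https://app1.example.invalid/cas-keepalive"; // assumed CAS-protected, outside app session

// Default loader for a real browser: the hidden iframe follows the redirect to
// CAS and back, which is where the TGT cookie gets presented and a new ST issued.
function iframeLoader(url) {
  const frame = document.createElement("iframe");
  frame.style.display = "none";
  frame.src = url;
  document.body.appendChild(frame);
  frame.addEventListener("load", () => frame.remove());
}

// Clock and loader are injectable so the logic can be tested offline or swapped
// for the popup-window variant suggested in the reply. A ping is sent at most once
// per refreshEvery ms, and only if the user was active since the previous ping.
function createTgtKeepalive({
  url = CAS_KEEPALIVE_URL,
  tgtTimeoutMs = TGT_TIMEOUT_MS,
  refreshEvery = Math.floor(tgtTimeoutMs / 2),   // well inside the TGT window
  load = iframeLoader,
  now = () => Date.now(),
} = {}) {
  let lastPing = now();       // creation time stands in for the original CAS login
  let lastActivity = lastPing;
  let pings = 0;

  return {
    recordActivity() { lastActivity = now(); },
    // Call periodically (e.g. from setInterval). Returns true if a ping was sent.
    tick() {
      const t = now();
      const activeSincePing = lastActivity > lastPing;
      const due = t - lastPing >= refreshEvery;
      if (activeSincePing && due) {
        load(url);
        lastPing = t;
        pings += 1;
        return true;
      }
      return false;
    },
    pingCount() { return pings; },
    // Model of the CAS side: TGT is alive while its last use is within the policy window.
    tgtAlive() { return now() - lastPing < tgtTimeoutMs; },
  };
}

// Browser wiring, guarded so the file also loads under Node.
if (typeof window !== "undefined") {
  const ka = createTgtKeepalive();
  ["click", "keydown", "mousemove"].forEach((ev) =>
    window.addEventListener(ev, () => ka.recordActivity()));
  window.setInterval(() => ka.tick(), 60 * 1000);
}

// Offline replay of the thread's scenario: the user works in App2 for
// totalMinutes (active for the first activeMinutes), then links back to App1.
// Returns how many keepalive pings fired and whether the TGT is still alive.
function simulate({ keepalive, totalMinutes = 60, activeMinutes = totalMinutes }) {
  let clock = 0;
  const loaded = [];
  const ka = createTgtKeepalive({ load: (u) => loaded.push(u), now: () => clock });
  for (let m = 0; m < totalMinutes; m += 1) {
    clock = m * 60 * 1000;
    if (m < activeMinutes) ka.recordActivity();   // constructed activity pattern
    if (keepalive) ka.tick();                     // the once-a-minute timer above
  }
  clock = totalMinutes * 60 * 1000;               // the moment the App1 link is clicked
  return { pings: loaded.length, tgtAlive: ka.tgtAlive() };
}
```

Without the keepalive, an hour in App2 leaves the TGT expired and App1 shows the login page, as the original post describes; with it, three pings (at 15, 30 and 45 minutes) keep the TGT alive. A user who goes idle after ten minutes gets one ping and then times out as the policy intends. The keepalive URL must really be outside App2's session filter, otherwise the iframe is served from App2's own session and never reaches CAS.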