Hi,

I'm trying out a patch/workaround, and would appreciate any opinions on it, 
please :)

The issue is single-sign-out when the business application (say "salaries") is 
clustered behind a load balancer:
http://jasig.275507.n4.nabble.com/single-sign-out-problem-in-clustered-environment-td2996758.html
To recap, CAS attempts to notify the business application, so as to invalidate 
the http session. Unfortunately, CAS sends this "logout message" to the service 
originally requested by the browser (as in 
"/cas/login?SERVICE=http://salaries"), which is useless, because it just goes 
to some random machine selected by the load balancer, not necessarily the one 
that holds this user's http session.

Now, I don't like the common workaround of replicating data (e.g. JBoss Tree 
Cache - I don't like the overhead in maintenance + performance). 
So I'm trying a different workaround: having the business application register 
during TicketValidation.
So my patch is:

1- In the business application, I changed 
Cas20ProxyReceivingTicketValidationFilter so that when it asks CAS for ticket 
validation, it will pass an extra (custom) parameter with the *internal* 
address of this business server.

2- On the CAS server side, I changed ServiceValidateController so as to read 
this extra parameter, and maintain a data structure to associate serviceTicket 
with all internal business machines that use it (= asked to validate it).

3- Then I changed CAS HttpClient, which sends out those logout notifications.
Naturally, given a serviceTicket it consults the above data structure to see 
which internal business machines should be notified.

It seems to work on a simple "sanity check", and I also know other SSO products 
that use this approach.
But I'd appreciate opinions - does anyone see design flaws, security risks, etc?
Thanks very much :)
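The three steps above, modelled as a small Python toy. This is an added example, not the poster's patch and not CAS/Jasig code; it stands in for the Java classes named in the post (ServiceValidateController, HttpClient) rather than reproducing them. The names `TicketRegistry`, `internal_address`, the `.internal` host suffix and the constructed node URLs are all assumptions. The one thing it adds beyond the post is the check a reviewer would ask for: the extra parameter is only honoured when validation actually succeeds and the address looks like a cluster node, so a failed validation cannot register logout targets, and CAS's logout HttpClient cannot be pointed at an arbitrary address.

```python
"""Toy model of the single-sign-out workaround described in the post.

Added example, not the poster's patch and not CAS/Jasig code.  Step 2's
registry (serviceTicket -> internal node addresses) and step 3's fan-out
are kept; the Java classes the post names are replaced by Python.
"""
from __future__ import annotations

import secrets
from urllib.parse import urlparse

# Assumption: only hosts under this suffix count as internal cluster nodes.
# Without such a check, anyone who can validate a ticket could register
# an arbitrary address as a logout target.
INTERNAL_HOST_SUFFIX = ".internal"


def is_internal_node_url(url: str) -> bool:
    """True if url is an http(s) URL whose host is an internal cluster node."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.endswith(INTERNAL_HOST_SUFFIX)


class TicketRegistry:
    """Service tickets plus the internal nodes that validated each one (assumed name)."""

    def __init__(self) -> None:
        self._issued_for: dict[str, str] = {}   # ticket -> service URL from /cas/login
        self._nodes: dict[str, set[str]] = {}   # ticket -> internal addresses (step 2)

    def issue(self, service: str) -> str:
        """Issue a service ticket for the service the browser originally requested."""
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._issued_for[ticket] = service
        return ticket

    def validate(self, ticket: str, service: str,
                 internal_address: str | None = None) -> bool:
        """Validate a ticket; on success, record the node that asked (step 1's parameter).

        The extra parameter is only honoured after a successful validation and
        only for an internal-looking address.  Real CAS consumes a service
        ticket on first validation; this toy allows repeats for simplicity.
        """
        if self._issued_for.get(ticket) != service:
            return False
        if internal_address is not None:
            if not is_internal_node_url(internal_address):
                raise ValueError(f"refusing non-internal address: {internal_address}")
            self._nodes.setdefault(ticket, set()).add(internal_address)
        return True

    def logout_targets(self, ticket: str) -> list[str]:
        """Addresses the logout message should go to for this ticket (step 3).

        Registered internal nodes win; otherwise fall back to the service URL
        from the original login, which is what stock CAS does.
        """
        nodes = self._nodes.get(ticket)
        if nodes:
            return sorted(nodes)
        service = self._issued_for.get(ticket)
        return [service] if service else []


def logout_request_xml(ticket: str) -> str:
    """Simplified form of the CAS logout notification: the ticket is the SessionIndex."""
    return (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="{secrets.token_hex(8)}" Version="2.0">'
        f"<samlp:SessionIndex>{ticket}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def single_sign_out(registry: TicketRegistry, ticket: str) -> dict[str, str]:
    """Fan the logout message out to every node that holds a session for this ticket."""
    message = logout_request_xml(ticket)
    return {target: message for target in registry.logout_targets(ticket)}


if __name__ == "__main__":
    reg = TicketRegistry()
    st = reg.issue("http://salaries")
    # Constructed: two cluster nodes behind the load balancer validate the ticket.
    reg.validate(st, "http://salaries", "http://salaries-1.internal:8080")
    reg.validate(st, "http://salaries", "http://salaries-2.internal:8080")
    for target in single_sign_out(reg, st):
        print("notify", target)
```

The fallback in `logout_targets` keeps the stock behaviour for services that never send the extra parameter, so the change is opt-in per application; the suffix check is a stand-in for whatever allow-list the deployment actually has for its cluster nodes.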