Hi, I'd appreciate feedback on an idea of mine - does anyone see pitfalls or security risks? Basically, my business application wants to know when logouts occur (Java Single Sign Out Filter). This registration usually occurs when issuing the ServiceTicket - but I wanted to move it to the Ticket Validation stage.

In detail, we ran into a sign-out problem when the business application is clustered behind a load balancer: http://comments.gmane.org/gmane.comp.java.jasig.cas.devel/1495

To recap, CAS sends a logout notification to the external address of the business application (the "service" param from "/cas/login?SERVICE=..."), which is useless behind a Load Balancer: the notification doesn't go to the machine that wanted it, but rather to some random machine selected by the LB.

Now, I don't like the common workaround of data replication (e.g. JBoss Cache). It's hard on performance / maintenance. Instead, I wanted to move registration to the Validation stage. My code changes are:

1) When a business machine validates a ServiceTicket (Cas20ProxyReceivingTicketValidationFilter), it sends an extra custom parameter, representing the internal IP of this business machine
2) When the CAS server receives such a validation request, it keeps track of this internal IP (in some data structure that associates it with the Service Ticket)
3) When logout occurs, a notification is sent to those registered IPs (in CAS HttpClient)

This code worked for me on a basic sanity check, and I know other SSO products that use a similar approach. But I'd really appreciate opinions or warnings on it. I keep wondering why this approach isn't commonly used - is there anything wrong with it?

Thanks :)
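A small model of the three steps above, added here as an illustration and not code from the post's author or from CAS itself. It is written in Python rather than Java to keep it self-contained; the function names (`register_callback`, `notify_logout`), the parameter name `callbackAddress`, the internal address ranges and the ticket ids are all constructed for the example. The one thing it adds beyond the post's description is the check a server should do before trusting a client-supplied callback address: the address is accepted only if it is a literal IP inside an internal range, since otherwise any holder of a valid service ticket could make the server's HttpClient send requests to a host of the client's choosing.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed policy: only addresses inside these internal ranges may be
# registered as logout-notification targets. A real deployment would load
# this from configuration.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed registry (step 2): service ticket id -> set of callback URLs.
# In a real server this lives alongside the ticket registry entry.
_callbacks = defaultdict(set)

# Constructed sink that stands in for CAS HttpClient (step 3).
_sent = []


def is_internal(url):
    """True only if the URL's host is a literal IP inside INTERNAL_RANGES.
    Hostnames are rejected so the check cannot be bypassed via DNS."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def register_callback(ticket_id, callback_url):
    """Step 1/2: called while validating a ServiceTicket, with the value of
    the (assumed) 'callbackAddress' parameter. Returns True if accepted."""
    if not callback_url.startswith(("http://", "https://")):
        return False
    if not is_internal(callback_url):
        return False
    _callbacks[ticket_id].add(callback_url)
    return True


def notify_logout(ticket_id, send=lambda url, body: _sent.append((url, body))):
    """Step 3: fan the logout notification out to every node that registered
    for this ticket, then drop the registration. Returns the targets used.
    The body is a constructed placeholder, not the real CAS logout payload."""
    targets = sorted(_callbacks.pop(ticket_id, set()))
    for url in targets:
        send(url, {"logoutRequest": ticket_id})
    return targets


if __name__ == "__main__":
    # Constructed walk-through: two cluster nodes register, one outsider is refused.
    print(register_callback("ST-1", "http://10.1.2.3:8080/app/"))   # True
    print(register_callback("ST-1", "http://10.1.2.4:8080/app/"))   # True
    print(register_callback("ST-1", "http://203.0.113.5/app/"))     # False
    print(notify_logout("ST-1"))
```

The allow-list check is the part worth keeping whatever the surrounding design: once the callback target comes from the request rather than from the registered service URL, the server is the only place that can bound where it will send traffic.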
