On 9/13/2013 6:25 AM, Marvin S. Addison wrote:
> I would exercise caution with this approach. CAS natively employs attribute caching; attributes are only fetched on user authentication, so attributes are naturally cached for the duration of the SSO session.
Ah, I did not realize that the attributes were cached with the TGT. That does indeed make caching attributes at the persondir level much less necessary.
> In most cases that's at least once per day which is arguably too long for certain kinds of authorization data.
Yes, I'll have to mention this to our security group to take into account when deciding how long a TGT should last. It would be nice to have a feature that would not require the user to re-authenticate but would refresh their attributes more frequently (I'd probably go with hourly).
> That said, we use Ehcache in a custom attribute resolver to cache attributes during the authentication pipeline.
I'm already using ehcache to replicate tickets between load balanced servers. While I might end up not implementing caching for the LDAP queries, could I trouble you to share your configuration if only so I can understand how it's supposed to work :)?
> I'm going to go on record and say I hate Person Directory. The only way I figure things out is by reviewing source:
I can't say I'm very fond in general of the Java XML bean configuration methodology 8-/, it makes my head hurt :(.
Thanks much for the information...

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768
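The thread above turns on one point: attributes cached for the whole SSO session can be stale for authorization decisions, so a separate cache in the attribute pipeline is only worth having if its lifetime is bounded independently of the TGT. The following is an added illustration, not Marvin's resolver or any CAS or Person Directory code: a small Ehcache 2.x wrapper that fronts an arbitrary attribute lookup (the `AttributeSource` interface, the `LdapBackedSource` stub and the `uid` keys are all assumed for the example) with a time-to-live of one hour, the refresh interval Paul mentions. After the TTL elapses the next lookup goes back to the directory, so a group removal or account flag propagates within an hour even though the user's TGT may live for a day.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Element;
import net.sf.ehcache.config.CacheConfiguration;

/** Hypothetical attribute lookup contract; stands in for a real LDAP/Person Directory DAO. */
interface AttributeSource {
    Map<String, List<Object>> fetch(String uid);
}

/**
 * Caching decorator around an AttributeSource. Entries expire after ttlSeconds
 * regardless of how long the user's SSO session lasts, so authorization data
 * is re-read from the directory at that interval without re-authentication.
 */
class TtlCachingAttributeSource implements AttributeSource {
    private final AttributeSource delegate;
    private final Cache cache;

    TtlCachingAttributeSource(AttributeSource delegate, CacheManager manager,
                              String cacheName, long ttlSeconds, int maxEntries) {
        this.delegate = delegate;
        // Ehcache 2.x programmatic configuration: bounded heap size, fixed TTL,
        // no idle-based extension (timeToIdleSeconds left at 0) so a hot user
        // still gets refreshed on schedule.
        CacheConfiguration cfg = new CacheConfiguration(cacheName, maxEntries)
                .eternal(false)
                .timeToLiveSeconds(ttlSeconds);
        this.cache = new Cache(cfg);
        manager.addCache(this.cache);
    }

    @Override
    @SuppressWarnings("unchecked")
    public Map<String, List<Object>> fetch(String uid) {
        Element hit = cache.get(uid);
        if (hit != null) {
            return (Map<String, List<Object>>) hit.getObjectValue();
        }
        Map<String, List<Object>> attrs = delegate.fetch(uid);
        if (attrs != null) {
            // Cache an unmodifiable copy so callers cannot mutate the shared entry.
            cache.put(new Element(uid, Collections.unmodifiableMap(new HashMap<>(attrs))));
        }
        return attrs;
    }

    /** Force a refresh for one user, e.g. from an admin hook after a group change. */
    public void evict(String uid) {
        cache.remove(uid);
    }
}

/** Stub standing in for the LDAP-backed source; counts calls so refresh behaviour is visible. */
class LdapBackedSource implements AttributeSource {
    int calls = 0;

    @Override
    public Map<String, List<Object>> fetch(String uid) {
        calls++;
        Map<String, List<Object>> attrs = new HashMap<>();
        attrs.put("uid", Collections.singletonList(uid));
        attrs.put("memberOf", Arrays.asList("cn=staff,ou=groups", "cn=vpn-users,ou=groups"));
        return attrs;
    }
}

public class AttributeCacheDemo {
    public static void main(String[] args) {
        CacheManager manager = CacheManager.create();
        LdapBackedSource ldap = new LdapBackedSource();
        // One-hour TTL, at most 10,000 cached users (constructed values for the demo).
        AttributeSource cached = new TtlCachingAttributeSource(ldap, manager, "userAttributes", 3600L, 10000);

        cached.fetch("henson");
        cached.fetch("henson");
        System.out.println("directory calls after two lookups: " + ldap.calls); // 1: second lookup served from cache

        ((TtlCachingAttributeSource) cached).evict("henson");
        cached.fetch("henson");
        System.out.println("directory calls after evict + lookup: " + ldap.calls); // 2: refreshed from directory

        manager.shutdown();
    }
}
```

If this were wired into CAS, the decorator would sit between the attribute resolver and the LDAP DAO, and the TTL should be chosen together with the TGT lifetime: the cache TTL is the upper bound on how stale authorization attributes can be for a user who never re-authenticates, so it, rather than the TGT timeout, is the number to agree on with the security group.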
