> Any thoughts, Scott/Andrew?

I think it is best to use a client library for CAS integration.

> may need to add manual login to my webapp (meaning, not use the web.xml
> method or jsp tag library)

Why? Assuming this is a Java web application, in what way is the CASFilter
not sufficient?

> Basically, I want to make sure that whether the user goes to Page2 via Page1
> or directly, he is always going to be authenticated.
> So, here is the logic that EVERY page executes:
>
>   [
>     Get ticket parameter
>     if ticket is null
>       redirect to CAS login with renew=FALSE
>     Get ticket parameter
>     validate ticket
>     if user is authenticated
>       display page
>     else
>       redirect to CAS with renew=TRUE
>   ]

You can look at the CASFilter for an outline of the desired logic here.

If you want to "bounce the user off of CAS" on every page click, this logic
at the top of every page does it:

  [
    Get ticket parameter
    if ticket is null
      redirect to CAS login with service={the page's URL}
    validate ticket
    if ticket validates
      display page appropriate to user authenticated by ticket
    else
      redirect to CAS with service={the page's URL}&renew=true
  ]

If you don't want to use CAS's "renew" feature, you needn't specify
renew=false, you can just omit the parameter.

The renew=true on that last redirect is useful for avoiding an infinite loop
of redirecting back and forth between CAS and your application with CAS
issuing tickets that then fail to validate, e.g. because your app is
misconfigured as to validation URL.

You don't need to use CAS's "renew" feature to get a valid ticket, you only
need to use it if you want to ensure that the user strongly authenticated
(typically, typed in password) in order to access your page. Using the
"renew" feature in an application that gets and validates a new ticket on
every page access yields an annoying user experience of constantly having to
type the password.

CAS is an authenticated session broker, not an authenticated session manager.
Which is to say, CAS is the trusted intermediary whereby a user establishes an
authenticated session with your application. Your application is then
intended to carry forward that authenticated session, managing it however it
needs to be managed. Your application is intended to recognize the
authenticated user on subsequent requests after initial CAS authentication is
established. If you follow this practice, then the logic is more like:

  [
    Check for authenticated username in the session
    If username found
      display page appropriate to authenticated user
    Get ticket parameter
    if ticket is null
      redirect to CAS login with service={the page's URL}
    validate ticket
    if ticket validates
      store authenticated username into session
      display page appropriate to user authenticated by ticket
    else
      redirect to CAS with service={the page's URL}&renew=true
  ]

> If there is no ticket and I redirect to CAS with renew=false, I will be
> REQUIRED to login - is that a correct statement?

Probably not the way you mean. If you redirect to CAS and do not specify
renew=true, CAS will look for a secure SSO session cookie ("ticket granting
ticket") in the web browser request. If it is present and valid, CAS will
issue a service ticket on that basis and redirect back to your application
without displaying a login user experience. If you specify renew=true on the
request, then CAS will present the login form regardless of the presence of a
valid ticket granting ticket.

Andrew
http://support.unicon.net/

webzo wrote:
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
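
The session-broker logic Andrew lays out above (check the session first, then
the ticket, then bounce to CAS, with renew=true only on the failure path), as
an added example that is not part of the original post and is not code from
the Yale CAS client or its CASFilter. It is written in Python rather than as a
Java servlet filter so the decision logic can be exercised offline. Everything
named here is assumed for illustration: the Request and Outcome records, the
CAS server URL, the session key, and a `validate` callable standing in for the
HTTPS call to the CAS /serviceValidate endpoint. The sample tickets and the
two /serviceValidate responses are constructed for the demo.

```python
"""Per-request CAS logic, modelled as a pure function (added example; not the
Yale CAS client's code). Names, URLs and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_LOGIN_URL = "https://cas.example.edu/cas/login"   # assumed CAS server
SESSION_USER_KEY = "cas.authenticated.username"        # assumed session key


@dataclass
class Request:
    page_url: str                 # the page's own URL, without the ticket param
    ticket: Optional[str]         # value of the ?ticket= parameter, if any
    session: dict = field(default_factory=dict)


@dataclass
class Outcome:
    action: str                   # "display" or "redirect"
    username: Optional[str] = None
    location: Optional[str] = None


def login_redirect(page_url: str, renew: bool = False) -> str:
    """Build the CAS login URL. renew is omitted unless it is really wanted:
    renew=true forces the login form even when a valid TGT cookie exists."""
    params = {"service": page_url}
    if renew:
        params["renew"] = "true"
    return f"{CAS_LOGIN_URL}?{urlencode(params)}"


def parse_service_validate(xml_text: str) -> Optional[str]:
    """Parse a CAS 2.0 /serviceValidate response: the username on
    <cas:authenticationSuccess>, None on <cas:authenticationFailure>."""
    ns = {"cas": "http://www.yale.edu/tp/cas"}
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", ns)
    return user.text.strip() if user is not None and user.text else None


def handle_request(req: Request,
                   validate: Callable[[str, str], Optional[str]]) -> Outcome:
    """The third bracketed block in the reply: session, then ticket, then CAS."""
    # 1. Session broker, not session manager: a user already authenticated
    #    is recognised from the application's own session, no CAS round trip.
    user = req.session.get(SESSION_USER_KEY)
    if user:
        return Outcome("display", username=user)
    # 2. No ticket: send the user to CAS with service={page URL}. No renew,
    #    so a valid TGT cookie yields a ticket without showing the login form.
    if not req.ticket:
        return Outcome("redirect", location=login_redirect(req.page_url))
    # 3. Validate the ticket for *this* service URL. It must be the same URL
    #    sent in the login redirect, or CAS rejects the ticket.
    user = validate(req.ticket, req.page_url)
    if user:
        req.session[SESSION_USER_KEY] = user
        return Outcome("display", username=user)
    # 4. Ticket failed to validate: renew=true so a misconfigured service URL
    #    cannot loop forever between CAS issuing tickets and the app rejecting them.
    return Outcome("redirect",
                   location=login_redirect(req.page_url, renew=True))


# --- constructed sample data for an offline walkthrough ---------------------
SAMPLE_SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>casuser</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
PAGE2 = "https://app.example.edu/page2"


def fake_validate(ticket: str, service: str) -> Optional[str]:
    """Stand-in for the HTTPS call to CAS: only ST-1 issued for PAGE2 is good."""
    good = ticket == "ST-1" and service == PAGE2
    return parse_service_validate(SAMPLE_SUCCESS_XML if good else SAMPLE_FAILURE_XML)


def walkthrough() -> list:
    """Page2 reached directly: bounce to CAS, return with a ticket, revisit,
    then a bad ticket with no session."""
    session: dict = {}
    steps = [
        handle_request(Request(PAGE2, None, session), fake_validate),    # -> CAS
        handle_request(Request(PAGE2, "ST-1", session), fake_validate),  # validated
        handle_request(Request(PAGE2, None, session), fake_validate),    # from session
        handle_request(Request(PAGE2, "ST-bogus", {}), fake_validate),   # renew=true
    ]
    return [s.action + ":" + (s.username or s.location) for s in steps]


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

The third request in the walkthrough never touches CAS: the username stored
in the application's session is enough, which is the "broker, not manager"
point. The check a practitioner should keep in mind is step 3: the service URL
handed to /serviceValidate has to match the one sent on the login redirect
byte for byte, and a mismatch there is exactly the redirect loop that the
renew=true on the failure path is meant to break.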
