I used the following approach to handle the logout issue. Seems to be working fairly well.
FOR PAGES THAT REQUIRE THE USER TO BE LOGGED IN:

1. First check to see if a ticket is part of the request. If no, go to step 2. If yes, go to step 3.
2. The ticket is not part of the request, redirect to the CAS Login URL. Skip remaining steps.
3. The ticket is part of the request, so validate it. If not valid, go to step 4. If valid, go to step 5.
4. The ticket is not valid or expired, throw JspTagException. Skip remaining steps.
5. The ticket is valid, get the netID.
6. Check to see if a LOGIN_BEAN exists in the HTTP session with the same netID. If yes, skip remaining steps.
7. Get user details from the database using netID. Create a LOGIN_BEAN and add it to the session.

ON LOGOUT: Remove TGT and invalidate the session.

There is however one small issue that I am faced with. There are pages that do not necessarily require the user to be logged in. However, the amount of information that is displayed on the page would be dependent on whether the user is logged in or not. For such pages, how do I check if the user is still logged in? Checking for the LOGIN_BEAN in the session is not the right solution. I would like to be able to enquire of the CAS server whether the TGT still exists or the Single Sign On session is still valid.

Please advise.

Thanks,
Kristin

On Nov 12, 2007 12:09 PM, Kristin Coles <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I have written a custom CAS client tag library (based on the original
> Yale CAS Java client) and it works great. (Thanks to the emails in the
> mailing list archive and the helpful documentation written about CAS
> clients).
>
> Whenever a user visits a domain, my custom CAS client checks to see
> if the LOGIN_BEAN exists in the HTTP session. If it exists, the user
> is assumed to be logged in. If it does not, the client checks to see
> if there is a ticket associated with the request. If a ticket exists,
> the ticket is validated and LOGIN_BEAN added to the session. If the
> ticket does not exist or is invalid, the user is prompted with a login
> screen.
>
> HOWEVER, there is one single problem which I need some help on.
>
> When a user logs into domain A (which is one of the many domains that
> use CAS), I create a LOGIN_BEAN_A and add it to the HTTP Session
> associated with domain A. When the same user goes to domain B, the
> client detects that the ticket is still valid and creates LOGIN_BEAN_B
> and adds it to the HTTP Session associated with domain B. In effect the
> user is logged into domain B without being prompted for the
> login screen.
>
> When the user logs out of domain A, I invalidate the session and kill
> the CAS authentication information (make the TGT invalid). However,
> the session associated with domain B still exists along with
> LOGIN_BEAN_B. When the user now visits domain B, it shows him as still
> logged in, since LOGIN_BEAN_B still exists in the session. I check for
> the ticket validity only when the LOGIN_BEAN does not exist in the
> session.
>
> How do I overcome this situation? A couple of options that immediately
> come to my mind are...
> 1) Should I implement session sharing across multiple domains? If so,
> how do I do that?
> 2) Validate tickets for each request rather than relying on the
> LOGIN_BEAN in the session. Probably not an efficient way to do it, but
> would get it done.
> 3) Find a way to invalidate the user sessions across all the domains
> when the user logs out of any domain.
>
> Any other ideas? If not, which of the above options should I opt for?
>
> Thank you all,
> Kristin
>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
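The seven-step check for login-required pages described in the message above, written out as an added example in Python (it is not the poster's JSP tag library and not part of the Yale CAS client). The CAS server is replaced by a constructed dictionary of canned CAS 2.0 /serviceValidate XML replies keyed by ticket, so the block runs offline; the login URL, the ticket names and the user database are hypothetical. The XML element names and the `http://www.yale.edu/tp/cas` namespace are the real CAS 2.0 response format, so the same parser would work against a live server reply.

```python
import xml.etree.ElementTree as ET

# CAS 2.0 response namespace (real value used by the serviceValidate protocol).
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Hypothetical CAS login URL used for the step 2 redirect.
LOGIN_URL = "https://cas.example.edu/cas/login"

# Constructed serviceValidate replies, keyed by ticket; stands in for the
# HTTP round trip to the CAS server so the example runs offline.
CANNED_RESPONSES = {
    "ST-good": (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        "<cas:authenticationSuccess><cas:user>kcoles</cas:user>"
        "</cas:authenticationSuccess></cas:serviceResponse>"
    ),
    "ST-expired": (
        "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
        "<cas:authenticationFailure code='INVALID_TICKET'>"
        "Ticket 'ST-expired' not recognized"
        "</cas:authenticationFailure></cas:serviceResponse>"
    ),
}

# Constructed stand-in for the user details database of step 7.
USER_DB = {"kcoles": {"name": "Kristin Coles", "role": "staff"}}


class TicketInvalid(Exception):
    """Plays the role of the JspTagException thrown in step 4."""


def validate_ticket(ticket, fetch=CANNED_RESPONSES.get):
    """Step 3: parse the serviceValidate reply and return the netID on
    authenticationSuccess, or None on authenticationFailure / unknown ticket."""
    body = fetch(ticket)
    if body is None:
        return None
    root = ET.fromstring(body)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text if user is not None else None


def protect_page(params, session, fetch=CANNED_RESPONSES.get, user_db=USER_DB):
    """Steps 1-7 for a page that requires login.

    params  - request parameters (dict); a 'ticket' key is the CAS service ticket
    session - the HTTP session, modelled as a dict
    Returns ('redirect', login_url) or ('ok', login_bean); raises TicketInvalid
    when the ticket does not validate."""
    ticket = params.get("ticket")
    if ticket is None:                          # steps 1 and 2
        return ("redirect", LOGIN_URL)
    net_id = validate_ticket(ticket, fetch)     # step 3
    if net_id is None:                          # step 4
        raise TicketInvalid(f"ticket {ticket!r} is invalid or expired")
    bean = session.get("LOGIN_BEAN")            # steps 5 and 6
    if bean is not None and bean["netID"] == net_id:
        return ("ok", bean)
    details = user_db.get(net_id, {})           # step 7
    bean = {"netID": net_id, **details}
    session["LOGIN_BEAN"] = bean
    return ("ok", bean)


def logout(session):
    """ON LOGOUT: invalidate the local session. Making the TGT invalid on the
    CAS server is done out of band in the poster's setup and is not modelled."""
    session.clear()
    return session


if __name__ == "__main__":
    sess = {}
    print(protect_page({}, sess))                       # redirect to login
    print(protect_page({"ticket": "ST-good"}, sess))    # creates LOGIN_BEAN
    print(protect_page({"ticket": "ST-good"}, sess))    # reuses LOGIN_BEAN
    try:
        protect_page({"ticket": "ST-expired"}, sess)
    except TicketInvalid as e:
        print("step 4:", e)
    print(logout(sess))
```

`protect_page` keeps the step numbering from the message so each branch can be matched to the procedure; swapping `fetch` for a function that performs the real GET against `/serviceValidate` is the only change needed to run it against a CAS server.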
