When you go to the CAS login page, it only checks the TGT for validity if
you also actually request authentication to something (which is why if you
specify a service url you'll be prompted for credentials).  There is no way
to check the validity of a TGT without requesting a service ticket.

Otherwise, if you don't request access to a service it just checks if you
have a single sign on session already initiated by looking for the cookie
(this method is secure as the first time you attempt to gain access to
anything it will detect that the session is no longer valid).

Hope that helps.  Glad to hear you've got CAS working!
-Scott

-- 
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Nov 15, 2007 2:07 PM, Kristin Coles <[EMAIL PROTECTED]> wrote:

> Thank you for a quick reply Scott. You are right, when I give a
> different service parameter to the login URL, I'm getting the login
> prompt.
>
> I understand that the cookie still exists (because a. it did not
> expire; b. browser wasn't closed; c. the user did not delete the
> cookies from the browser). But since the corresponding TGT does not
> exist anymore, should I not be prompted for the login credentials? How
> does the service parameter impact this behavior? Can you please
> elaborate.
>
> Feels like a huge load has been lifted off my chest. I'm really
> thankful to this forum for their continued help. I have a working CAS
> server :)
>
> Regards,
> Kristin.
>
>
> On Nov 15, 2007 11:11 AM, Scott Battaglia <[EMAIL PROTECTED]>
> wrote:
> > You're seeing expected behavior.  Your cookie exists in between Tomcat
> > shutdowns.  If you try to access another service however, you will be
> > prompted for credentials because even though the cookie still exists client
> > side (the browser) there is no corresponding TicketGrantingTicket on the CAS
> > Server.
> >
> > -Scott
> >
> >
> >
> > On Nov 15, 2007 12:46 PM, Kristin Coles <[EMAIL PROTECTED]> wrote:
> > > Thanks for your suggestion Nicolas. It DID DISABLE session
> > > persistence. Proof is the following message in Tomcat logs during
> > > startup.
> > >
> > > [org.apache.catalina.session.PersistentManagerBase] : No Store
> > > configured, persistence disabled
> > >
> > > However, when I restart Tomcat and go to https://kristin/login, I
> > > still get the message "You have successfully logged into the Central
> > > Authentication Service."!
> > >
> > > #Tomcat\conf\server.xml
> > > <Host name="kristin" appBase="webapps"
> > > unpackWARs="true" autoDeploy="true"
> > > xmlValidation="false" xmlNamespaceAware="false" expireSessionsOnShutdown="true">
> > >        <Context path="" docBase="cas">
> > >        <Manager className="org.apache.catalina.session.PersistentManager"
> > > debug="0" saveOnRestart="false"></Manager>
> > >        </Context>
> > > </Host>
> > >
> > > I am completely stumped! CAS and Tomcat gurus, please advise!
> > >
> > > Regards,
> > > Kristin
> > >
> > >
> > >
> > >
> > > On Nov 14, 2007 11:03 PM, Nicolas Clemeur <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Thank you very much Scott! I got the browser REFRESH issue resolved by
> > > > > redirecting to the same URL without the ticket. If not for your reply,
> > > > > it would have taken me a long time to figure it out! :)
> > > > >
> > > > > The TGTs are persisting between Tomcat restarts though. I am still
> > > > > unable to disable session persistence in Tomcat.
> > > > >
> > > > > I have tried the following to disable session persistence in Tomcat.
> > > > [...]
> > > > > Can anyone please help me.
> > > > >
> > > >
> > > > I think if you add the following in your context.xml, it should disable
> > > > session persistence:
> > > >
> > > > <!--  This prevents Tomcat from serializing session objects on shutdown -->
> > > > <Manager className="org.apache.catalina.session.PersistentManager"
> > > > saveOnRestart="false"/>
> > > >
> > > >
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > [email protected]
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > >
> > >
> >
> >
> >
> > --
> >
> >
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
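The behaviour Scott describes at the top of this thread, as an added example that is not part of the original messages and is not CAS source code: a simplified Python model of the login decision, showing why a leftover cookie yields the "successfully logged in" page without a service but a credential prompt with one. The names `CasModel`, `tgt_registry` and the `app.example` URL are hypothetical, and the model assumes the server keeps TGTs only in memory.

```python
import secrets


class CasModel:
    """Toy model of the login decision described in the thread (assumption, not CAS code)."""

    def __init__(self):
        # Server-side state: TGT id -> username. Assumed to live only in memory.
        self.tgt_registry = {}

    def restart(self):
        # A server restart drops the in-memory TGTs; browser cookies are untouched.
        self.tgt_registry.clear()

    def authenticate(self, username):
        # Successful credential check: create a TGT and hand its id to the
        # browser as the single sign-on cookie value.
        tgt_id = "TGT-" + secrets.token_hex(8)
        self.tgt_registry[tgt_id] = username
        return tgt_id

    def login(self, cookie=None, service=None):
        if service is None:
            # No service requested: only the presence of the cookie is checked,
            # so a stale cookie still produces the success page.
            return "success-page" if cookie else "prompt"
        # A service was requested: issuing a service ticket requires the TGT
        # behind the cookie, so this is where a stale cookie is detected.
        if cookie in self.tgt_registry:
            return "redirect:" + service + "?ticket=ST-" + secrets.token_hex(8)
        return "prompt"


def demo():
    """Replay the scenario from the thread and return the three outcomes."""
    cas = CasModel()
    cookie = cas.authenticate("kristin")           # constructed sample user
    service = "https://app.example/"               # hypothetical service URL
    before = cas.login(cookie, service)            # valid TGT: service ticket issued
    cas.restart()                                  # Tomcat restart, cookie survives
    no_service = cas.login(cookie)                 # stale cookie, no service
    with_service = cas.login(cookie, service)      # stale cookie, service requested
    return [before.startswith("redirect:"), no_service, with_service]


if __name__ == "__main__":
    print(demo())
```

The success page without a service parameter is therefore not evidence that the TGT is still valid; only a service ticket request exercises the server-side lookup.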