Greetings, I have inherited our CAS server implementation. I am pretty familiar with web security and how it works but brand new to CAS. We have several web apps that participate in SSO. They are Spring apps and use Acegi on the client side.

I think the version of CAS I currently have installed in prod is 3.0.6. There have been various changes / extensions to this; I am not sure how many or the size of the changes. I have been asked to implement a "global timeout" (explanation to follow). The contractor that was working on this project prior to my coming on board made changes to 3.0.6 to do this global timeout but has never tested his changes (he is now gone).

Global timeout issue:

Current Situation: When a user leaves the secured site and remains on a non-secure page in the same browser window past the 15-minute inactivity limit, then the redirection of the secured site to complete session logout does not happen.

Proposed Solution: A login registry will be added within the authentication mechanism so as to monitor the user's activity with the secured applications, and log them out when they are no longer active with any sessions. They will remain active if they have even one active session with any of the secured applications.

This is implemented currently (but untested and probably not complete) by setting up a registry in the CAS server that keeps track of every application you are logged into; then a session invalidate listener (or filter or something) fires on session expiration that will remove that particular app from the registry in CAS. When there are no more entries in this registry you are logged out and our CAS will no longer auth you.

Sorry to be so dense about this but I am still in the process of trying to understand this all and CAS as well. This line, "the redirection of the secured site to complete session logout does not happen", refers to a JSP callback in each of our apps that blows away the session for that app. So I click logout, and a JSP page comes up that calls a bunch of other JSPs (one for each participating app). Those pages blow away the session in each app.

I think this is where the problem comes from: if I navigate away from the site there won't be any callbacks to log me out of each app. My question is twofold: firstly, any general advice you can give me would be greatly appreciated; secondly, should I scrap all this and start over with a plain vanilla (current release) CAS server?

Thanks
Troy

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
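A small model of the "login registry" the post proposes, added here as an illustration and not code from CAS or from the contractor's changes. It assumes constructed names (LoginRegistry, touch, session_expired, sweep) and keys entries by a ticket-granting ticket id; the point it adds to the post's design is a server-side inactivity sweep, so a user who navigates away and never triggers an app's session-expiry callback is still logged out after the 15-minute limit.

```python
import time

# Constructed model of the proposed registry (added example, not CAS code).
# One entry per CAS login (ticket-granting ticket) lists the applications that
# currently hold a session for that user, with their last-activity time.
INACTIVITY_LIMIT = 15 * 60  # seconds; the 15-minute limit from the post


class LoginRegistry:
    def __init__(self, inactivity_limit=INACTIVITY_LIMIT, clock=time.monotonic):
        self.limit = inactivity_limit
        self.clock = clock          # injectable for testing
        self._sessions = {}         # tgt -> {app_id: last_activity}
        self.revoked = set()        # TGTs CAS must no longer honour

    def touch(self, tgt, app_id):
        """An application validated a ticket or saw activity for this user."""
        if tgt in self.revoked:
            raise PermissionError("ticket-granting ticket already revoked")
        self._sessions.setdefault(tgt, {})[app_id] = self.clock()

    def session_expired(self, tgt, app_id):
        """Callback from an app's session listener/filter when its session dies."""
        apps = self._sessions.get(tgt)
        if apps is not None:
            apps.pop(app_id, None)
            self._finish_if_empty(tgt)

    def sweep(self):
        """Server-side inactivity check, run periodically inside CAS itself.

        This is what covers the 'navigated away' case: entries idle past the
        limit are dropped even if the application never sent a callback.
        """
        now = self.clock()
        for tgt in list(self._sessions):
            apps = self._sessions[tgt]
            for app_id, last_seen in list(apps.items()):
                if now - last_seen > self.limit:
                    del apps[app_id]
            self._finish_if_empty(tgt)

    def _finish_if_empty(self, tgt):
        # No application session left: the CAS login itself is finished.
        if not self._sessions.get(tgt):
            self._sessions.pop(tgt, None)
            self.revoked.add(tgt)

    def is_active(self, tgt):
        return tgt in self._sessions and tgt not in self.revoked
```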
