<Background -- and I am sorry it is so long>
BYU currently is running the CA SiteMinder product for our homegrown
"portal" (e.g. a group of pages tied together with a common session).
SiteMinder evaluates its own security policy to determine whether or not
to authenticate a user based on a URL pattern. SiteMinder fronts
applications via reverse proxies and an Apache module. The SiteMinder
enabled reverse proxies send the user identity via the RemoteUser to
applications. SiteMinder is providing authentication, authorization
("can I get there" decisions) and session management. Also, when I log out
of SiteMinder, I am assumed to be logged out of every application in the
SiteMinder shared session domain. We have three application frameworks
(C CGI, PeopleSoft, Java Spring, mvn, Hibernate, etc.) that are working in
this mode.
As we move to CAS, we created a servlet filter for our Java applications
that does the following:
If (request has ticket) {
    Validate ticket and create authenticated application *session*
} else if (request does not have ticket && user does not already have *session*) {
    Redirect to CAS login page with service ticket request
} else {
    User already has *session*: continue to the application
}
My management wants to continue the SiteMinder global session "bubble"
around the three frameworks using an abstraction similar to the
aforementioned filter, with minimal changes to the frameworks. However,
I want to follow best practices and repent of the sins of the past and still
meet their needs.
<Question>
1. What is the best practice for integrating a global application
session across application domains with CAS?
Our thoughts were that it is common practice (at least in Java) to
include the CAS/app session logic in filters that can be hooked into Spring
Security. PeopleSoft can use Java filters, so we can recycle the Java
filter/CAS client in PeopleSoft. For C CGI we are still working on a
solution, but I think we can front the CGIs with a Java servlet filter.
2. Where should application session management occur: in a framework, or
abstracted out completely into the network infrastructure?
We are of two minds at BYU. One suggestion was to tweak mod_auth_cas to
make it operate similarly to our current SiteMinder/reverse proxy
configuration. The other suggestion is to integrate CAS/session management
into our four frameworks using filters etc. In my mind, it doesn't seem
like a good architecture to store security logic ("do I need to
authenticate" logic) in Apache instead of application/framework code.
My bias is toward frameworks because we have lots of Java developers and
maybe one Apache module C developer (not meant as a slight to the
mod_auth_cas community). Furthermore, I can't imagine we want to be in the
module business.
3. Has anyone else tried something like this?
It seems to me to be a bit insane to share sessions between CGIs, Java
and PeopleSoft. Rather than mess with sessions, I think we should create the
appearance of a "global session" bubble. All applications log in to CAS
using filters etc. The three frameworks log out using CAS and Single
Sign Out. The appearance of the global app session remains intact.
Any input and a sanity check would be great. Thanks!
tom
PS: I am still trying to get Single Sign Out working based on this URL
http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out and I am having
trouble figuring out what I need to configure in CAS to register single
sign out callbacks.
--
********************************
Tom Freestone
([EMAIL PROTECTED])
Engineering
Office of Information Technology
Brigham Young University
********************************
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
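As an added example (not code from the original message or from the CAS project), here is the three-branch filter described in the post written as a javax.servlet Filter. `TicketValidator` is a hypothetical interface standing in for whichever CAS client validator is used, and the CAS login URL and session attribute name are assumed values; the third branch passes an already-authenticated request through rather than redirecting it again.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.stream.Collectors;
import javax.servlet.*;
import javax.servlet.http.*;

public class CasSessionFilter implements Filter {
    // Assumed values: where CAS lives and which session attribute carries the user id.
    private static final String CAS_LOGIN_URL = "https://cas.example.edu/cas/login";
    private static final String USER_ATTR = "cas.principal";
    /** Hypothetical stand-in for whichever CAS client validator is used; null means invalid. */
    public interface TicketValidator { String validate(String ticket, String serviceUrl); }
    private final TicketValidator validator;
    public CasSessionFilter(TicketValidator validator) { this.validator = validator; }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ticket = request.getParameter("ticket");
        String service = serviceUrl(request);
        HttpSession session = request.getSession(false);
        if (ticket != null) {
            // Branch 1: the ticket proves nothing until CAS confirms it for this service URL.
            String user = validator.validate(ticket, service);
            if (user == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
            // Discard any pre-login session so the authenticated one gets a fresh id (no fixation).
            if (session != null) session.invalidate();
            request.getSession(true).setAttribute(USER_ATTR, user);
            response.sendRedirect(service);  // strip the ticket from the URL bar
        } else if (session == null || session.getAttribute(USER_ATTR) == null) {
            // Branch 2: no ticket and no application session: go to CAS and come back here.
            response.sendRedirect(CAS_LOGIN_URL + "?service=" + URLEncoder.encode(service, "UTF-8"));
        } else {
            // Branch 3: application session already exists; let the request through.
            chain.doFilter(request, response);
        }
    }

    /** The service URL CAS must see: this request's URL minus the ticket parameter. */
    static String serviceUrl(HttpServletRequest r) {
        String qs = r.getQueryString();
        String kept = qs == null ? "" : Arrays.stream(qs.split("&"))
                .filter(p -> !p.startsWith("ticket=")).collect(Collectors.joining("&"));
        return r.getRequestURL() + (kept.isEmpty() ? "" : "?" + kept);
    }
}
```

Single Sign Out is not handled here; the CAS server posts a logout request to the registered service URL, and invalidating the matching application session on that callback is what keeps the "global session" bubble intact.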