Tom,
CAS is designed specifically not to be an application session manager
or a policy enforcement point; those responsibilities are delegated to
the applications themselves.
#3 seems to be the most reasonable route... although Single Sign Out
requires some work on the application side: you need a URL on each
application that can invalidate that application's own
sessions. I suppose you might be able to encapsulate this behavior in
a common filter. RU has not implemented SSOut and probably won't.
Bill
On Thu, Oct 2, 2008 at 1:02 AM, Tom Freestone <[EMAIL PROTECTED]> wrote:
> <Background -- and I am sorry it is so long>
> BYU is currently running the CA SiteMinder product for our homegrown
> "portal" (e.g. a group of pages tied together with a common session).
> SiteMinder evaluates its own security policy to determine whether or not
> to authenticate a user based on a URL pattern. SiteMinder fronts
> applications via reverse proxies and an Apache module. The SiteMinder
> enabled reverse proxies send the user identity via RemoteUser to the
> applications. SiteMinder is providing authentication, authorization
> ("can I get there" decisions) and session management. Also, when I log out
> of SiteMinder, I am assumed to be logged out of every application in the
> SiteMinder shared session domain. We have three application frameworks
> (C CGI, PeopleSoft, Java Spring MVC, Hibernate etc.) that are working in
> this mode.
>
> As we move to CAS, we created a servlet filter for our Java applications
> that does the following:
>
>     if (request has ticket) {
>         validate the ticket against CAS; on success create an authenticated application *session*
>     } else if (user does not already have an application *session*) {
>         redirect to the CAS login page with the service parameter, so CAS issues a service ticket
>     } else {
>         pass the request through to the application; the existing *session* is trusted
>     }
>
> My management wants to continue the SiteMinder global session "bubble"
> around the three frameworks using an abstraction similar to the
> aforementioned filter, with minimal changes to the frameworks. However,
> I want to follow best practices and repent of the sins of the past while
> still meeting their needs.
> <Question>
> 1. What is the best practice for integrating a global application
> session across application domains with CAS?
> Our thoughts were that it is common practice (at least in Java) to
> include the CAS/app session logic in filters that can be hooked into Spring
> Security. PeopleSoft can use Java filters, so we can recycle the Java
> filter/CAS client in PeopleSoft. For the C CGIs we are still working on a
> solution, but I think we can front the CGIs with a Java servlet filter.
> 2. Where should application session management occur: in a framework, or
> abstracted out completely into the network infrastructure?
> We are of two minds at BYU. One suggestion was to tweak mod_auth_CAS to
> make it operate similarly to our current SiteMinder/reverse proxy
> configuration. The other suggestion is to integrate CAS/session management
> into our four frameworks using filters etc. In my mind, it doesn't seem
> like a good architecture to store security logic ("do I need to
> authenticate" logic) in Apache instead of application/framework code.
> My bias is toward frameworks because we have lots of Java developers and
> maybe one Apache module C developer (not meant as a slight to the
> mod_auth_cas community). Furthermore, I can't imagine we want to be in the
> module business.
> 3. Has anyone else tried something like this?
> It seems to me a bit insane to share sessions between CGIs, Java
> and PeopleSoft. Rather than mess with sessions, I think we should create the
> appearance of a "global session" bubble. All applications log in to CAS
> using filters etc. The three frameworks log out using CAS and Single
> Sign Out. The appearance of the global app session remains intact.
>
> Any input and a sanity check would be great. Thanks!
>
> tom
>
> PS I am still trying to get Single Sign Out working based on this URL
> http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out and I am having
> trouble figuring out what I need to configure in CAS to register the single
> sign out callbacks.
>
> --
>
>
> ********************************
> Tom Freestone
> ([EMAIL PROTECTED])
> Engineering
> Office of Information Technology
> Brigham Young University
> ********************************
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
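An added example, not code from this thread, from BYU or from the JA-SIG CAS client: a framework-neutral sketch, in Python rather than a Java servlet filter, of the two pieces the thread turns on. The first is the filter logic Tom describes (ticket present: validate and open an application session; no ticket and no session: redirect to CAS login; otherwise pass through). The second is the per-application "invalidate my session" URL Bill says Single Sign Out needs, driven by a session store indexed by service ticket. Assumptions, labelled in the code: CAS 2.0 /serviceValidate XML responses, and SSOut delivered as a POST whose logoutRequest parameter is a SAML LogoutRequest carrying the service ticket in samlp:SessionIndex. The HTTP round trips are replaced by an injected callable and the tickets, URLs and messages are constructed, so it runs offline.

```python
# Added example (not from this thread or the JA-SIG CAS client): CAS login
# filter logic plus the Single Sign Out callback. Assumed: CAS 2.0
# serviceValidate XML; SSOut as a POST 'logoutRequest' SAML LogoutRequest
# whose <samlp:SessionIndex> is the service ticket. Runs offline.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

class SessionStore:
    """Application-side sessions, indexed by the service ticket that created
    each one; that index is what makes Single Sign Out possible later."""
    def __init__(self):
        self.sessions = {}    # session id -> {"user": ..., "ticket": ...}
        self.by_ticket = {}   # service ticket -> session id
        self._count = 0

    def create(self, user, ticket):
        self._count += 1
        sid = f"S{self._count}"
        self.sessions[sid] = {"user": user, "ticket": ticket}
        self.by_ticket[ticket] = sid
        return sid

    def invalidate_by_ticket(self, ticket):
        sid = self.by_ticket.pop(ticket, None)
        if sid is None:
            return False          # unknown ticket: nothing to drop, no error
        self.sessions.pop(sid, None)
        return True

def parse_service_validate(xml_text):
    """User from a CAS 2.0 serviceValidate response, or None on
    authenticationFailure (bad, expired, replayed or wrong-service ticket)."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        return None
    user = success.find(f"{{{CAS_NS}}}user")
    return user.text.strip() if user is not None and user.text else None

def cas_filter(request, store, cas_base, validate):
    """One pass of the filter. request: dict with 'url' (service URL),
    optional 'ticket', optional 'session_id'. validate(service, ticket)
    returns serviceValidate XML. Returns (action, detail)."""
    ticket = request.get("ticket")
    if ticket:
        # Validate against the same service URL the ticket was issued for.
        user = parse_service_validate(validate(request["url"], ticket))
        if user is None:
            return ("deny", None)      # never fall back to another credential
        return ("session_created", store.create(user, ticket))
    sid = request.get("session_id")
    if sid in store.sessions:
        return ("pass", sid)           # local session is authoritative; CAS not consulted
    login = f"{cas_base}/login?{urlencode({'service': request['url']})}"
    return ("redirect", login)

def handle_single_sign_out(post_params, store):
    """The per-application logout URL: CAS POSTs a SAML LogoutRequest naming
    the service ticket; drop the application session it created."""
    body = post_params.get("logoutRequest")
    if not body:
        return False
    root = ET.fromstring(body)
    idx = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if idx is None or not idx.text:
        return False
    return store.invalidate_by_ticket(idx.text.strip())

def demo():
    """First visit, ticket exchange, normal use, ticket replay, Single Sign
    Out, then the visit after it. Returns the list of outcomes."""
    store = SessionStore()
    service = "https://app.example.edu/"      # assumed application URL
    cas = "https://cas.example.edu/cas"        # assumed CAS server
    issued = {(service, "ST-1-abc"): "tom"}    # constructed: one ticket, one user

    def validate(svc, ticket):                 # stand-in for GET /serviceValidate
        user = issued.pop((svc, ticket), None)  # tickets are single-use and service-bound
        if user is None:
            return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationFailure '
                    f'code="INVALID_TICKET">not recognized</cas:authenticationFailure></cas:serviceResponse>')
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f'<cas:user>{user}</cas:user></cas:authenticationSuccess></cas:serviceResponse>')

    out = [cas_filter({"url": service}, store, cas, validate)]
    out.append(cas_filter({"url": service, "ticket": "ST-1-abc"}, store, cas, validate))
    sid = out[-1][1]
    out.append(cas_filter({"url": service, "session_id": sid}, store, cas, validate))
    out.append(cas_filter({"url": service, "ticket": "ST-1-abc"}, store, cas, validate))
    logout = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="_1" Version="2.0" '
              f'IssueInstant="2008-10-02T08:00:00Z"><saml:NameID xmlns:saml="{SAML_NS}">'
              f'@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-abc</samlp:SessionIndex>'
              f'</samlp:LogoutRequest>')       # constructed SSOut message
    out.append(("sso_out", handle_single_sign_out({"logoutRequest": logout}, store)))
    out.append(cas_filter({"url": service, "session_id": sid}, store, cas, validate))
    return out

if __name__ == "__main__":
    for action, detail in demo():
        print(action, detail)
```

The point of the ticket index in SessionStore is the one Bill makes: CAS does not know your session identifiers, only the service ticket it issued, so the SSOut callback can only find the session if the application recorded that mapping when it validated the ticket. Note also that the replayed ticket is rejected by the (stand-in) CAS server, not by the filter; the filter's job is to refuse to fall back to anything else when validation fails.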