George, The SSOut feature in CAS works by telling the CAS clients that requested validation for service tickets that a user is logging out and that it should invalidate the user's session on the application server.
Let me see if I can draw a picture to illustrate the point:

GIVEN: Two, non-replicated CAS Servers: CAS001 (active) and CAS002 (passive)

1. User logs in to CAS001
2. User works with Applications A, B, & C
3. CAS001 goes down, thus making CAS002 active

At this point, all of your SSO information on CAS001 is lost, so you can no longer use the same SSO session and CAS doesn't remember which applications you were working with. So let us look at the different scenarios that can occur here:

Scenario: User logs out of CAS002
- SSO cookie is invalidated, but ...
- No SSOut requests sent to Applications A, B, & C, so ...
- Someone could come behind User and use Applications A-C

Scenario: User attempts to use a new CAS-protected application
- Required to login to CAS002, which remembers Application D
- User logs out of CAS002 ...
- SSO cookie is invalidated ...
- SSOut request sent to Application D only
- Someone could come behind User and use Applications A-C

The point I am trying to make is that whenever you failover to a different CAS server, there is potential for a security issue if the registry information is not replicated between the CAS servers. I cannot tell you how this issue was handled in the past as we adopted CAS once it supported SSOut.

Hope that helps,
A-

On 11/20/08 7:22 AM, "Lin George" <[EMAIL PROTECTED]> wrote:

> Thanks Andrew!
>
> I have two more questions for your reply below.
>
> 1.
>
> You mentioned -- "One of the take aways to think about with an active-passive failover setup is how Single Sign Out (SSOut) behaves. For those who use CAS 3.1 and higher, this feature will issue session invalidation calls whenever users log out of CAS to any application that had a service ticket validated."
>
> I think by active-passive setup you mean setting up two CAS servers, with one as primary which always does authentication if the server is live. The other server is the slave server, which will not do authentication when the primary server is working (the slave server will take effect when the primary server is down)? Correct understanding?
>
> I am confused about why a setup with an active-passive failover deployment will cause issues like "session invalidation calls whenever users log out of CAS to any application that had a service ticket validated"? Could you describe in more detail?
>
> 2.
>
> You mentioned -- "If registry information is not replicated between machines and applications expect the CAS logout to invalidate session information, then users' application sessions will still be active until whatever mechanism is used to remember the user (cookie, session information, etc.)." -- so your suggestion is to replicate session information between two servers? What information do you think we need to set up to replicate?
>
> regards,
> George
>
> ------------------------------------------------------------------------------
> Message: 5
> Date: Wed, 19 Nov 2008 09:32:59 -0600
> From: "Andrew Ralph Feller, afelle1" <[EMAIL PROTECTED]>
> Subject: Re: high availability issue of CAS
> To: CAS Users <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="ISO-8859-1"
>
> One of the take aways to think about with an active-passive failover setup is how Single Sign Out (SSOut) behaves. For those who use CAS 3.1 and higher, this feature will issue session invalidation calls whenever users log out of CAS to any application that had a service ticket validated.
>
> If registry information is not replicated between machines and applications expect the CAS logout to invalidate session information, then users' application sessions will still be active until whatever mechanism is used to remember the user (cookie, session information, etc.).
>
> This issue is alleviated when you replicate registry information via JBoss Cache, Memcached, or JPA.
>
> $0.02,
> A-

-- 
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
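The failover walk-through in Andrew's reply, as an added example that is not part of the original thread and is not CAS code: a small Python model of two CAS nodes whose ticket registries either are or are not shared, four CAS-protected applications, and the SSOut notification that fires on logout. The SAML 2.0 LogoutRequest shape (a `samlp:LogoutRequest` carrying the service ticket in `SessionIndex`, POSTed as the `logoutRequest` parameter) is taken from the CAS 3.1+ protocol, not from this page; the class names `CasServer`, `CasClient`, the `run_failover` driver and the user name are hypothetical. A shared Python dict stands in for a replicated registry (JBoss Cache, Memcached or JPA in the thread).

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(service_ticket):
    """The SAML 2.0 LogoutRequest that CAS 3.1+ POSTs to each client as the
    "logoutRequest" parameter. SessionIndex carries the service ticket the
    client validated earlier. Shape from the CAS protocol, not this thread."""
    root = ET.Element(
        f"{{{SAMLP}}}LogoutRequest",
        ID="_" + uuid.uuid4().hex,
        Version="2.0",
        IssueInstant=datetime.now(timezone.utc).isoformat(),
    )
    ET.SubElement(root, f"{{{SAML}}}NameID").text = "@NOT_USED@"
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = service_ticket
    return ET.tostring(root, encoding="unicode")


class CasClient:
    """A CAS-protected application (A, B, C, D in the thread). Hypothetical class."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # service ticket -> local application session id

    def validate(self, service_ticket):
        # After validating the ST with CAS the app keys its own session by that
        # ST; that mapping is what lets it honour a later SSOut request.
        self.sessions[service_ticket] = f"{self.name}-session-{len(self.sessions) + 1}"

    def receive_logout(self, logout_request_xml):
        """Handle a POSTed logoutRequest; True if a local session was killed."""
        root = ET.fromstring(logout_request_xml)
        st = root.findtext(f"{{{SAMLP}}}SessionIndex")
        if not st:
            return False  # malformed request: ignore rather than guess a session
        return self.sessions.pop(st, None) is not None

    def has_live_session(self):
        return bool(self.sessions)


class CasServer:
    """One CAS node. `registry` maps TGT -> services that validated an ST under
    it. Two nodes handed the same dict model a replicated registry."""

    def __init__(self, name, registry):
        self.name = name
        self.registry = registry

    def login(self, user):
        tgt = f"TGT-{uuid.uuid4().hex[:8]}-{self.name}"
        self.registry[tgt] = {"user": user, "services": []}
        return tgt

    def service_ticket(self, tgt, client):
        st = f"ST-{uuid.uuid4().hex[:8]}"
        self.registry[tgt]["services"].append((client, st))
        client.validate(st)  # client calls back to CAS to validate the ST
        return st

    def logout(self, tgt):
        """Drop the SSO session and send SSOut to every service *this node*
        knows validated an ST under it. Returns the client names notified."""
        entry = self.registry.pop(tgt, None)
        if entry is None:
            return []  # this node never saw the TGT: nobody to notify
        notified = []
        for client, st in entry["services"]:
            if client.receive_logout(build_logout_request(st)):
                notified.append(client.name)
        return notified


def run_failover(replicated):
    """Steps 1-3 from the thread, then the second scenario: the user touches a
    new app D on CAS002 and logs out. Returns who got SSOut and which apps are
    left with a live session for someone else to walk up and use."""
    apps = {n: CasClient(n) for n in "ABCD"}
    reg1 = {}
    reg2 = reg1 if replicated else {}
    cas1, cas2 = CasServer("CAS001", reg1), CasServer("CAS002", reg2)

    cookie = cas1.login("george")              # 1. user logs in to CAS001
    for n in "ABC":                            # 2. works with A, B, C
        cas1.service_ticket(cookie, apps[n])

    active = cas2                              # 3. CAS001 goes down
    if cookie not in active.registry:          # unreplicated: forced re-login
        cookie = active.login("george")
    active.service_ticket(cookie, apps["D"])   # app D validated on CAS002

    notified = active.logout(cookie)           # user logs out of CAS002
    orphaned = sorted(n for n, a in apps.items() if a.has_live_session())
    return {"notified": sorted(notified), "orphaned": orphaned}


if __name__ == "__main__":
    for flag in (False, True):
        print("replicated" if flag else "unreplicated", run_failover(flag))
```

Without replication the logout from CAS002 reaches only D and A, B and C keep their application sessions, exactly the gap the reply describes; with the shared registry the same logout notifies all four. The check a practitioner would add in a real deployment is the same one the model makes explicit: the TGT the browser presents after failover must exist in the surviving node's registry, otherwise SSOut has nothing to walk.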
