Hi all,

We're newbies to the CAS, looking at / playing with the distribution and
have some questions.  We had tried to set up the "demo"  (
http://www.ja-sig.org/wiki/display/CASUM/Demo) CAS setup: using the CAS
server webapp 3.3.1, casclient 2.1.1, tomcat 6, and a hello-world type
program to "cas-ify."

(1) Is there an existing way to cache/reduce the number of redirects to the
CAS server for authentication -- does this violate the whole intent of CAS?

For example, if we have cas-server and app-server that may have app1, app2,
app3, etc. on it.  If user starts the browser and goes to
http://app-server/app1, user will be redirected to the
cas-server/cas/login... to enter credentials and login, then (if successful)
be redirected back to app1.  In this same browser session, will future
"http://app-server/app1" go through this redirection again, or will they cut
straight through to the app1?

Also, for app2, app3, etc: the redirect to the cas-server still occurs, and
then gets re-redirected without user intervention (because cas-server found
the CASTGC cookie?) back to the app-server.  Is there any way to minimize
these redirects, and do subsequent calls to app2 also go through the
cas-server-redirection again? (the same question as for app1)  I guess this
question was raised as part of a discussion wondering about potential
bandwidth cost if many logged-in users are accessing several applications,
frequently.

(2) This is a fuzzy (and perhaps not too sensical) question, because I don't
yet have an idea how to phrase it well -- it is related to if/how CAS can be
used to protect certain remote API (RPC?) calls from one machine to
another.  But if it rings any bells, and you have some ideas where it's
possible, any pointers are welcome.   I think it may be sort of related to
the thread by Danilo (
http://tp.its.yale.edu/pipermail/cas/2008-October/009906.html), but I'm not
sure.  I will obtain more details from the application developers and try to
clarify.

(3) This is something I noticed when playing around in the logout, is the
behavior as intended?
- go to http://app-server/app1.  Get redirected to cas-server/cas/login,
enter credentials, get redirected back to app-server/app1.  That's fine.
- go to https://cas-server/cas/logout.  See the "logged out successfully"
message.  Checked the cookies and the CASTGC is gone.
- go to http://app-server/app1.  It runs again, without being redirected to
cas-server/cas/login ?  This confuses me a little bit, because is this how
post-logout behavior should be?  If I go explicitly to cas-server/cas/login,
I'll get the login page again prompting for credentials.  Then if I go
(without entering credentials) to the app-server/app1 page again, app1 will
again be run.

I do see that the logout page recommends closing the browser after logout,
and I had not done that, but I was just curious about what we were seeing
above.

This is an interesting technology, although parts are a bit confusing for us to
initially grasp.
Thanks in advance for any insight that you can provide!

Kevin
_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
