Giuseppe Sollazzo wrote on 8 March 2010 09:54:
Hi Noah,
well... theoretically you are at least partially right. But that's not the case when discussing a real implementation and I can explain why.

The point with CAS is that it offers an *optional* single sign out procedure. Most applications/implementations won't log out the full CAS session. In most installs I've seen, there is no interest for a single sign out, or when such interest is valid, single sign out is performed using a centralized "logout" web application (generally it's the corporate portal).

There are many reasons for doing this, but the very simple one (the one most sysadmins give when asked) is that most users are fine with a centralized login, but would not assume to have logged out globally. In environments with thousands of users, all of them very diverse (wrt IT skills), it's not advisable (and it's common practice) to have a single sign out, but just a single sign on.

That's why, when configuring most applications (I've had experience with Moodle, Plone, Apache, and some others), you get asked, in the configuration files/GUI, to specify entry points for both /login and /logout. Actually, all apps so far allow that, except trac.

<end-of-day-off-topic-rant>
The above (varying levels of IT competence) is *exactly* why Single Sign On without Single Sign Out is always going to be a huge security issue.

I think the general reason for requiring Single Sign Out via a global portal is that most "enterprise" systems are horrible, broken, insecure crap -- and the contractors couldn't be bothered to care about the security of the systems involved, or to read enough of a spec to be able to actually *provide* single sign out...
</rant>

So the question is still valid :-) Is there a known way of avoiding single sign out?

Looking at:

http://trac-hacks.org/browser/traccasplugin/0.11/traccas/traccas.py

it would appear the way the CAS plugin checks whether a user is logged in is by checking for a valid CAS ticket (which is exactly what you would expect it to do).

And the logout-call invalidates the CAS ticket.

According to (one cas implementation):
http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out

it appears the way to deal with broken CAS clients, that maintain a separate session from the CAS session, is to disable single sign out on the CAS server.


I guess the reason why you'd want this is because you've given up on single sign on, and use CAS simply as a way to synchronize login names and passwords across several servers. I guess this is fine -- it's just a bit different from what CAS really is intended to do.

Either way -- as far as I can tell the trac plugin is behaving correctly (even without any option to turn off SSOut).

-e

--
 .---.  Eirik Schwenke <eirik.schwe...@nsd.uib.no>
( NSD ) Harald Hårfagresgate 29            Rom 150
 '---'  N-5007 Bergen            tlf: (555) 889 13

  GPG-key at pgp.mit.edu  Id 0x8AA3392C
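To make the distinction in this thread concrete, here is an added example (not code from the thread, from traccasplugin, or from any CAS server) modelling how a CAS client application keeps its own session keyed by the service ticket, how a local-only /logout differs from one that also ends the CAS session, and how the client invalidates a session when the CAS server posts back a single-sign-out LogoutRequest naming that ticket. The class, its method names and the URLs are hypothetical; the LogoutRequest shape follows the SAML-style message described on the CASUM Single Sign Out page linked above.

```python
import re
import secrets
from typing import Optional
from urllib.parse import urlencode


class CasClientSessions:
    """Hypothetical CAS client session store for one application.

    Each local session is created after a service ticket validated and is
    remembered by that ticket, so a later single-sign-out message from the
    CAS server (which carries the ticket) can find and drop it.
    """

    def __init__(self, cas_base: str, service: str, single_sign_out: bool):
        self.cas_base = cas_base.rstrip("/")
        self.service = service          # this application's CAS service URL
        self.single_sign_out = single_sign_out  # the /logout policy knob
        self._sessions = {}             # cookie -> (username, service ticket)
        self._by_ticket = {}            # service ticket -> cookie

    def login(self, username: str, service_ticket: str) -> str:
        """Called once /serviceValidate succeeded; returns the session cookie."""
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = (username, service_ticket)
        self._by_ticket[service_ticket] = cookie
        return cookie

    def user(self, cookie: str) -> Optional[str]:
        entry = self._sessions.get(cookie)
        return entry[0] if entry else None

    def logout(self, cookie: str) -> Optional[str]:
        """Always drop the local session.  Only when single sign out is
        enabled also return a redirect to the CAS server's /logout, which
        ends the CAS session for every other application as well."""
        entry = self._sessions.pop(cookie, None)
        if entry:
            self._by_ticket.pop(entry[1], None)
        if not self.single_sign_out:
            return None                 # CAS session (and other apps) survive
        return f"{self.cas_base}/logout?" + urlencode({"service": self.service})

    def handle_logout_request(self, xml: str) -> bool:
        """Back-channel single sign out from the CAS server: the message
        names the service ticket in <samlp:SessionIndex>; invalidate the
        matching local session.  Returns True if a session was ended."""
        m = re.search(r"<samlp:SessionIndex>\s*([^<\s]+)\s*</samlp:SessionIndex>", xml)
        if not m:
            return False
        cookie = self._by_ticket.pop(m.group(1), None)
        return self._sessions.pop(cookie, None) is not None
```

With `single_sign_out=False` the application behaves like the portal-driven setups described above: its own session ends, the user stays logged in at CAS and in every other application; the back-channel handler is what lets the application cooperate when the CAS server does perform a global logout.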
