[cas-dev] CAS Client for Java 3.1
Andrew R Feller
afelle1 at lsu.edu
Fri Nov 16 08:44:41 EST 2007
Oops! I am NOT the decision maker on policy! *you know what I meant*
XC
Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
afelle1 at lsu.edu
(office) 225.578.3737
________________________________
From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Andrew R Feller
Sent: Friday, November 16, 2007 7:38 AM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] CAS Client for Java 3.1
I agree that in a standalone application, you wouldn't want to log them
out of every system. However, the majority (95%+) of applications here
reside within a home-grown portal, so you would never log out of an
individual application but rather the portal itself. These applications
are developed/borrowed and supported by the campus IT group.
Departments can develop and host their own solutions without
informing the campus IT group, which makes it difficult to monitor and
ensure they are doing things properly. These can choose to follow the
portal's logout policy or use a local one instead. Our plan after
rolling out CAS as the main authentication system is to make the
departments aware of the CAS clients available to tie into a user's
existing SSO session rather than doing their own user management.
However, there have been issues in the past with disreputable practices
of these rogue systems, which leaves some in management paranoid and
wanting to take the blanket approach.
I am not saying it is ideal, but I am simply the messenger and the
decision maker on policy. =(
Andrew R Feller, Analyst
________________________________
From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
Sent: Friday, November 16, 2007 7:17 AM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] CAS Client for Java 3.1
Our recommendation is that you NEVER log a user out of everything
without informing them. It creates a jarring experience as people
expect that when they log out of one application, they are only logged
out of one application and not everything. To anyone looking at a
"LOGOUT" link in an application, it would appear to only log them out of
that application. To do anything other than a local logout could
confuse people who had two tabs and two different applications open.
Is your plan to make the logout link in applications an automatic link
to the global logout?
On Nov 16, 2007 8:08 AM, Andrew R Feller <afelle1 at lsu.edu> wrote:
So basically, if you want people to log out of all applications upon log
out, you would simply point them to the CAS logout servlet, which would
send logout requests to all of the services the user had a service
ticket validated by. If you want per-application logout, then you would
need the page you described.
We have been tossing around the whole "What does log out mean?" with SSO
and chose the logout means everything as we have a major portal that
serves applications for users.
Thanks Scott! =)
Andrew R Feller, Analyst
________________________________
From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
Sent: Thursday, November 15, 2007 4:09 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] CAS Client for Java 3.1
Our best practices say that all applications should have a local log
out (because hey, people may want to log out of your application ;-)).
Those local log out screens should inform you that you've only logged
out of that specific application and then provide a link to log out of
every application you've signed into.
Which I guess the blurb I put in doesn't explain too well :-)
-Scott
On Nov 15, 2007 3:56 PM, Andrew R Feller <afelle1 at lsu.edu> wrote:
Scott,
Congratulations on the approaching milestone 1 release! =)
While looking at the documentation, I noticed a point of confusion. In
the "Configuring the CAS Client" section, there is a link to
"Configuring Single Sign Out", but at the bottom of the page there is
the "Recommended Logout Procedure" that has users' applications hitting
an application specific logout and making the CAS logout an additional
step.
Could you please elaborate?
Once again, thanks for the hard work!
Andrew R Feller, Analyst
________________________________
From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
Sent: Thursday, November 15, 2007 2:24 PM
To: CAS Developers Mailing List
Subject: [cas-dev] CAS Client for Java 3.1
All,
I've been working on the CAS Client for Java 3.1 release when I've had
some time. We're almost ready for an M1 release. I've documented a lot
of things here:
http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
It explains the basic differences between the 3.0 client and the 3.1
client and includes documentation on how to use it.
One thing that isn't detailed is the things left out (for now):
* uPortal support. For the time being users should continue to use what
is included in the uPortal 2.x releases. uPortal 3 will support Spring
Security (which will eventually use the new client).
* DelegatingFilter - It can't be easily supported in the web.xml
configuration. We can include it with a note stating it can only be
configured through Spring if people think they will use it.
* Basic Authorization Filters - were people using these? If so, we can
offer a simplified version (or just re-include the more complex ones
with the knowledge that these again require Spring).
Please provide your thoughts on whether the second two are worth
including as "Spring-only" configuration options.
Thanks
-Scott
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
cas-dev mailing list
cas-dev at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas-dev