CAS asks me for authentication every time

Andrew Petro apetro at unicon.net
Wed Jul 5 04:22:35 EDT 2006


> In the cas-servlet.xml file I have modified the bean
> "ticketGrantingTicketCookieGenerator" changing the parameter
> "cookieMaxAge" from "-1" (cookie not persistent, deleted when client shuts
> down) to a positive time value (i.e. "1800", half an hour).
> 
> Please let me know if there is something wrong with this solution.

What's wrong with this solution is that the Ticket Granting Cookie now is
written to disk.  In a shared user environment other users may be able to
access the disk and read that ticket granting cookie, and use it to hijack
the user's CAS single sign on session.  It's hard enough getting users to
close out their web browser sessions fully -- now they'll also have to be
sure to explicitly log out of CAS.

This may or may not be acceptable in your particular environment.  It's a
trade off between user convenience and protecting the session from
hijacking.

Interestingly, giving the ticket granting cookie an explicit expiry less
than the configured expiry of the ticket granting ticket itself has the
consequence that a user may have an active CAS session with delegated proxy
granting tickets that he, the end user, is unable to revoke because he no
longer has the corresponding ticket granting cookie to present to CAS
logout.  This is no different than the problem a user creates by closing his
web browser and is likely not that serious of a problem -- users typically
don't care much about revoking already issued proxy granting tickets.
Still, it's a logout feature to be aware of.  

We've sometimes kicked around, on list and off, thoughts of providing an
advanced user UI for managing delegated tickets in more detail.  A
sophisticated user should be able to forget to log out of CAS on computer A,
go to computer B, authenticate, and then revoke the tickets outstanding to
the session on computer A.  In theory.  I think this has actually been done
somewhere.

> A
> question... is there any "user guide" or "configuration guide" or
> something similar where you can find the options you can set up when
> deploying your server?

Nope.  There's a website, http://www.ja-sig.org/products/cas/ .  There's a
wiki, with lots of good stuff and lots of noise.  There's an email archive.
There's comments in the configuration files.  There's a Maven-generated site
with some documentation with ambiguous relationships to the website and wiki
documentation.  

But there isn't a polished "Guide for CAS deployers" à la the Spring or
Hibernate book-style manuals.  There probably should be.


> It is because the Javadoc of the beans is harder to
> follow for a system administrator and my questions are more... what is
> cas-servlet.xml for? What can I change in auditTrailContext.xml? How could
> I do ...?

Indeed.  You're looking for the literate narrative documentation.  We don't
really have much.

> And yes, I was opening different browser instances (no tabs or new windows
> within a browser). In this sense, there is something I don't understand:
> 
> I thought the whole point of a SSO was that you can open different browser
> instances (or even close all the browsers and five minutes later open a
> new one) and you were still authenticated.

Nope, at least, not the point of this SSO.  You could achieve functionality
like this by using a non-interactive credentials technology (say,
client-side SSL certs).


> If you open new tabs (in
> firefox) or "new windows" in IE, you are sharing the same session ID, so
> you are already authenticated, even if you are not using SSO at all...

Only to that one application.

CAS provides "single" sign on in the sense of single web application to
which passwords are presented.  No CASified application need see the
password.

CAS provides "single" sign on in the sense of using seven applications in
the course of a single browser session, you authenticate to CAS once and
then you don't have to type your username and password again.

> Just one more thing (not related to this issue): the Spanish translations
> are quite... strange.
> I know in 90% of the cases you will replace the CAS screens with your
> own ones, so it is not an important issue, but I can send you a more
> "accurate" (from my own point of view) translation if you think it could
> be useful.

That would be great.  The best way to receive that contribution would be as
a Jira issue with your new translations attached to it, so that it can be
scheduled and tracked from there.

Andrew
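As an added illustration of the two consequences discussed above (not code from CAS or from this thread): the first function reproduces what a positive versus a -1 cookieMaxAge does to the Set-Cookie header, and the second audits a captured header for a persistent ticket granting cookie and for the gap in which the TGT can outlive the cookie. It assumes the CAS 3 cookie name "CASTGC" and path "/cas", and an example TGT timeout of 7200 seconds.

```python
from http.cookies import SimpleCookie

# Assumptions, not taken from the post: CAS 3 names the ticket granting
# cookie "CASTGC" and scopes it to /cas; the ticket id below is constructed.
TGC_NAME = "CASTGC"
TGC_PATH = "/cas"


def tgc_set_cookie_header(cookie_max_age: int, secure: bool = True) -> str:
    """Build the Set-Cookie header a CAS server emits for the TGC.

    Follows the cookieMaxAge semantics from the thread: -1 yields a session
    cookie (no Max-Age, so the browser discards it on close); a positive
    value yields a persistent cookie that the browser writes to disk.
    """
    c = SimpleCookie()
    c[TGC_NAME] = "TGT-EXAMPLE-PLACEHOLDER"  # constructed, not a real ticket
    c[TGC_NAME]["path"] = TGC_PATH
    if secure:
        c[TGC_NAME]["secure"] = True
    if cookie_max_age >= 0:
        c[TGC_NAME]["max-age"] = cookie_max_age
    return c.output(header="").strip()


def audit_tgc(set_cookie_header: str, tgt_timeout_seconds: int) -> dict:
    """Report the two risks discussed in the thread for a captured TGC header.

    persistent_on_disk: the cookie carries Max-Age or Expires, so another
        user of a shared machine may read it from the browser's cookie store.
    unrevocable_tgt_window_seconds: how long the TGT can outlive the cookie,
        during which the user cannot present it to CAS logout.
    """
    c = SimpleCookie()
    c.load(set_cookie_header)
    if TGC_NAME not in c:
        raise ValueError("header does not set the ticket granting cookie")
    m = c[TGC_NAME]
    max_age, expires = m["max-age"], m["expires"]
    window = 0
    if max_age:  # Tomcat may emit Expires instead; then the gap needs a clock
        window = max(tgt_timeout_seconds - int(max_age), 0)
    return {
        "persistent_on_disk": bool(max_age) or bool(expires),
        "secure_flag": bool(m["secure"]),
        "unrevocable_tgt_window_seconds": window,
    }
```

With cookieMaxAge 1800 and a 7200 second TGT timeout the audit reports a persistent cookie and a 5400 second window in which the TGT is alive but the user has no cookie to present to logout.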
