Single Sign out (Krishna bhimanathini)
Krishna bhimanathini
krishna7904 at yahoo.com
Fri Feb 1 12:40:00 EST 2008

Yes, I have SingleSignOutFilter, SingleSignOutHttpSessionListener in both of my applications.
CAS Client application web.xml contains the filter and listener configured as shown below:

<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

Thanks
Krishna
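
What the filter and listener configured above are there to do, shown as a simplified, container-free Java model. This is an added example, not the Jasig client source and not code from this thread: the class, its method names and the sample ticket values are hypothetical. The "logoutRequest" POST parameter and the SAML SessionIndex element are how the CAS server's back-channel logout message carries the service ticket.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;

/** Simplified model of client-side CAS single sign-out (hypothetical names, not the Jasig source). */
public class SingleSignOutModel {

    /** Stand-in for HttpSession so the example runs without a servlet container. */
    static final class Session {
        final String id;
        boolean valid = true;
        Session(String id) { this.id = id; }
    }

    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";

    // Two indexes so a mapping can be dropped from either side:
    // by ticket (logout callback) or by session id (session timeout).
    private final Map<String, Session> sessionByTicket = new ConcurrentHashMap<>();
    private final Map<String, String> ticketBySessionId = new ConcurrentHashMap<>();

    /** Filter, request 1: the browser returns from CAS with ?ticket=ST-...; remember its session. */
    void onTicketReceived(String ticket, Session session) {
        sessionByTicket.put(ticket, session);
        ticketBySessionId.put(session.id, ticket);
    }

    /** Filter, request 2: CAS POSTs a logoutRequest to the service URL; end the matching session. */
    boolean onLogoutRequest(String logoutRequestXml) throws Exception {
        String ticket = extractSessionIndex(logoutRequestXml);
        if (ticket == null) {
            return false;
        }
        Session session = sessionByTicket.remove(ticket);
        if (session == null) {
            return false; // unknown ticket, or the mapping was lost (e.g. after a restart)
        }
        ticketBySessionId.remove(session.id);
        session.valid = false;
        return true;
    }

    /** Listener: the container destroyed the session (timeout); drop the mapping so no reference is kept. */
    void onSessionDestroyed(Session session) {
        String ticket = ticketBySessionId.remove(session.id);
        if (ticket != null) {
            sessionByTicket.remove(ticket);
        }
    }

    /** Pulls the service ticket out of the SessionIndex element of a logout request. */
    static String extractSessionIndex(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The logout POST arrives from the network: refuse DOCTYPEs to rule out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(SAMLP_NS, "SessionIndex");
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    int mappingCount() {
        return sessionByTicket.size();
    }

    public static void main(String[] args) throws Exception {
        SingleSignOutModel app = new SingleSignOutModel();
        Session alice = new Session("JSESSIONID-A");
        Session bob = new Session("JSESSIONID-B");
        app.onTicketReceived("ST-1-constructed", alice);
        app.onTicketReceived("ST-2-constructed", bob);

        // Constructed sample of the body CAS posts in the "logoutRequest" parameter.
        String logoutRequest =
            "<samlp:LogoutRequest xmlns:samlp=\"" + SAMLP_NS + "\" ID=\"LR-1\" Version=\"2.0\">"
            + "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>"
            + "</samlp:LogoutRequest>";

        System.out.println("logout handled: " + app.onLogoutRequest(logoutRequest));
        System.out.println("alice valid: " + alice.valid + ", bob valid: " + bob.valid);
        app.onSessionDestroyed(bob); // bob's session times out on its own
        System.out.println("mappings left: " + app.mappingCount());
    }
}
```
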
----- Original Message ----
From: "cas-request at tp.its.yale.edu" <cas-request at tp.its.yale.edu>
To: cas at tp.its.yale.edu
Sent: Thursday, January 31, 2008 3:28:15 PM
Subject: cas Digest, Vol 56, Issue 56
Send cas mailing list submissions to
    cas at tp.its.yale.edu

To subscribe or unsubscribe via the World Wide Web, visit
    http://tp.its.yale.edu/mailman/listinfo/cas
or, via email, send a message with subject or body 'help' to
    cas-request at tp.its.yale.edu

You can reach the person managing the list at
    cas-owner at tp.its.yale.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cas digest..."

Today's Topics:

   1. Re: Single Sign out (Krishna bhimanathini)

----------------------------------------------------------------------

Message: 1
Date: Thu, 31 Jan 2008 12:27:07 -0800 (PST)
From: Krishna bhimanathini <krishna7904 at yahoo.com>
Subject: Re: Single Sign out
To: cas at tp.its.yale.edu
Message-ID: <837021.1407.qm at web60823.mail.yahoo.com>
Content-Type: text/plain; charset="us-ascii"

Yes, I have SingleSignOutFilter, SingleSignOutHttpSessionListener in both of my applications.
CAS Client application web.xml contains the filter and listener configured as shown below:

<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

Thanks
Krishna

----- Original Message ----
From: "cas-request at tp.its.yale.edu" <cas-request at tp.its.yale.edu>
To: cas at tp.its.yale.edu
Sent: Thursday, January 31, 2008 2:47:18 PM
Subject: cas Digest, Vol 56, Issue 55

Today's Topics:

   1. Re: CAS 3.1 RC1 client (Scott Battaglia)
   2. Re: Login view (Wilson França)
   3. Re: kerberos authentication and computer login (Scott Battaglia)
   4. Re: Single Sign out (Scott Battaglia)

----------------------------------------------------------------------

Message: 1
Date: Thu, 31 Jan 2008 13:45:13 -0500
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: CAS 3.1 RC1 client
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID: <1bbd36a10801311045g5b7ff7bbvbbd1655c81b281cf at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Jan 31, 2008 12:29 PM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:

> 2008/1/31, Scott Battaglia <scott.battaglia at gmail.com>:
> >
> > <snip />
> >
> > True, it will hold on to it. It's designed for the "in-memory" case. If we don't store the reference in memory then I don't know how to gain a reference to that session. I don't think the Servlet API exposes a method, does it? I'd prefer not to use container specific versions if possible (because I'm assuming individual containers have a method of retrieving a session based on id).
> >
>
> I suggest using simple hashmap-based implementation but providing extension point to allow customizations. Servlet API doesn't have means of accessing session, however application developers will at least have possibility to write container-specific management.
>

Take a look at what I just put in Subversion when you get a chance. I introduced a SessionMappingStorage (default: HashMap-based). Not sure if the API is going to be enough to allow for container specific management.

> > <snip />
> >
> > I resolved your JIRA issue about the "totally broken" part :-). It should actually now work in Spring. I added some test cases and a simple Spring configuration example. If we don't resolve the above Session stuff soon I'll cut an RC3 so other people can try out the fix for the Spring stuff (though you can also check it out from Subversion)
> >
>
> Great! Except for mentioned bug cas-client-3.1-rc2 perfectly works for us. Signing in, proxy stuff and single sign out. The only thing we didn't try is AuthenticationFilter because we use Acegi Security integration.
>

Thanks for trying it out! I'm probably going to cut RC3 tomorrow with a goal of GA by early next week.

-Scott

>
> P.S. CAS rocks ;)
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>

--
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia

------------------------------

Message: 2
Date: Thu, 31 Jan 2008 16:56:15 -0200
From: "Wilson França" <wilsonrf at gmail.com>
Subject: Re: Login view
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID: <e17f429d0801311056w3150549ci31bacbf118638bad at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Thanx! I will try.

On Jan 31, 2008 3:41 PM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:

> It is absolutely possible, we use this method. You simply need to do following things:
> 1) create iframe on service site.
> 2) create a page that will be opened on successful login and will reload parent window.
>
> 2008/1/31, Wilson França <wilsonrf at gmail.com>:
> >
> > Hi,
> > is possible to have an authentication form on IFRAME instead of casLoginView.jsp?
> > I want to use the same form in two/more app's, without the user know that authentication form is outside de app.
> >
> > Thanx.
> >
> > PS: sorry the poor english
------------------------------

Message: 3
Date: Thu, 31 Jan 2008 13:57:51 -0500
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: kerberos authentication and computer login
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID: <1bbd36a10801311057g2deeedd4ybf77d726a6fb3db8 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Michel,

If the web browser that your organization uses will expose the Kerberos TGT (or generate something else that is needed) such that CAS can obtain it from the request, then you can use it. I'm not sure which, if any browsers do that.

Thanks
-Scott

On Jan 31, 2008 12:39 PM, Sauvard, Michel <michel.sauvard at eds.com> wrote:

> Hello, I check if we can use CAS.
>
> Our concern is to avoid a login on the computer then the CAS connection.
>
> If we use Kerberos authentication, for both computer login (UNIX PAM, Windows pGINA) and CAS
> The computer login gives a Kerberos TGT.
>
> Do you think we have a lot of work, if any, to use this ticket instead of user/password to obtain the CAS TGC without displaying an authentication form.
>
> Best regards
>
> *Michel SAUVARD*
> *EDS - France*
> *Département Solution et Service en Sécurité Publique (D3SP)
> 190, rue Claude-Nicolas LEDOUX
> BP 83000 - 13793 Aix-en-Provence Cedex 3 France
> * +33 (0)4 42 39 39 05
> * mailto:michel.sauvard at eds.com <michel.sauvard at eds.com>
------------------------------

Message: 4
Date: Thu, 31 Jan 2008 14:46:10 -0500
From: "Scott Battaglia" <scott.battaglia at gmail.com>
Subject: Re: Single Sign out
To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
Message-ID: <1bbd36a10801311146k6f5b6ad8nfa5975eb974d3980 at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Have you set up the signout filter and session listener in the client applications?

-Scott

On Jan 31, 2008 1:39 PM, Krishna bhimanathini <krishna7904 at yahoo.com> wrote:

> Yes, both the application are using CAS java Client 3.1 RC1.
> In the logoutController.java of CAS Server, I am getting request.getParameter("service") as null. How do I set this parameter so that it posts the logout information to all the application?
>
> Thanks
> Krishna
>
> ----- Original Message ----
> From: "cas-request at tp.its.yale.edu" <cas-request at tp.its.yale.edu>
> To: cas at tp.its.yale.edu
> Sent: Thursday, January 31, 2008 11:41:38 AM
> Subject: cas Digest, Vol 56, Issue 52
>
> Today's Topics:
>
>    1. Re: trying to track down jaas memory leak (David Spencer)
>    2. Adding a customized header to POST (Robert, Brice)
>    3. Re: SEVERE: Error filterStart (Ole Ersoy)
>    4. Re: CAS 3.1 RC1 client (Scott Battaglia)
>    5. Login view (Wilson França)
>    6. Re: SEVERE: Error filterStart (Scott Battaglia)
>    7. RE: trying to track down jaas memory leak (Brad A Cupit)
>    8. Re: Single Sign out (Scott Battaglia)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 31 Jan 2008 09:46:47 +0000
> From: David Spencer <David.Spencer at bristol.ac.uk>
> Subject: Re: trying to track down jaas memory leak
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Message-ID: <571645C14B0A452A2E2C8569 at cse-djs.cse.bris.ac.uk>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> Sorry - it was late at night and I got my TCP and UDP back-to-front.
>
> com.sun.security.auth.module.Krb5LoginModule will ordinarily use UDP sockets and it is these that we were seeing accumulating.
>
> A "udp_preference_limit" can be set in the kerberos configuration (krb5.conf) and if the size of the message is greater than this limit TCP is used instead.
> By setting the udp_preference_limit to 1, we forced all messages to be sent by TCP and our UDP socket leak went away.
>
> Sorry if I've confused anyone!
> Dave
>
> --On 30 January 2008 23:06 +0000 David Spencer <David.Spencer at bristol.ac.uk> wrote:
>
> > Brad,
> >
> > Possibly an unrelated problem and I don't have all the details to hand but will look them up tomorrow at work if it seems relevant to you.
> >
> > We ran into a problem with com.sun.security.auth.module.Krb5LoginModule that caused our CAS server to gradually accumulate TCP sockets and eventually fall over when it had used up all the socket resources on the box. This was Java 5 on some flavour of Linux. We hadn't seen the problem running the same code on Solaris. I think we would have been running with a larger heap than 256Mb so we perhaps hit a socket resource problem before we hit the memory limit you are seeing?
> >
> > A bit of digging showed that it was forgetting to close the TCP socket but it also showed that the section that dealt with UDP sockets didn't have the same problem. We asked the module to always use UDP sockets and the leak went away. CAS service was running uninterrupted throughout 2007.
> >
> > I'll dig out the details in the morning.
> > Dave
> >
> > --On 30 January 2008 16:22 -0600 Brad A Cupit <brad at lsu.edu> wrote:
> >
> >> Hello,
> >>
> >> We have a CAS server using JAAS + Kerberos to authenticate users against Active Directory. We started seeing OutOfMemoryErrors with the default Xmx (of 64m) which we have since bumped up to 256m. We haven't had OutOfMemoryErrors since then, but the memory usage keeps rising.
> >>
> >> I've hooked up JProfiler to try and see where the memory is going, and noticed that it goes up with each request, and running the garbage collector (via System.gc()) doesn't reclaim many of the objects. I'm sure we just have a configuration error of sorts, but I've spent a few days and can't seem to figure it out.
> >>
> >> JProfiler tells me that after a few requests (500 or so), we have an enormous number of LinkedHashMap$Entry objects, as well as java.security.Provider$ServiceKey, java.security.Provider$Service, and HashMap$Entry instances.
> >>
> >> I've also noticed that instances of com.sun.crypto.provider.SunJCE go up by 2 per request, and don't get reclaimed with garbage collection.
> >>
> >> JProfiler's cumulative allocations point to javax.security.auth.login.LoginContext.login() method, but I've checked out the code and stepped through it with a debugger, but can't see anything wrong (no creation of instances that would be uncollectable by the gc).
> >>
> >> If it helps, here's our jaas.conf file:
> >>
> >> CAS {
> >>   com.sun.security.auth.module.Krb5LoginModule required client=TRUE debug=FALSE useTicketCache=FALSE;
> >> };
> >>
> >> I'm going to try to setup CAS to use the LDAP authentication handler to see if the problem is strictly JAAS related.
> >>
> >> Has anyone seen issues like this before?
> >>
> >> Thanks in advance!
> >>
> >> Brad Cupit
> >> Louisiana State University - UIS
> >> e-mail: brad at lsu.edu
> >> office: 225.578.4774
> >
> > ----------------------
> > David Spencer
> > Information Systems and Computing
> > University of Bristol
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
>
> ----------------------
> David Spencer
> Information Systems and Computing
> University of Bristol
>
> ------------------------------
>
> Message: 2
> Date: Thu, 31 Jan 2008 09:53:26 -0500
> From: "Robert, Brice" <Brice.Robert at alliancebernstein.com>
> Subject: Adding a customized header to POST
> To: <cas at tp.its.yale.edu>
> Message-ID: <830D204DEB08F84890EA3D3A8F1289C302A1F2AD at METROEVS3.ac.lp.acml.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Scott,
>
> Thanks, for the answer
>
> >(see the one we use as an example)
>
> If you are talking about the dynamicRedirectViewSelector provided in CAS-CORE, I replaced it with my own one.
>
> But I can't get the HttpServerResponse to set the header like
>
>     httpost.addHeader("USER", "myself");
>
> Placed just before the below code and used several other ones.
>
>     return new ExternalRedirect(service.getResponse(ticket).getUrl());
>
>     <end-state id="redirect" view="bean:dynamicRedirectViewSelector" />
>
> How do we update the Response in CAS without creating a new httpClient
>
> I might be missing a link where to find the appropriate examples. Would you please advise?
>
> In the mean time, I was able to get examples from the French University (I read French) but it still doesn't help me adding my customized Http Header,
>
> Meanwhile it helped me redirecting the page when using IE6 (through a Javascript code)
>
> http://doc-cri.univ-nancy2.fr/public/?contentId=3841
>
> Thanks,
>
> Brice
>
> ------------------------------
>
> Message: 3
> Date: Thu, 31 Jan 2008 09:30:29 -0600
> From: Ole Ersoy <ole.ersoy at gmail.com>
> Subject: Re: SEVERE: Error filterStart
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Message-ID: <47A1E995.4070206 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi Scott,
>
> Looks like we may have crossed messages. After completing steps six in the demo tutorial:
>
> http://www.ja-sig.org/wiki/display/CASUM/Demo
>
> I fired it up and got the exception. The only log message was SEVERE: Error FilterStart. Turns out that I also needed to add commons-logging, which I found out by just doing a fresh maven webapp, with the cas client dependency specified. I did add an exclusion element within the cas dependency element to exclude the servlet transitive dependency, such that the tomcat plugin did not bundle the servlet 2.3 jar with the other transitive dependencies (commons-logging). I'm sure this is preaching to the quire...if the servlet dependency has scope set to provided, then others deploying the cas client get to skip the exclusion step. Tomcat 6 detects and logs that the dependency is there, and still uses 2.5, so it's only to avoid bloat.
>
> Thanks for all the brilliant work on CAS,
> - Ole
>
> Scott Battaglia wrote:
> > Are any other messages showing up in your catalina.out? CAS Client for Java 3.1 is where we will be putting our development efforts going forward. However, the version you are using should still work fine.
> >
> > -Scott
> >
> > On Jan 30, 2008 5:43 PM, Ole Ersoy <ole.ersoy at gmail.com <mailto:ole.ersoy at gmail.com>> wrote:
> >
> >     Hi,
> >
> >     I'm trying to get the wiki example setup on Tomcat 6.0.14 and I get a SEVERE: Error filterStart, in the log during startup, which causes the /examples app to startup to fail. I have https working fine, and my web.xml cas filter is setup like this:
> >
> >     <filter>
> >       <filter-name>CAS Filter</filter-name>
> >       <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
> >       <init-param>
> >         <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> >         <param-value>https://localhost.localdomain:8443/cas/login</param-value>
> >       </init-param>
> >       <init-param>
> >         <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> >         <param-value>https://localhost.localdomain:8443/cas/serviceValidate</param-value>
> >       </init-param>
> >       <init-param>
> >         <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> >         <param-value>localhost.localdomain:8080</param-value>
> >       </init-param>
> >     </filter>
> >
> >     <filter-mapping>
> >       <filter-name>CAS Filter</filter-name>
> >       <url-pattern>/servlet/HelloWorldExample</url-pattern>
> >     </filter-mapping>
> >
> >     Any ideas on how to debug this? Also it seems like there are 2 cas clients. Right now I'm using 2.1.1. Should I be using 3.1 with Tomcat 6?
> >
> >     Thanks,
> >     - Ole
>
> ------------------------------
>
> Message: 4
> Date: Thu, 31 Jan 2008 11:20:47 -0500
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: CAS 3.1 RC1 client
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID: <1bbd36a10801310820r6d3dea2dg336636ec76872848 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Jan 31, 2008 2:23 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
>
> <snip />
>
> > > > 3) SingleSignOutHttpSessionListener ticket/session mapping won't survive server restart (even if sessions are not lost). That would be ok if there were any possibility to inject smarter-than-hashmap storage. However it isn't possible, so the only way is a full rewrite. Additionally, it will have troubles in case of many sessions because it stores all of them in memory.
> > >
> > > If you had a JIRA issue I can attempt to make it similar to the ProxyReceptorServlet where we provide the base and you implement two methods that do the delete/retrieval. Though memory should not be an issue as they are only references to the session objects that already exist. And those references should be deleted when the session expires.
> >
> > Well, actually things are not so simple. Servlet container (if properly configured) can serialize sessions to persistent store (disk, db or whatever) in order to free memory. But current implementation of SingleSignOutHttpSessionListener will still hold references thus preventing sessions from being garbage collected.
>
> True, it will hold on to it. It's designed for the "in-memory" case. If we don't store the reference in memory then I don't know how to gain a reference to that session. I don't think the Servlet API exposes a method, does it? I'd prefer not to use container specific versions if possible (because I'm assuming individual containers have a method of retrieving a session based on id).
>
> <snip />
>
> > > Yes, actually it can still be configured via Spring. All of the filters should have setters for their various properties. We haven't done extensive testing with it, but the goal was to allow you to either use the web.xml for simple cases, or utilizing something else like Spring.
> >
> > Oh. It's my fault, a little misunderstanding of source :) I'm taking my words back, it really can be configured via spring.
>
> I resolved your JIRA issue about the "totally broken" part :-). It should actually now work in Spring. I added some test cases and a simple Spring configuration example. If we don't resolve the above Session stuff soon I'll cut an RC3 so other people can try out the fix for the Spring stuff (though you can also check it out from Subversion)
>
> -Scott
>
> ------------------------------
>
> Message: 5
> Date: Thu, 31 Jan 2008 14:27:14 -0200
> From: "Wilson França" <wilsonrf at gmail.com>
> Subject: Login view
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID: <e17f429d0801310827m3d087255m15b5c33dd8be6ab2 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> is possible to have an authentication form on IFRAME instead of casLoginView.jsp?
> I want to use the same form in two/more app's, without the user know that authentication form is outside de app.
>
> Thanx.
>
> PS: sorry the poor english
>
> ------------------------------
>
> Message: 6
> Date: Thu, 31 Jan 2008 11:28:32 -0500
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: SEVERE: Error filterStart
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID: <1bbd36a10801310828l4c91dca3pc0d5a666d03683c3 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Ole, which CAS client are you using? If it's the 2.x one then I'm not sure we can update any of those POMs. If it's 3.1 then I still have time to update it.
>
> Thanks
> -Scott
>
> ------------------------------
>
> Message: 7
> Date: Thu, 31 Jan 2008 10:41:11 -0600
> From: "Brad A Cupit" <brad at lsu.edu>
> Subject: RE: trying to track down jaas memory leak
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID: <1D5C148F9259BC47BC3CBD2F76ABA205BFD643 at email002.lsu.edu>
> Content-Type: text/plain; charset="US-ASCII"
>
> I added
>
>     udp_preference_limit = 1
>
> in the [libdefaults] section of the /etc/krb5.conf, but it didn't seem to address the issue. We are running on Linux (RHEL) with Java 1.6.0_03.
>
> We have seen an unusually large number of blocked threads after a few hundred requests, and after enough connections Tomcat stops responding. There could be several things wrong with our environment such as a broken connection to Active Directory or a broken connection to Domino (custom code we wrote to generate an LtpaToken for single sign on to Lotus Notes apps).
>
> We have not seen an OutOfMemoryError since changing Xmx from 64m (the default) to 256m, however, the memory is still growing and eventually Tomcat becomes unresponsive, presumably due to the number of blocked threads.
>
> I'll continue to narrow down the areas which could be a problem, and repost to this list as I find more information.
>
> Thanks for the help so far!
>
> Brad Cupit
> Louisiana State University - UIS
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> On Behalf Of David Spencer
> Sent: Thursday, January 31, 2008 3:47 AM
> To: Yale CAS mailing list
> Subject: Re: trying to track down jaas memory leak
>
> Sorry - it was late at night and I got my TCP and UDP back-to-front.
>
> com.sun.security.auth.module.Krb5LoginModule will ordinarily use UDP
> sockets and it is these that we were seeing accumulating.
>
> A "udp_preference_limit" can be set in the kerberos configuration
> (krb5.conf) and if the size of the message is greater than this limit
> TCP is used instead.
> By setting the udp_preference_limit to 1, we forced all messages to be
> sent by TCP and our UDP socket leak went away.
>
> Sorry if I've confused anyone!
> Dave
>
> --On 30 January 2008 23:06 +0000 David Spencer
> <David.Spencer at bristol.ac.uk> wrote:
>
> > Brad,
> >
> > Possibly an unrelated problem and I don't have all the details to hand
> > but will look them up tomorrow at work if it seems relevant to you.
> >
> > We ran into a problem with com.sun.security.auth.module.Krb5LoginModule
> > that caused our CAS server to gradually accumulate TCP sockets and
> > eventually fall over when it had used up all the socket resources on the
> > box. This was Java 5 on some flavour of Linux. We hadn't seen the problem
> > running the same code on Solaris. I think we would have been running with
> > a larger heap than 256Mb so we perhaps hit a socket resource problem
> > before we hit the memory limit you are seeing?
> >
> > A bit of digging showed that it was forgetting to close the TCP socket
> > but it also showed that the section that dealt with UDP sockets didn't
> > have the same problem. We asked the module to always use UDP sockets and
> > the leak went away. CAS service was running uninterrupted throughout 2007.
> >
> > I'll dig out the details in the morning.
> > Dave
> >
> > --On 30 January 2008 16:22 -0600 Brad A Cupit <brad at lsu.edu> wrote:
> >
> >> Hello,
> >>
> >> We have a CAS server using JAAS + Kerberos to authenticate users against
> >> Active Directory. We started seeing OutOfMemoryErrors with the default Xmx
> >> (of 64m) which we have since bumped up to 256m. We haven't had
> >> OutOfMemoryErrors since then, but the memory usage keeps rising.
> >>
> >> I've hooked up JProfiler to try and see where the memory is going, and
> >> noticed that it goes up with each request, and running the garbage collector
> >> (via System.gc()) doesn't reclaim many of the objects. I'm sure we just have
> >> a configuration error of sorts, but I've spent a few days and can't seem to
> >> figure it out.
> >>
> >> JProfiler tells me that after a few requests (500 or so), we have an enormous
> >> number of LinkedHashMap$Entry objects, as well as
> >> java.security.Provider$ServiceKey, java.security.Provider$Service, and
> >> HashMap$Entry instances.
> >>
> >> I've also noticed that instances of com.sun.crypto.provider.SunJCE go up by 2
> >> per request, and don't get reclaimed with garbage collection.
> >>
> >> JProfiler's cumulative allocations point to
> >> javax.security.auth.login.LoginContext.login() method, but I've checked out
> >> the code and stepped through it with a debugger, but can't see anything wrong
> >> (no creation of instances that would be uncollectable by the gc).
> >>
> >> If it helps, here's our jaas.conf file:
> >>
> >> CAS {
> >>
> >> com.sun.security.auth.module.Krb5LoginModule required client=TRUE
> >> debug=FALSE useTicketCache=FALSE;
> >>
> >> };
> >>
> >> I'm going to try to setup CAS to use the LDAP authentication handler to see
> >> if the problem is strictly JAAS related.
> >>
> >> Has anyone seen issues like this before?
> >>
> >> Thanks in advance!
> >>
> >> Brad Cupit
> >> Louisiana State University - UIS
> >> e-mail: brad at lsu.edu
> >> office: 225.578.4774
> >>
> > ----------------------
> > David Spencer
> > Information Systems and Computing
> > University of Bristol
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
>
> ----------------------
> David Spencer
> Information Systems and Computing
> University of Bristol
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> ------------------------------
>
> Message: 8
> Date: Thu, 31 Jan 2008 11:41:22 -0500
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: Single Sign out
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID: <1bbd36a10801310841m50e92b84y211212bed5e59ed3 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Are both application 1 and application utilizing a CAS client that
> supports Single Sign Out?
>
> Thanks
> -Scott
>
> On Jan 30, 2008 10:38 AM, Krishna bhimanathini <krishna7904 at yahoo.com> wrote:
>
> > At the application level I called session.invalidate() and redirected to
> > https://myserver/cas/logout on logout. CAS logs me out from application 1
> > but not from the other application 2. If I try to access the application 2
> > in the same browser CAS doesn't ask for credentials.
> >
> > I am not sure what I have missed, I tried debugging AuthenticationFilter
> > it checks for ticket null, session variable CONST_CAS_ASSERTION null. Here
> > I find ticket is null and session variable is still not null for the
> > application 2 where logout was not called hence AuthenticationFilter
> > doesn't redirect to CAS server for authentication.
> >
> > Please let me know where do I debug to solve this issue.
> >
> > Thanks
> > Krishna
> >
> > ----- Original Message ----
> > From: "cas-request at tp.its.yale.edu" <cas-request at tp.its.yale.edu>
> > To: cas at tp.its.yale.edu
> > Sent: Wednesday, January 30, 2008 8:23:50 AM
> > Subject: cas Digest, Vol 56, Issue 49
> >
> > Today's Topics:
> >
> >    1. Re: Security concern with CAS cluster (Barrow H Kwan)
> >    2. Single Sign out (Krishna bhimanathini)
> >    3. Re: Single Sign out (=?GB2312?B?wfnL6r7Nuty/4Q==?=)
> >    4. Re: CAS 3.1 RC1 client (Marat Radchenko)
> >    5. Re: CAS 3.1 RC1 client (Scott Battaglia)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 29 Jan 2008 14:59:19 -0600
> > From: Barrow H Kwan <bhkwan at thoughtworks.com>
> > Subject: Re: Security concern with CAS cluster
> > To: Yale CAS mailing list <cas at tp.its.yale.edu>
> > Cc: "Yale CAS mailing list" <cas at tp.its.yale.edu>,
> >     cas-bounces at tp.its.yale.edu
> > Message-ID: <OF34162DFC.FB9D195C-ON862573DF.00733A05-882573DF.00734C25 at thoughtworks.com>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > thanks Scott,
> >
> > option a is exactly what I am trying to implement and it seems working
> > great so far.
> >
> > =================
> > Barrow Kwan
> > ThoughtWorks, Inc.
> >
> > New from ThoughtWorks: Mingle, an Agile project management application.
> > Mingle. Project Intelligence. Powerfully Simple.
> > More at http://studios.thoughtworks.com
> >
> > "Scott Battaglia" <scott.battaglia at gmail.com>
> > Sent by: cas-bounces at tp.its.yale.edu
> > 01/29/08 12:28 PM
> > Please respond to
> > Yale CAS mailing list <cas at tp.its.yale.edu>
> >
> > To
> > "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > cc
> >
> > Subject
> > Re: Security concern with CAS cluster
> >
> > On Jan 28, 2008 1:01 AM, Barrow H Kwan <bhkwan at thoughtworks.com> wrote:
> >
> > If I have setup app1.example.com to authenticate cas1.example.com and
> > app2.example.com to authenticate cas2.example.com.
> >
> > If I configured cas1 and cas2 in a cluster, is it possible for me to login
> > once ( either cas1 or cas2 ) and access both app1 and app2 ?
> >
> > If you configured CAS in a cluster, I would recommend something like the
> > following, either:
> > (a) make it so that both CAS instances appear to be under the same domain
> > (i.e. cas.example.com) or
> > (b) create domains such that you have cas1.sso.example.com and
> > cas2.sso.example.com and ensure that nothing else gets put under the
> > sso.example.com domain. Why? Because in order for those two servers to
> > see the cookie it would have to be domain scoped to sso.example.com and you
> > don't want any other applications/services to see it.
> >
> > The problem with (b) is that it provides no failover (if cas2 is down,
> > app2 cannot use cas1).
> >
> > -Scott
> >
> > =================
> > Barrow Kwan
> > ThoughtWorks, Inc.
> >
> > New from ThoughtWorks: Mingle, an Agile project management application.
> > Mingle. Project Intelligence. Powerfully Simple.
> > More at http://studios.thoughtworks.com
> >
> > "Scott Battaglia" <scott.battaglia at gmail.com>
> > Sent by: cas-bounces at tp.its.yale.edu
> > 01/27/08 11:42 AM
> >
> > Please respond to
> > Yale CAS mailing list <cas at tp.its.yale.edu>
> >
> > To
> > "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > cc
> >
> > Subject
> > Re: Security concern with CAS cluster
> >
> > If you've configured app.example.com to authenticate to cas.example.com,
> > it's impossible for it to utilize the fake CAS server (because it would be
> > explicitly configured to use cas.example.com). (my guess would be your
> > cas.example.com session was still active).
> >
> > That said, your cookieDomain for your TicketGrantingTIcket should be as
> > restrictive as possible. It should use cas.example.com and not
> > example.com. Exposing the cookie to more domains than necessary exposes
> > your TGT to applications that should not have access to it.
> >
> > Setting a max cookie age of -1 means that it's only valid for the duration
> > of the browser session (i.e. until you completely exit the
> > browser...though if you exit/restart quick enough it may still be in
> > there).
> >
> > -Scott
> >
> > On Jan 27, 2008 12:59 AM, Barrow H Kwan <bhkwan at thoughtworks.com> wrote:
> >
> > After I added "cookieDomain" in cas-servlet.xml under bean
> > "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" ( eg with
> > value="example.com" ). I can use a fake CAS server to authenticate ( eg
> > use the sample username=password ) and access any other CAS server under
> > the example.com domain.
> >
> > Basically, if I have a production CAS server, cas.example.com and an app,
> > app.example.com. I connect to app.example.com, it redirects me to
> > cas.example.com, then I login ( backend is LDAP ) and it lets me access
> > app.example.com. Now I setup another CAS server called
> > fake-cas.example.com ( with the cookieDomain set ) that uses
> > username=password for authentication. I open my browser and go to
> > fake-cas.example.com and login with username=password. Then go to
> > app.example.com, it lets me in without login through cas.example.com.
> >
> > Is this a security hole or is it because of my setting? Also in the
> > instruction "http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS" ,
> > the cookieMaxAge is -1, does it mean the cookie will not expire at all ?
> >
> > =================
> > Barrow Kwan
> > ThoughtWorks, Inc.
> >
> > New from ThoughtWorks: Mingle, an Agile project management application.
> > Mingle. Project Intelligence. Powerfully Simple.
> > More at http://studios.thoughtworks.com
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080129/4b7df809/attachment-0001.html
> > -------------- next part --------------
> > A non-text attachment was scrubbed...
> > Name: smime.p7s
> > Type: application/x-pkcs7-signature
> > Size: 5256 bytes
> > Desc: S/MIME Cryptographic Signature
> > Url : http://tp.its.yale.edu/pipermail/cas/attachments/20080129/4b7df809/attachment-0001.bin
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Tue, 29 Jan 2008 13:01:36 -0800 (PST)
> > From: Krishna bhimanathini <krishna7904 at yahoo.com>
> > Subject: Single Sign out
> > To: cas at tp.its.yale.edu
> > Message-ID: <484845.88375.qm at web60822.mail.yahoo.com>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Hello
> >
> > I am using CAS server 3.1.1 and CAS java Client 3.1 RC1 for Single Sign On
> > in two applications in different domains. I am having no issues in doing
> > Single Sign On, thanks to entire team for making it available.
> >
> > Is it possible to logout the user from all the application when he logouts
> > from one application.
> >
> > Thanks for your help in advance
> > Krishna
> >
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080129/8da2ecea/attachment-0001.html
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Wed, 30 Jan 2008 09:04:00 +0800
> > From: "=?GB2312?B?wfnL6r7Nuty/4Q==?=" <chencao0524 at gmail.com>
> > Subject: Re: Single Sign out
> > To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > Message-ID: <66fa303b0801291704u15cc781at4c287262b1111153 at mail.gmail.com>
> > Content-Type: text/plain; charset="gb2312"
> >
> > Yes, CAS server 3.1.1 supports Single Sign Out now! If you want to logout,
> > visit https://your.cas.server/cas/logout, then you could logout all
> > applications. Below is the doc
> > http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
> > http://www.ja-sig.org/wiki/display/CASC/Configuring+Single+Sign+Out
> >
> > 2008/1/30, Krishna bhimanathini <krishna7904 at yahoo.com>:
> > >
> > > Hello
> > >
> > > I am using CAS server 3.1.1 and CAS java Client 3.1 RC1 for Single Sign On
> > > in two applications in different domains. I am having no issues in
> > > doing Single Sign On, thanks to entire team for making it available.
> > >
> > > Is it possible to logout the user from all the application when he
> > > logouts from one application.
> > >
> > > Thanks for your help in advance
> > >
> > > Krishna
> > --
> > Regards
> > CC.
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080130/51c664b2/attachment-0001.html
> >
> > ------------------------------
> >
> > Message: 4
> > Date: Wed, 30 Jan 2008 10:10:58 +0300
> > From: "Marat Radchenko" <slonopotamusorama at gmail.com>
> > Subject: Re: CAS 3.1 RC1 client
> > To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > Message-ID: <b944a51b0801292310tc099546g17f330af311d583a at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > I'd like to tell my thoughts about cas-client-3.1.
> >
> > 1) It no longer depends on cas-server-core. That's great. Much more simple
> > config (plain strings/urls instead of ServiceImpl)
> > 2) SpringConfiguredProxyReceptorServlet suddenly disappeared. That's
> > annoying (backward-compatibility lost). It was replaced with
> > Cas20ProxyReceivingTicketValidationFilter.
> > 3) SingleSignOutHttpSessionListener ticket/session mapping won't survive
> > server restart (even if sessions are not lost). That would be ok if there
> > were any possibility to inject smarter-than-hashmap storage. However it
> > isn't possible, so the only way is a full rewrite. Additionally, it will
> > have troubles in case of many sessions because it stores all of them in
> > memory.
> > 4) The worst thing: AbstractConfigurationFilter and all its descendants
> > cannot be configured from spring anymore. We use multiple profiles and
> > separate settings in .properties file. However in order to upgrade to
> > cas-client-3.1 we will have to do one of the following:
> > a) extend filter and add spring-friendly configuration means
> > b) create multiple web.xml files (i strongly dislike this option)
> > c) backport required stuff to cas-client-3.0
> >
> > Hope this feedback will help. I'm ready to discuss above problems so we
> > could find ways to solve them.
> >
> > 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > > The RC2 binary and source jars in the repo. I'm having trouble having it
> > > generate the javadocs so those are not in there right now.
> > >
> > > -Scott
> > >
> > > On Jan 29, 2008 9:37 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
> > >
> > > > Additionally, please add sources and javadoc jar to repo. Thanks.
> > > >
> > > > 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > > >
> > > > > I'm building an RC2 shortly. When that happens I'll make sure all of the
> > > > > correct stuff ends up in the repo ;-)
> > > > >
> > > > > Thanks
> > > > > -Scott
> > > > >
> > > > > On Jan 28, 2008 8:09 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
> > > > >
> > > > > > maven repo error:
> > > > > > cas-client-core-3.1-RC1 uses cas-client-3.1-RC1 as parent pom.
> > > > > > But there isn't any in
> > > > > > http://developer.ja-sig.org/maven2/org/jasig/cas/cas-client/
> > > > > >
> > > > > > 2008/1/28, Scott Battaglia <scott.battaglia at gmail.com>:
> > > > > >
> > > > > > > Thanks! I'll look at this tomorrow at work.
> > > > > > >
> > > > > > > -Scott
> > > > > > >
> > > > > > > On Jan 25, 2008 3:18 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > Great! I have created the JIRA:
> > > > > > > > http://www.ja-sig.org/issues/browse/CASC-34
> > > > > > > >
> > > > > > > > -rg
> > > > > > > >
> > > > > > > > On Jan 25, 2008 2:28 PM, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Adding a template method sounds relatively reasonable. If you can
> > > > > > > > > create a JIRA issue to track it that would be great. I'll also probably
> > > > > > > > > look into whether it makes sense to add one for failure too.
> > > > > > > > >
> > > > > > > > > -Scott
> > > > > > > > >
> > > > > > > > > On Jan 25, 2008 2:19 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > I was afraid you were going to ask that question ;)
> > > > > > > > > >
> > > > > > > > > > Basically it's to deal with a scenario I mentioned in a prior email.
> > > > > > > > > > See question #1 here:
> > > > > > > > > >
> > > > > > > > > > http://article.gmane.org/gmane.comp.java.jasig.cas.user/4230
> > > > > > > > > >
> > > > > > > > > > How I am dealing with this scenario, is I created my own
> > > > > > > > > > ExpirationPolicy which looks in a database for the last accessed time for
> > > > > > > > > > the users ticket granting ticket OR service ticket. When the user makes an
> > > > > > > > > > http request to a service webapp, an internal web service call will be made
> > > > > > > > > > to update this "last accessed time" in the database. What that means is I
> > > > > > > > > > need to hold onto the service ticket IDs in the http session for each
> > > > > > > > > > service.
> > > > > > > > > >
> > > > > > > > > > The problem I have is finding the appropriate place in the lifecycle
> > > > > > > > > > of the service ticket validation http request to put the service ticket ID
> > > > > > > > > > in the http session. This is what I want to do right after the ticket is
> > > > > > > > > > validated. And now that I think about it a little more, the template method
> > > > > > > > > > would need to be something like:
> > > > > > > > > >
> > > > > > > > > > onServiceTicketSuccess(ServletRequest,
> > > > > > > > > > ServletResponse, Assertion)
> > > > > > > > > >
> > > > > > > > > > I'm guessing you are going to have a negative reaction to what I just
> > > > > > > > > > described. But know that I have control over the CAS webapp, and every
> > > > > > > > > > single webapp that uses CAS for authentication. This is a closed system
> > > > > > > > > > with only my webapps.
> > > > > > > > > >
> > > > > > > > > > -rg
> > > > > > > > > >
> > > > > > > > > > On Jan 25, 2008 11:39 AM, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > rg,
> > > > > > > > > > >
> > > > > > > > > > > What's your use case for the functionality that needs to happen
> > > > > > > > > > > after a successful service ticket validation? This way we can figure out
> > > > > > > > > > > the best way to make the library extendable.
> > > > > > > > > > >
> > > > > > > > > > > -Scott
> > > > > > > > > > >
> > > > > > > > > > > On Jan 25, 2008 9:55 AM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I have been using the 3.1 RC1 client for a few days in the
> > > > > > > > > > > > prototype I'm building. So my perspective of the release client is
> > > > > > > > > > > > limited, but, so far I haven't seen any bugs.
> > > > > > > > > > > >
> > > > > > > > > > > > One change that I would like to be considered is to change
> > > > > > > > > > > > Cas20ProxyReceivingTicketValidationFilter to NOT be marked
> > > > > > > > > > > > final, and to have a new template method
> > > > > > > > > > > > onServiceTicketSuccess() declared in
> > > > > > > > > > > > AbstractTicketValidationFilter and called in doFilter()
> > > > > > > > > > > > after this.ticketValidator.validate(). This way I can extend
> > > > > > > > > > > > Cas20ProxyReceivingTicketValidationFilter and override
> > > > > > > > > > > > onServiceTicketSuccess().
> > > > > > > > > > > >
> > > > > > > > > > > > I understand the goal to keep certain things final, but, all I
> > > > > > > > > > > > want to do is add some code on successful service ticket validation, and
> > > > > > > > > > > > I don't see any way to do it currently.
> > > > > > > > > > > >
> > > > > > > > > > > > thanks,
> > > > > > > > > > > > -rg
> > > > > > > > > > > >
> > > > > > > > > > > > On Jan 24, 2008 10:18 AM, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > It can be found here:
> > > > > > > > > > > > >
> > > > > > > > > > > > > http://www.ja-sig.org/downloads/cas-clients/cas-client-3.1-RC1-release.zip
> > > > > > > > > > > > >
> > > > > > > > > > > > > Documentation can be found here:
> > > > > > > > > > > > >
> > > > > > > > > > > > > http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
> > > > > > > > > > > > >
> > > > > > > > > > > > > If you can try it out and give us any feedback that would be
> > > > > > > > > > > > > great. We're looking to do a release soon so we can incorporate it into
> > > > > > > > > > > > > the next version of Acegi.
> > > > > > > > > > > > >
> > > > > > > > > > > > > -Scott
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Jan 24, 2008 4:11 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Where I can download it?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 2008/1/23, Scott Battaglia <scott.battaglia at gmail.com>:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Folks--
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > We want to get ready to do the CAS 3.1 client release for
> > > > > > > > > > > > > > > Java (so we can start working on 3.1.1). I've done some testing of it
> > > > > > > > > > > > > > > locally. Has anyone else tested it that can say it works well?
> > > > > > > > > > > > > > >