Single Sign out
Scott Battaglia
scott.battaglia at gmail.com
Thu Jan 31 11:41:22 EST 2008
Are both application 1 and application utilizing a CAS client that supports
Single Sign Out?
Thanks
-Scott
On Jan 30, 2008 10:38 AM, Krishna bhimanathini <krishna7904 at yahoo.com>
wrote:
> At the application level I called session.invalidate() and redirected to
> https://myserver/cas/logout on logout. CAS logs me out from application 1
> but not from the other application 2. If I try to access the application 2
> in the same browser CAS doesn't ask for credentials.
>
> I am not sure what I have missed, I tried debugging AuthenticationFilter
> it checks for ticket null, session variable CONST_CAS_ASSERTION null. Here
> I find ticket is null and session variable is still not null for the
> application 2 where logout was not called hence AuthenticationFilter doesn't
> redirect to CAS server for authentication.
>
> Please let me know where do I debug to solve this issue.
>
> Thanks
> Krishna
>
> ----- Original Message ----
> From: "cas-request at tp.its.yale.edu" <cas-request at tp.its.yale.edu>
> To: cas at tp.its.yale.edu
> Sent: Wednesday, January 30, 2008 8:23:50 AM
> Subject: cas Digest, Vol 56, Issue 49
>
> Send cas mailing list submissions to
> cas at tp.its.yale.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://tp.its.yale.edu/mailman/listinfo/cas
> or, via email, send a message with subject or body 'help' to
> cas-request at tp.its.yale.edu
>
> You can reach the person managing the list at
> cas-owner at tp.its.yale.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cas digest..."
>
>
> Today's Topics:
>
> 1. Re: Security concern with CAS cluster (Barrow H Kwan)
> 2. Single Sign out (Krishna bhimanathini)
> 3. Re: Single Sign out (=?GB2312?B?wfnL6r7Nuty/4Q==?=)
> 4. Re: CAS 3.1 RC1 client (Marat Radchenko)
> 5. Re: CAS 3.1 RC1 client (Scott Battaglia)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 29 Jan 2008 14:59:19 -0600
> From: Barrow H Kwan <bhkwan at thoughtworks.com>
> Subject: Re: Security concern with CAS cluster
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Cc: "Yale CAS mailing list" <cas at tp.its.yale.edu>,
> cas-bounces at tp.its.yale.edu
> Message-ID:
> <
> OF34162DFC.FB9D195C-ON862573DF.00733A05-882573DF.00734C25 at thoughtworks.com
> >
>
> Content-Type: text/plain; charset="us-ascii"
>
> thanks Scott,
>
> option a is exactly what I am trying to implement and it seems working
> great so far.
>
>
> =================
> Barrow Kwan
> ThoughtWorks, Inc.
>
> New from ThoughtWorks: Mingle, an Agile project management application.
> Mingle. Project Intelligence. Powerfully Simple.
> More at http://studios.thoughtworks.com
>
>
>
>
> "Scott Battaglia" <scott.battaglia at gmail.com>
> Sent by: cas-bounces at tp.its.yale.edu
> 01/29/08 12:28 PM
> Please respond to
> Yale CAS mailing list <cas at tp.its.yale.edu>
>
>
> To
> "Yale CAS mailing list" <cas at tp.its.yale.edu>
> cc
>
> Subject
> Re: Security concern with CAS cluster
>
>
>
>
>
>
> On Jan 28, 2008 1:01 AM, Barrow H Kwan <bhkwan at thoughtworks.com> wrote:
>
>
> If I have setup app1.example.com to authenticate cas1.example.com and
> app2.example.com to authenticate cas2.example.com.
>
> If I configured cas1 and cas2 in a cluster, is it possible for me to login
>
> once ( either cas1 or cas2 ) and access both app1 and app2 ?
>
> If you configured CAS in a cluster, I would recommend something like the
> following, either:
> (a) make it so that both CAS instances appear to be under the same domain
> (i.e. cas.example.com) or
> (b) create domains such that you have cas1.sso.example.com and
> cas2.sso.example.com and ensure that nothing else gets put under the
> sso.example.com domain. Why? Because in order for those two servers to
> see the cookie it would have be domain scoped to sso.example.com and you
> don't want any other applications/services to see it.
>
> The problem with (b) is that it provides no failover (if cas2 is down
> app2, cannot use cas1).
>
> -Scott
>
>
>
> =================
> Barrow Kwan
> ThoughtWorks, Inc.
>
> New from ThoughtWorks: Mingle, an Agile project management application.
> Mingle. Project Intelligence. Powerfully Simple.
> More at http://studios.thoughtworks.com
>
>
>
> "Scott Battaglia" <scott.battaglia at gmail.com>
> Sent by: cas-bounces at tp.its.yale.edu
> 01/27/08 11:42 AM
>
>
> Please respond to
>
> Yale CAS mailing list <cas at tp.its.yale.edu>
>
>
> To
> "Yale CAS mailing list" <cas at tp.its.yale.edu>
> cc
>
> Subject
> Re: Security concern with CAS cluster
>
>
>
>
>
>
>
>
> If you've configured app.example.com to authenticate to cas.example.com,
> its impossible for it to utilize the fake CAS server (because it would
> explicitly configured to use cas.example.com). (my guess would be your
> cas.example.com session was still active).
>
> That said, your cookieDomain for your TicketGrantingTIcket should be as
> restrictive as possible. It should use cas.example.com and not
> example.com. Exposing the cookie to more domains than necessary exposes
> your TGT to applications that should not have access to it.
>
> Setting a max cookie age of -1 means that its only valid for the duration
> of the browser session (i.e. until you completely exit the
> browser...though if you exit/restart quick enough it may still be in
> there).
>
> -Scott
>
> On Jan 27, 2008 12:59 AM, Barrow H Kwan <bhkwan at thoughtworks.com> wrote:
>
> After I added "cookieDomain" in cas-servlet.xml under bean
> "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" ( eg with
>
> value="example.com" ). I can use a fake CAS server to authenticate ( eg
> use the sample username=password ) and access any other CAS server under
> the example.com domain.
>
> Basically, if I have a production CAS server, cas.example.com and an app,
>
> app.example.com. I connect to app.example.com, it redirect me to
> cas.example.com, then I login ( backend is LDAP ) and it let me access
> app.example.com. Now I setup another CAS server called
> fake-cas.example.com ( with the cookieDomain set ) that use
> username=password for authentication. I open my browser and go to
> fake-cas.example.com and login with username=password. then go to
> app.example.com, it let me in without login through cas.example.com.
>
> is this a security hole or it is because of my setting? also in the
> instruction "http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS" ,
> the cookieMaxAge is -1, does it mean the cookie will not expire at all ?
>
>
>
> =================
> Barrow Kwan
> ThoughtWorks, Inc.
>
> New from ThoughtWorks: Mingle, an Agile project management application.
> Mingle. Project Intelligence. Powerfully Simple.
> More at http://studios.thoughtworks.com
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> _______________________________________________
>
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://tp.its.yale.edu/pipermail/cas/attachments/20080129/4b7df809/attachment-0001.html
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 5256 bytes
> Desc: S/MIME Cryptographic Signature
> Url :
> http://tp.its.yale.edu/pipermail/cas/attachments/20080129/4b7df809/attachment-0001.bin
>
> ------------------------------
>
> Message: 2
> Date: Tue, 29 Jan 2008 13:01:36 -0800 (PST)
> From: Krishna bhimanathini <krishna7904 at yahoo.com>
> Subject: Single Sign out
> To: cas at tp.its.yale.edu
> Message-ID: <484845.88375.qm at web60822.mail.yahoo.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello
>
> I am using CAS server 3.1.1 and CAS java Client 3.1 RC1 for Single Sign On
> in two applications in different domains. I am having no issues in doing
> Single Sign On, thanks to entire team for making it available.
>
> Is it possible to logout the user from all the application when he logouts
> from one application.
>
> Thanks for you help in advance
> Krishna
>
>
>
> ____________________________________________________________________________________
> Looking for last minute shopping deals?
> Find them fast with Yahoo! Search.
> http://tools.search.yahoo.com/newsearch/category.php?category=shopping
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://tp.its.yale.edu/pipermail/cas/attachments/20080129/8da2ecea/attachment-0001.html
>
> ------------------------------
>
> Message: 3
> Date: Wed, 30 Jan 2008 09:04:00 +0800
> From: "=?GB2312?B?wfnL6r7Nuty/4Q==?=" <chencao0524 at gmail.com>
> Subject: Re: Single Sign out
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <66fa303b0801291704u15cc781at4c287262b1111153 at mail.gmail.com>
> Content-Type: text/plain; charset="gb2312"
>
> Yes, CAS server 3.1.1 supports Single Sign Out now! If you want to logout,
> visit https://your.cas.server/cas/logout, than you could logout all
> applications. Below is the doc
> http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
> http://www.ja-sig.org/wiki/display/CASC/Configuring+Single+Sign+Out
>
>
> 2008/1/30, Krishna bhimanathini <krishna7904 at yahoo.com>:
> >
> > Hello
> >
> >
> >
> > I am using CAS server 3.1.1 and CAS java Client 3.1 RC1 for Single Sign
> On
> > in two applications in different domains. I am having no issues in
> > doing Single Sign On, thanks to entire team for making it available.
> >
> >
> >
> > Is it possible to logout the user from all the application when he
> logouts
> > from one application.
> >
> >
> >
> > Thanks for you help in advance
> >
> > Krishna
> >
> >
> >
> >
> >
> >
> >
> > ------------------------------
> > Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try
> it
> > now.<
> http://us.rd.yahoo.com/evt=51733/*http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> Regards
> CC.
>
> ///
> (. .)
> -----ooO--(_)--Ooo-----
>
> ????
>
> ???????????? ????????????
> ????????????
>
> ??????????????????????197????????????????13??
> ??????020-22387935
> ??????020-22387960
> ??????510600
> ??????http://www.ce.net.cn
> QQ??5027277
> MSN??chencao0524 at hotmail.com
> E-mail??chencao0524 at gmail.com
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://tp.its.yale.edu/pipermail/cas/attachments/20080130/51c664b2/attachment-0001.html
>
> ------------------------------
>
> Message: 4
> Date: Wed, 30 Jan 2008 10:10:58 +0300
> From: "Marat Radchenko" <slonopotamusorama at gmail.com>
> Subject: Re: CAS 3.1 RC1 client
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <b944a51b0801292310tc099546g17f330af311d583a at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I'd like to tell my thoughts about cas-client-3.1.
>
> 1) It no longer depends on cas-server-core. That's great. Much more simple
> config (plain strings/urls instead of ServiceImpl)
> 2) SpringConfiguredProxyReceptorServlet suddenly disappeared. That's
> annoying (backward-compatibility lost). It was replaced with
> Cas20ProxyReceivingTicketValidationFilter.
> 3) SingleSignOutHttpSessionListener ticket/session mapping won't survive
> server restart (even if sessions are not lost). That would be ok if there
> were any possibility to inject smarter-than-hashmap storage. However it
> isn't possible, so the only way is a full rewrite. Additionally, it will
> have troubles in case of many sessions because it stores all of them in
> memory.
> 4) The worst thing: AbstractConfigurationFilter and all its descendants
> cannot be configured from spring anymore. We use multiple profiles and
> separate settings in .properties file. However in order to upgrade to
> cas-client-3.1 we will have to do one of the following:
> a) extend filter and add spring-friendly configuration means
> b) create multiple web.xml files (i strongly dislike this option)
> c) backport required stuff to cas-client-3.0
>
> Hope this feedback will help. I'm ready to discuss above problems so we
> could find ways to solve them.
>
> 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > The RC2 binary and source jars in the repo. I'm having trouble having
> it
> > generate the javadocs so those are not in there right now.
> >
> > -Scott
> >
> >
> > On Jan 29, 2008 9:37 AM, Marat Radchenko <slonopotamusorama at gmail.com>
> > wrote:
> >
> > > Additionally, please add sources and javadoc jar to repo. Thanks.
> > >
> > > 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > >
> > >
> > >
> > > > I'm building an RC2 shortly. When that happens I'll make sure all
> of
> > the
> > > > correct stuff ends up in the repo ;-)
> > > >
> > > > Thanks
> > > > -Scott
> > > >
> > > >
> > > > On Jan 28, 2008 8:09 AM, Marat Radchenko <
> slonopotamusorama at gmail.com>
> > > > wrote:
> > > >
> > > > > maven repo error:
> > > > > cas-client-core-3.1-RC1 uses cas-client-3.1-RC1 as parent pom.
> > > > > But there isn't any in
> > > > >
> > > >
> > http://developer.ja-sig.org/maven2/org/jasig/cas/cas-client/
> > > > >
> > > > >
> > > > > 2008/1/28, Scott Battaglia <scott.battaglia at gmail.com>:
> > > > >
> > > > >
> > > > >
> > > > > > Thanks! I'll look at this tomorrow at work.
> > > > > >
> > > > > > -Scott
> > > > > >
> > > > > >
> > > > > > On Jan 25, 2008 3:18 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > Great! I have created the JIRA:
> > > > > > > http://www.ja-sig.org/issues/browse/CASC-34
> > > > > > >
> > > > > > >
> > > > > > > -rg
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Jan 25, 2008 2:28 PM, Scott Battaglia
> > <scott.battaglia at gmail.com>
> > > > > > wrote:
> > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Adding a template method sounds relatively reasonable. If
> you
> > can
> > > > > > create a JIRA issue to track it that would be great. I'll also
> > probably
> > > > > > look into whether it makes sense to add one for failure too.
> > > > > > > >
> > > > > > > > -Scott
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Jan 25, 2008 2:19 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > I was afraid you were going to ask that question ;)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Basically it's to deal with a scenario I mentioned in a
> prior
> > > > email.
> > > > > > See question #1 here:
> > > > > > > > >
> > > > > >
> > > >
> > http://article.gmane.org/gmane.comp.java.jasig.cas.user/4230
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > How I am dealing with this scenario, is I created my own
> > > > > > ExpirationPolicy which looks in a database for the last accessed
> > time
> > > > for
> > > > > > the users ticket grating ticket OR service ticket. When the
> user
> > makes
> > > > an
> > > > > > http request to a service webapp, an internal web service call
> will
> > be
> > > > made
> > > > > > to update this "last accessed time" in the database. What that
> > means is
> > > > I
> > > > > > need to hold onto the service ticket IDs in the http session for
> > each
> > > > > > service.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > The problem I have is finding the appropriate place in the
> > > > lifecycle
> > > > > > of the service ticket validation http request to put the service
> > ticket
> > > > ID
> > > > > > in the http session. This is what I want to do right after the
> > ticket
> > > > is
> > > > > > validated. And now that I think about it a little more, the
> > template
> > > > method
> > > > > > would need to be something like:
> > > > > > > > > onServiceTicketSuccess(ServletRequest,
> > > > > > ServletResponse, Assertion)
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > I'm guessing you are going to have a negative reaction to
> what
> > I
> > > > just
> > > > > > described. But know that I have control over the CAS webapp,
> and
> > every
> > > > > > single webapp that uses CAS for authentication. This is a
> closed
> > system
> > > > > > with only my webapps.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > -rg
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Jan 25, 2008 11:39 AM, Scott Battaglia
> > > > <scott.battaglia at gmail.com>
> > > > > > wrote:
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > rg,
> > > > > > > > > >
> > > > > > > > > > What's your use case for the functionality that needs to
> > happen
> > > > > > after a successful service ticket validation? This way we can
> > figure
> > > > out
> > > > > > the best way to make the library extendable.
> > > > > > > > > >
> > > > > > > > > > -Scott
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Jan 25, 2008 9:55 AM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > I have been using the 3.1 RC1 client for a few days in
> the
> > > > > > prototype I'm building. So my perspective of the release client
> is
> > > > limited,
> > > > > > but, so far I haven't seen any bugs.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > One change that i would like to be considered is to
> change
> > > > > > Cas20ProxyReceivingTicketValidationFilter to NOT be
> > > > marked
> > > > > > final, and to have a new template method
> > > > > > onServiceTicketSuccess() declared in
> > > > > > AbstractTicketValidationFilter and called in doFilter()
> > > > > > after this.ticketValidator.validate(). This way I can extend
> > > > > > Cas20ProxyReceivingTicketValidationFilter and
> > override
> > > > > > onServiceTicketSuccess().
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > I understand the goal to keep certain things final,
> but,
> > all i
> > > > > > want to do is add some code on successful service ticket
> validation,
> > and
> > > > I
> > > > > > don't see any way to do it currently.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > thanks,
> > > > > > > > > > > -rg
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Jan 24, 2008 10:18 AM, Scott Battaglia
> > > > > > <scott.battaglia at gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > It can be found here:
> > > > > > > > > > > >
> > > > > >
> > > >
> >
> http://www.ja-sig.org/downloads/cas-clients/cas-client-3.1-RC1-release.zip
> > > > > > > > > > > >
> > > > > > > > > > > > Documentation can be found here:
> > > > > > > > > > > >
> > > > > >
> > > >
> > http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
> > > > > > > > > > > >
> > > > > > > > > > > > If you can try it out and give us any feedback that
> > would be
> > > > > > great. We're looking to do a release soon so we can incorporate
> it
> > into
> > > > the
> > > > > > next version of Acegi.
> > > > > > > > > > > >
> > > > > > > > > > > > -Scott
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Jan 24, 2008 4:11 AM, Marat Radchenko
> > > > > > <slonopotamusorama at gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Where I can download it?
> > > > > > > > > > > > >
> > > > > > > > > > > > > 2008/1/23, Scott Battaglia
> > <scott.battaglia at gmail.com>:
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Folks--
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > We want to get ready to do the CAS 3.1 client
> > release
> > > > for
> > > > > > Java (so we can
> > > > > > > > > > > > > > start working on 3.1.1). I've done some testing
> of
> > it
> > > > > > locally. Has anyone
> > > > > > > > > > > > > > else tested it that can say it works well?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > > -Scott
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > -Scott Battaglia
> > > > > > > > > > > > > > LinkedIn:
> > > > > > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > _______________________________________________
> > > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > > >
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > _______________________________________________
> > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > >
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > -Scott Battaglia
> > > > > > > > > > > >
> > > > > > > > > > > > LinkedIn:
> > > > > > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > > > > >
> > > > _______________________________________________
> > > > > > > > > > > >
> > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > >
> > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > _______________________________________________
> > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > >
> > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > -Scott Battaglia
> > > > > > > > > >
> > > > > > > > > > LinkedIn:
> > > > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > > >
> > _______________________________________________
> > > > > > > > > >
> > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > _______________________________________________
> > > > > > > > > Yale CAS mailing list
> > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > -Scott Battaglia
> > > > > > > >
> > > > > > > > LinkedIn:
> > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > _______________________________________________
> > > > > > > >
> > > > > > > > Yale CAS mailing list
> > > > > > > > cas at tp.its.yale.edu
> > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Yale CAS mailing list
> > > > > > > cas at tp.its.yale.edu
> > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > -Scott Battaglia
> > > > > >
> > > > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > > > > _______________________________________________
> > > > >
> > > > >
> > > > >
> > > > > > Yale CAS mailing list
> > > > > > cas at tp.its.yale.edu
> > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > >
> > > > > >
> > > > > _______________________________________________
> > > > > Yale CAS mailing list
> > > > > cas at tp.its.yale.edu
> > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > -Scott Battaglia
> > > >
> > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > cas at tp.its.yale.edu
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > >
> > > >
> > > _______________________________________________
> > > Yale CAS mailing list
> > > cas at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://tp.its.yale.edu/pipermail/cas/attachments/20080130/2bc24a08/attachment-0001.html
>
> ------------------------------
>
> Message: 5
> Date: Wed, 30 Jan 2008 08:22:45 -0500
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: CAS 3.1 RC1 client
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
> <1bbd36a10801300522n50b21358wf68200d67176cd5 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Jan 30, 2008 2:10 AM, Marat Radchenko <slonopotamusorama at gmail.com>
> wrote:
>
> > I'd like to tell my thoughts about cas-client-3.1.
> >
> > 1) It no longer depends on cas-server-core. That's great. Much more
> simple
> > config (plain strings/urls instead of ServiceImpl)
>
> Yes, I thought that would be simpler ;-)
>
> >
> > 2) SpringConfiguredProxyReceptorServlet suddenly disappeared. That's
> > annoying (backward-compatibility lost). It was replaced with
> > Cas20ProxyReceivingTicketValidationFilter.
>
> Yes, it was removed on purpose as it depended on Spring entirely, which
> this
> library doesn't.
>
> >
> > 3) SingleSignOutHttpSessionListener ticket/session mapping won't survive
> > server restart (even if sessions are not lost). That would be ok if
> there
> > were any possibility to inject smarter-than-hashmap storage. However it
> > isn't possible, so the only way is a full rewrite. Additionally, it will
> > have troubles in case of many sessions because it stores all of them in
> > memory.
>
>
> If you had a JIRA issue I can attempt to make it similar to the
> ProxyReceptorServlet where we provide the base and you implement two
> methods
> that do the delete/retrieval. Though memory should not be an issue as
> they
> are only references to the session objects that already exist. And those
> references should be deleted when the session expires.
>
> >
> > 4) The worst thing: AbstractConfigurationFilter and all its descendants
> > cannot be configured from spring anymore. We use multiple profiles and
> > separate settings in .properties file. However in order to upgrade to
> > cas-client-3.1 we will have to do one of the following:
> > a) extend filter and add spring-friendly configuration means
> > b) create multiple web.xml files (i strongly dislike this option)
> > c) backport required stuff to cas-client-3.0
>
>
> Yes, actually it can still be configured via Spring. All of the filters
> should have setters for their various properties. We haven't done
> extensive
> testing with it, but the goal was to allow you to either use the web.xmlfor
> simple cases, or utilizing something else like Spring.
>
> We have some information on it here:
>
> http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring
> (though it does look like I have one typo related to the
> proxycallbackUrl.)
>
> Hope that helps. Thanks for the feedback.
> -Scott
>
>
> >
> >
> > Hope this feedback will help. I'm ready to discuss above problems so we
> > could find ways to solve them.
> >
> >
> > 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > > The RC2 binary and source jars in the repo. I'm having trouble having
> > it
> > > generate the javadocs so those are not in there right now.
> > >
> > > -Scott
> > >
> > >
> > > On Jan 29, 2008 9:37 AM, Marat Radchenko <slonopotamusorama at gmail.com>
> > > wrote:
> > >
> > > > Additionally, please add sources and javadoc jar to repo. Thanks.
> > > >
> > > > 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > > >
> > > >
> > > >
> > > > > I'm building an RC2 shortly. When that happens I'll make sure all
> > of
> > > the
> > > > > correct stuff ends up in the repo ;-)
> > > > >
> > > > > Thanks
> > > > > -Scott
> > > > >
> > > > >
> > > > > On Jan 28, 2008 8:09 AM, Marat Radchenko <
> > slonopotamusorama at gmail.com>
> > > > > wrote:
> > > > >
> > > > > > maven repo error:
> > > > > > cas-client-core-3.1-RC1 uses cas-client-3.1-RC1 as parent pom.
> > > > > > But there isn't any in
> > > > > >
> > > > >
> > > http://developer.ja-sig.org/maven2/org/jasig/cas/cas-client/
> > > > > >
> > > > > >
> > > > > > 2008/1/28, Scott Battaglia <scott.battaglia at gmail.com>:
> > > > > >
> > > > > >
> > > > > >
> > > > > > > Thanks! I'll look at this tomorrow at work.
> > > > > > >
> > > > > > > -Scott
> > > > > > >
> > > > > > >
> > > > > > > On Jan 25, 2008 3:18 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > Great! I have created the JIRA:
> > > > > > > > http://www.ja-sig.org/issues/browse/CASC-34
> > > > > > > >
> > > > > > > >
> > > > > > > > -rg
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Jan 25, 2008 2:28 PM, Scott Battaglia
> > > <scott.battaglia at gmail.com>
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Adding a template method sounds relatively reasonable. If
> > you
> > > can
> > > > > > > create a JIRA issue to track it that would be great. I'll
> also
> > > probably
> > > > > > > look into whether it makes sense to add one for failure too.
> > > > > > > > >
> > > > > > > > > -Scott
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Jan 25, 2008 2:19 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > I was afraid you were going to ask that question ;)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Basically it's to deal with a scenario I mentioned in a
> > prior
> > > > > email.
> > > > > > > See question #1 here:
> > > > > > > > > >
> > > > > > >
> > > > >
> > > http://article.gmane.org/gmane.comp.java.jasig.cas.user/4230
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > How I am dealing with this scenario, is I created my own
> > > > > > > ExpirationPolicy which looks in a database for the last
> accessed
> > > time
> > > > > for
> > > > > > > the users ticket grating ticket OR service ticket. When the
> > user
> > > makes
> > > > > an
> > > > > > > http request to a service webapp, an internal web service call
> > will
> > > be
> > > > > made
> > > > > > > to update this "last accessed time" in the database. What
> that
> > > means is
> > > > > I
> > > > > > > need to hold onto the service ticket IDs in the http session
> for
> > > each
> > > > > > > service.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > The problem I have is finding the appropriate place in
> the
> > > > > lifecycle
> > > > > > > of the service ticket validation http request to put the
> service
> > > ticket
> > > > > ID
> > > > > > > in the http session. This is what I want to do right after
> the
> > > ticket
> > > > > is
> > > > > > > validated. And now that I think about it a little more, the
> > > template
> > > > > method
> > > > > > > would need to be something like:
> > > > > > > > > > onServiceTicketSuccess(ServletRequest,
> > > > > > > ServletResponse, Assertion)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > I'm guessing you are going to have a negative reaction
> to
> > what
> > > I
> > > > > just
> > > > > > > described. But know that I have control over the CAS webapp,
> > and
> > > every
> > > > > > > single webapp that uses CAS for authentication. This is a
> > closed
> > > system
> > > > > > > with only my webapps.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > -rg
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Jan 25, 2008 11:39 AM, Scott Battaglia
> > > > > <scott.battaglia at gmail.com>
> > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > rg,
> > > > > > > > > > >
> > > > > > > > > > > What's your use case for the functionality that needs
> to
> > > happen
> > > > > > > after a successful service ticket validation? This way we can
> > > figure
> > > > > out
> > > > > > > the best way to make the library extendable.
> > > > > > > > > > >
> > > > > > > > > > > -Scott
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Jan 25, 2008 9:55 AM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I have been using the 3.1 RC1 client for a few days
> in
> > the
> > > > > > > prototype I'm building. So my perspective of the release
> client
> > is
> > > > > limited,
> > > > > > > but, so far I haven't seen any bugs.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > One change that i would like to be considered is to
> > change
> > > > > > > Cas20ProxyReceivingTicketValidationFilter to NOT be
> > > > > marked
> > > > > > > final, and to have a new template method
> > > > > > > onServiceTicketSuccess() declared in
> > > > > > > AbstractTicketValidationFilter and called in doFilter()
> > > > > > > after this.ticketValidator.validate(). This way I can extend
> > > > > > > Cas20ProxyReceivingTicketValidationFilter and
> > > override
> > > > > > > onServiceTicketSuccess().
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > I understand the goal to keep certain things final,
> > but,
> > > all i
> > > > > > > want to do is add some code on successful service ticket
> > validation,
> > > and
> > > > > I
> > > > > > > don't see any way to do it currently.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > thanks,
> > > > > > > > > > > > -rg
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > On Jan 24, 2008 10:18 AM, Scott Battaglia
> > > > > > > <scott.battaglia at gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > It can be found here:
> > > > > > > > > > > > >
> > > > > > >
> > > > >
> > >
> >
> http://www.ja-sig.org/downloads/cas-clients/cas-client-3.1-RC1-release.zip
> > > > > > > > > > > > >
> > > > > > > > > > > > > Documentation can be found here:
> > > > > > > > > > > > >
> > > > > > >
> > > > >
> > > http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
> > > > > > > > > > > > >
> > > > > > > > > > > > > If you can try it out and give us any feedback
> that
> > > would be
> > > > > > > great. We're looking to do a release soon so we can
> incorporate
> > it
> > > into
> > > > > the
> > > > > > > next version of Acegi.
> > > > > > > > > > > > >
> > > > > > > > > > > > > -Scott
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Jan 24, 2008 4:11 AM, Marat Radchenko
> > > > > > > <slonopotamusorama at gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Where I can download it?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > 2008/1/23, Scott Battaglia
> > > <scott.battaglia at gmail.com>:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Folks--
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > We want to get ready to do the CAS 3.1 client
> > > release
> > > > > for
> > > > > > > Java (so we can
> > > > > > > > > > > > > > > start working on 3.1.1). I've done some
> testing
> > of
> > > it
> > > > > > > locally. Has anyone
> > > > > > > > > > > > > > > else tested it that can say it works well?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > > > -Scott
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > --
> > > > > > > > > > > > > > > -Scott Battaglia
> > > > > > > > > > > > > > > LinkedIn:
> > > > > > > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > _______________________________________________
> > > > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > > > >
> > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > _______________________________________________
> > > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > > >
> > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > -Scott Battaglia
> > > > > > > > > > > > >
> > > > > > > > > > > > > LinkedIn:
> > > > > > > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > > > > > >
> > > > > _______________________________________________
> > > > > > > > > > > > >
> > > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > > >
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > _______________________________________________
> > > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > >
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > -Scott Battaglia
> > > > > > > > > > >
> > > > > > > > > > > LinkedIn:
> > > > > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > > > >
> > > _______________________________________________
> > > > > > > > > > >
> > > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > _______________________________________________
> > > > > > > > > > Yale CAS mailing list
> > > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > -Scott Battaglia
> > > > > > > > >
> > > > > > > > > LinkedIn:
> > > http://www.linkedin.com/in/scottbattaglia
> > > > > > > > > _______________________________________________
> > > > > > > > >
> > > > > > > > > Yale CAS mailing list
> > > > > > > > > cas at tp.its.yale.edu
> > > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Yale CAS mailing list
> > > > > > > > cas at tp.its.yale.edu
> > > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > -Scott Battaglia
> > > > > > >
> > > > > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > > > > > _______________________________________________
> > > > > >
> > > > > >
> > > > > >
> > > > > > > Yale CAS mailing list
> > > > > > > cas at tp.its.yale.edu
> > > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > > >
> > > > > > >
> > > > > > _______________________________________________
> > > > > > Yale CAS mailing list
> > > > > > cas at tp.its.yale.edu
> > > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > -Scott Battaglia
> > > > >
> > > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > > > _______________________________________________
> > > > > Yale CAS mailing list
> > > > > cas at tp.its.yale.edu
> > > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > > >
> > > > >
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > cas at tp.its.yale.edu
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> > > >
> > >
> > >
> > >
> > > --
> > > -Scott Battaglia
> > >
> > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > _______________________________________________
> > > Yale CAS mailing list
> > > cas at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas
> > >
> > >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://tp.its.yale.edu/pipermail/cas/attachments/20080130/64a5f5b4/attachment.html
>
> ------------------------------
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
> End of cas Digest, Vol 56, Issue 49
> ***********************************
>
>
> ------------------------------
> Looking for last minute shopping deals? Find them fast with Yahoo! Search.<http://us.rd.yahoo.com/evt=51734/*http://tools.search.yahoo.com/newsearch/category.php?category=shopping>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080131/9b48c5b7/attachment-0001.html
More information about the cas
mailing list