Single Sign out

Scott Battaglia scott.battaglia at gmail.com
Thu Jan 31 14:46:10 EST 2008


Have you set up the signout filter and session listener in the client
applications?

-Scott
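
How the signout filter and session listener asked about above fit together, as an added example that is not part of the original message and not the CAS client's own code. It is a simplified, container-free model: every class and method name is hypothetical, and the logout message is a constructed sample that assumes the service ticket travels in a `SessionIndex` element.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Simplified model of client-side single sign out. All names here are hypothetical. */
public class SingleSignOutSketch {

    /** Stand-in for an HttpSession so the example runs without a servlet container. */
    static final class AppSession {
        final String id;
        private volatile boolean valid = true;
        AppSession(String id) { this.id = id; }
        void invalidate() { valid = false; }
        boolean isValid() { return valid; }
    }

    /** Ticket-to-session mapping, kept in memory only. */
    static final class SessionMapping {
        private final Map<String, AppSession> byTicket = new ConcurrentHashMap<>();
        private final Map<String, String> ticketBySessionId = new ConcurrentHashMap<>();

        void add(String ticket, AppSession session) {
            byTicket.put(ticket, session);
            ticketBySessionId.put(session.id, ticket);
        }
        AppSession removeByTicket(String ticket) {
            AppSession s = byTicket.remove(ticket);
            if (s != null) ticketBySessionId.remove(s.id);
            return s;
        }
        void removeBySessionId(String sessionId) {
            String ticket = ticketBySessionId.remove(sessionId);
            if (ticket != null) byTicket.remove(ticket);
        }
        int size() { return byTicket.size(); }
    }

    private final SessionMapping mapping = new SessionMapping();

    /** Filter role: a request arrived with a service ticket; remember its session. */
    void onTicketReceived(String ticket, AppSession session) { mapping.add(ticket, session); }

    /** Listener role: the container expired a session; drop the stale mapping entry. */
    void onSessionDestroyed(AppSession session) { mapping.removeBySessionId(session.id); }

    /** Filter role: back-channel POST from the CAS server. Returns true if a session was ended. */
    boolean onLogoutRequest(String logoutRequestXml) {
        String ticket = extractSessionIndex(logoutRequestXml);
        if (ticket == null) return false;
        AppSession session = mapping.removeByTicket(ticket);
        if (session == null) return false;   // unknown ticket: nothing to end
        session.invalidate();
        return true;
    }

    /** Pulls the ticket out of the logout message; DTDs are refused to rule out XXE. */
    static String extractSessionIndex(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            NodeList nodes = f.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)))
                    .getElementsByTagNameNS("*", "SessionIndex");
            if (nodes.getLength() != 1) return null;
            String value = nodes.item(0).getTextContent().trim();
            return value.isEmpty() ? null : value;
        } catch (Exception e) {
            return null;   // malformed input is ignored
        }
    }

    /** Constructed sample of the logout message, carrying the ticket issued to one application. */
    static String sampleLogoutRequest(String ticket) {
        return "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
             + " ID=\"LR-constructed\" Version=\"2.0\">"
             + "<samlp:SessionIndex>" + ticket + "</samlp:SessionIndex>"
             + "</samlp:LogoutRequest>";
    }

    public static void main(String[] args) {
        SingleSignOutSketch app2 = new SingleSignOutSketch();
        AppSession user = new AppSession("SESSION-B-constructed");
        AppSession other = new AppSession("SESSION-C-constructed");
        app2.onTicketReceived("ST-2-constructed", user);
        app2.onTicketReceived("ST-3-constructed", other);

        // The user logs out through application 1; the CAS server then notifies application 2.
        System.out.println("before logout, session valid: " + user.isValid());
        boolean ended = app2.onLogoutRequest(sampleLogoutRequest("ST-2-constructed"));
        System.out.println("logout request ended a session: " + ended);
        System.out.println("after logout, session valid: " + user.isValid());

        // A ticket this application never saw ends nothing.
        System.out.println("unknown ticket ended a session: "
                + app2.onLogoutRequest(sampleLogoutRequest("ST-9-constructed")));

        // Session expiry must also clear the mapping, or entries accumulate.
        app2.onSessionDestroyed(other);
        System.out.println("mapping entries left: " + app2.mapping.size());
    }
}
```

Without the filter role recording the ticket and handling the logout POST, the second application's session keeps its assertion after logout, which is the symptom described in the quoted message below.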

On Jan 31, 2008 1:39 PM, Krishna bhimanathini <krishna7904 at yahoo.com> wrote:

> Yes, both the applications are using CAS Java Client 3.1 RC1.
> In the logoutController.java of CAS Server, I am getting
> request.getParameter("service") as null. How do I set this parameter so
> that it posts the logout information to all the applications?
>
> Thanks
> Krishna
>
> ----- Original Message ----
> From: "cas-request at tp.its.yale.edu" <cas-request at tp.its.yale.edu>
> To: cas at tp.its.yale.edu
> Sent: Thursday, January 31, 2008 11:41:38 AM
> Subject: cas Digest, Vol 56, Issue 52
>
> Today's Topics:
>
>   1. Re: trying to track down jaas memory leak (David Spencer)
>   2. Adding a customized header to POST (Robert, Brice)
>   3. Re: SEVERE: Error filterStart (Ole Ersoy)
>   4. Re: CAS 3.1 RC1 client (Scott Battaglia)
>   5. Login view (Wilson França)
>   6. Re: SEVERE: Error filterStart (Scott Battaglia)
>   7. RE: trying to track down jaas memory leak (Brad A Cupit)
>   8. Re: Single Sign out (Scott Battaglia)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 31 Jan 2008 09:46:47 +0000
> From: David Spencer <David.Spencer at bristol.ac.uk>
> Subject: Re: trying to track down jaas memory leak
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Message-ID: <571645C14B0A452A2E2C8569 at cse-djs.cse.bris.ac.uk>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> Sorry - it was late at night and I got my TCP and UDP back-to-front.
>
> com.sun.security.auth.module.Krb5LoginModule will ordinarily use UDP sockets
> and it is these that we were seeing accumulating.
>
> A "udp_preference_limit" can be set in the kerberos configuration (krb5.conf)
> and if the size of the message is greater than this limit TCP is used instead.
> By setting the udp_preference_limit to 1, we forced all messages to be sent by
> TCP and our UDP socket leak went away.
>
> Sorry if I've confused anyone!
> Dave
>
> --On 30 January 2008 23:06 +0000 David Spencer <David.Spencer at bristol.ac.uk> wrote:
>
> > Brad,
> >
> > Possibly an unrelated problem and I don't have all the details to hand but
> > will look them up tomorrow at work if it seems relevant to you.
> >
> > We ran into a problem with com.sun.security.auth.module.Krb5LoginModule that
> > caused our CAS server to gradually accumulate TCP sockets and eventually fall
> > over when it had used up all the socket resources on the box. This was Java 5
> > on some flavour of Linux. We hadn't seen the problem running the same code on
> > Solaris. I think we would have been running with a larger heap than 256Mb so
> > we perhaps hit a socket resource problem before we hit the memory limit you
> > are seeing?
> >
> > A bit of digging showed that it was forgetting to close the TCP socket but it
> > also showed that the section that dealt with UDP sockets didn't have the same
> > problem. We asked the module to always use UDP sockets and the leak went
> > away.  CAS service was running uninterrupted throughout 2007.
> >
> > I'll dig out the details in the morning.
> > Dave
> >
> >
> > --On 30 January 2008 16:22 -0600 Brad A Cupit <brad at lsu.edu> wrote:
> >
> >> Hello,
> >>
> >> We have a CAS server using JAAS + Kerberos to authenticate users against
> >> Active Directory. We started seeing OutOfMemoryErrors with the default Xmx
> >> (of 64m) which we have since bumped up to 256m. We haven't had
> >> OutOfMemoryErrors since then, but the memory usage keeps rising.
> >>
> >> I've hooked up JProfiler to try and see where the memory is going, and
> >> noticed that it goes up with each request, and running the garbage collector
> >> (via System.gc()) doesn't reclaim many of the objects. I'm sure we just have
> >> a configuration error of sorts, but I've spent a few days and can't seem to
> >> figure it out.
> >>
> >> JProfiler tells me that after a few requests (500 or so), we have an enormous
> >> number of LinkedHashMap$Entry objects, as well as
> >> java.security.Provider$ServiceKey, java.security.Provider$Service, and
> >> HashMap$Entry instances.
> >>
> >> I've also noticed that instances of com.sun.crypto.provider.SunJCE go up by 2
> >> per request, and don't get reclaimed with garbage collection.
> >>
> >> JProfiler's cumulative allocations point to
> >> javax.security.auth.login.LoginContext.login() method, but I've checked out
> >> the code and stepped through it with a debugger, but can't see anything wrong
> >> (no creation of instances that would be uncollectable by the gc).
> >>
> >> If it helps, here's our jaas.conf file:
> >>
> >> CAS {
> >>        com.sun.security.auth.module.Krb5LoginModule required client=TRUE debug=FALSE useTicketCache=FALSE;
> >> };
> >>
> >> I'm going to try to setup CAS to use the LDAP authentication handler to see
> >> if the problem is strictly JAAS related.
> >>
> >> Has anyone seen issues like this before?
> >>
> >> Thanks in advance!
> >>
> >> Brad Cupit
> >> Louisiana State University - UIS
> >> e-mail: brad at lsu.edu
> >> office: 225.578.4774
> >>
> >
> >
> >
> > ----------------------
> > David Spencer
> > Information Systems and Computing
> > University of Bristol
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
> ----------------------
> David Spencer
> Information Systems and Computing
> University of Bristol
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 31 Jan 2008 09:53:26 -0500
> From: "Robert, Brice" <Brice.Robert at alliancebernstein.com>
> Subject: Adding a customized header to POST
> To: <cas at tp.its.yale.edu>
> Message-ID:
>     <830D204DEB08F84890EA3D3A8F1289C302A1F2AD at METROEVS3.ac.lp.acml.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Scott,
>
> Thanks for the answer.
>
> >(see the one we use as an example)
>
> If you are talking about the dynamicRedirectViewSelector provided in
> CAS-CORE, I replaced it with my own one.
>
> But I can't get the HttpServerResponse to set the header like
> httpost.addHeader("USER", "myself");
>
> Placed just before the below code and used several other ones.
>
> return new ExternalRedirect(service.getResponse(ticket).getUrl());
>
> <end-state id="redirect" view="bean:dynamicRedirectViewSelector" />
>
> How do we update the Response in CAS without creating a new httpClient?
>
> I might be missing a link where to find the appropriate examples. Would
> you please advise?
>
> In the meantime, I was able to get examples from the French University
> (I read French) but it still doesn't help me with adding my customized Http
> Header.
>
> Meanwhile it helped me with redirecting the page when using IE6 (through
> JavaScript code):
>
> http://doc-cri.univ-nancy2.fr/public/?contentId=3841
>
> Thanks,
>
> Brice
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 31 Jan 2008 09:30:29 -0600
> From: Ole Ersoy <ole.ersoy at gmail.com>
> Subject: Re: SEVERE: Error filterStart
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Message-ID: <47A1E995.4070206 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi Scott,
>
> Looks like we may have crossed messages.  After completing step six in
> the demo tutorial:
>
> http://www.ja-sig.org/wiki/display/CASUM/Demo
>
> I fired it up and got the exception.  The only log message was SEVERE:
> Error FilterStart.  Turns out that I also needed to add commons-logging,
> which I found out by just doing a fresh maven webapp, with the cas client
> dependency specified.  I did add an exclusion element within the cas
> dependency element to exclude the servlet transitive dependency, such that
> the tomcat plugin did not bundle the servlet 2.3 jar with the other
> transitive dependencies (commons-logging).  I'm sure this is preaching to
> the choir...if the servlet dependency has scope set to provided, then others
> deploying the cas client get to skip the exclusion step.   Tomcat 6 detects
> and logs that the dependency is there, and still uses 2.5, so it's only to
> avoid bloat.
>
> Thanks for all the brilliant work on CAS,
> - Ole
>
>
>
>
> Scott Battaglia wrote:
> > Are any other messages showing up in your catalina.out?  CAS Client for
> > Java 3.1 is where we will be putting our development efforts going
> > forward. However, the version you are using should still work fine.
> >
> > -Scott
> >
> > On Jan 30, 2008 5:43 PM, Ole Ersoy <ole.ersoy at gmail.com
> > <mailto:ole.ersoy at gmail.com>> wrote:
> >
> >    Hi,
> >
> >    I'm trying to get the wiki example setup on Tomcat 6.0.14 and I get
> >    a SEVERE: Error filterStart, in the log during startup, which causes
> >    the /examples app to startup to fail.  I have https working fine,
> >    and my web.xml cas filter is setup like this:
> >
> >    <filter>
> >    <filter-name>CAS Filter</filter-name>
> >    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
> >    <init-param>
> >    <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
> >    <param-value>https://localhost.localdomain:8443/cas/login</param-value>
> >    </init-param>
> >    <init-param>
> >    <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
> >    <param-value>https://localhost.localdomain:8443/cas/serviceValidate</param-value>
> >    </init-param>
> >    <init-param>
> >    <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
> >    <param-value>localhost.localdomain:8080</param-value>
> >    </init-param>
> >    </filter>
> >
> >    <filter-mapping>
> >    <filter-name>CAS Filter</filter-name>
> >    <url-pattern>/servlet/HelloWorldExample</url-pattern>
> >    </filter-mapping>
> >
> >    Any ideas on how to debug this?  Also it seems like there are 2 cas
> >    clients.  Right now I'm using 2.1.1.  Should I be using 3.1 with
> >    Tomcat 6?
> >
> >    Thanks,
> >    - Ole
> >
> >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> >
> >
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 31 Jan 2008 11:20:47 -0500
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: CAS 3.1 RC1 client
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
>     <1bbd36a10801310820r6d3dea2dg336636ec76872848 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Jan 31, 2008 2:23 AM, Marat Radchenko <slonopotamusorama at gmail.com>
> wrote:
>
> >
> >
> > <snip />
> >
> > >
> > > > 3) SingleSignOutHttpSessionListener ticket/session mapping won't
> > > > survive server restart (even if sessions are not lost). That would be ok if
> > > > there were any possibility to inject smarter-than-hashmap storage. However
> > > > it isn't possible, so the only way is a full rewrite. Additionally, it will
> > > > have troubles in case of many sessions because it stores all of them in
> > > > memory.
> > >
> > > If you had a JIRA issue I can attempt to make it similar to the
> > > ProxyReceptorServlet where we provide the base and you implement two methods
> > > that do the delete/retrieval.  Though memory should not be an issue as they
> > > are only references to the session objects that already exist.  And those
> > > references should be deleted when the session expires.
> >
> > Well, actually things are not so simple. Servlet container (if properly
> > configured) can serialize sessions to persistent store (disk, db or whatever)
> > in order to free memory. But current implementation
> > of SingleSignOutHttpSessionListener will still hold references thus
> > preventing sessions from being garbage collected.
> >
> >
>
> True, it will hold on to it.  It's designed for the "in-memory" case.   If we
> don't store the reference in memory then I don't know how to gain a
> reference to that session.  I don't think the Servlet API exposes a method,
> does it?  I'd prefer not to use container specific versions if possible
> (because I'm assuming individual containers have a method of retrieving a
> session based on id).
>
> <snip />
>
> >
> > > Yes, actually it can still be configured via Spring.  All of the filters
> > > should have setters for their various properties.  We haven't done extensive
> > > testing with it, but the goal was to allow you to either use the
> > > web.xml for simple cases, or utilizing something else like Spring.
> >
> > Oh. It's my fault, a little misunderstanding of source :) I'm taking my
> > words back, it really can be configured via Spring.
> >
>
> I resolved your JIRA issue about the "totally broken" part :-). It should
> actually now work in Spring.  I added some test cases and a simple Spring
> configuration example.    If we don't resolve the above Session stuff soon
> I'll cut an RC3 so other people can try out the fix for the Spring stuff
> (though you can also check it out from Subversion)
>
> -Scott
>
> ------------------------------
>
> Message: 5
> Date: Thu, 31 Jan 2008 14:27:14 -0200
> From: "Wilson França" <wilsonrf at gmail.com>
> Subject: Login view
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
>     <e17f429d0801310827m3d087255m15b5c33dd8be6ab2 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
> is it possible to have an authentication form in an IFRAME instead of
> casLoginView.jsp?
> I want to use the same form in two or more apps, without the user knowing that
> the authentication form is outside the app.
>
> Thanx.
>
> PS: sorry for the poor English
>
> ------------------------------
>
> Message: 6
> Date: Thu, 31 Jan 2008 11:28:32 -0500
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: SEVERE: Error filterStart
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
>     <1bbd36a10801310828l4c91dca3pc0d5a666d03683c3 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Ole, which CAS client are you using?  If it's the 2.x one then I'm not sure
> we can update any of those POMs.  If it's 3.1 then I still have time to
> update it.
>
> Thanks
> -Scott
>
>
> ------------------------------
>
> Message: 7
> Date: Thu, 31 Jan 2008 10:41:11 -0600
> From: "Brad A Cupit" <brad at lsu.edu>
> Subject: RE: trying to track down jaas memory leak
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID: <1D5C148F9259BC47BC3CBD2F76ABA205BFD643 at email002.lsu.edu>
> Content-Type: text/plain;    charset="US-ASCII"
>
> I added
> udp_preference_limit = 1
> in the [libdefaults] section of the /etc/krb5.conf, but it didn't seem
> to address the issue. We are running on Linux (RHEL) with Java 1.6.0_03.
>
> We have seen an unusually large number of blocked threads after a few
> hundred requests, and after enough connections Tomcat stops responding.
> There could be several things wrong with our environment such as a
> broken connection to Active Directory or a broken connection to Domino
> (custom code we wrote to generate an LtpaToken for single sign on to
> Lotus Notes apps).
>
> We have not seen an OutOfMemoryError since changing Xmx from 64m (the
> default) to 256m, however, the memory is still growing and eventually
> Tomcat becomes unresponsive, presumably due to the number of blocked
> threads.
>
> I'll continue to narrow down the areas which could be a problem, and
> repost to this list as I find more information.
>
> Thanks for the help so far!
>
> Brad Cupit
> Louisiana State University - UIS
>
>
>
> ------------------------------
>
> Message: 8
> Date: Thu, 31 Jan 2008 11:41:22 -0500
> From: "Scott Battaglia" <scott.battaglia at gmail.com>
> Subject: Re: Single Sign out
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Message-ID:
>     <1bbd36a10801310841m50e92b84y211212bed5e59ed3 at mail.gmail.com>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Are both application 1 and application utilizing a CAS client that supports
> Single Sign Out?
>
> Thanks
> -Scott
>
> On Jan 30, 2008 10:38 AM, Krishna bhimanathini <krishna7904 at yahoo.com> wrote:
>
> > At the application level I called session.invalidate() and redirected to
> > https://myserver/cas/logout on logout. CAS logs me out from application 1
> > but not from the other application 2. If I try to access the application 2
> > in the same browser CAS doesn't ask for credentials.
> >
> > I am not sure what I have missed. I tried debugging AuthenticationFilter;
> > it checks for ticket null, session variable CONST_CAS_ASSERTION null. Here
> > I find ticket is null and session variable is still not null for the
> > application 2 where logout was not called, hence AuthenticationFilter doesn't
> > redirect to CAS server for authentication.
> >
> > Please let me know where I should debug to solve this issue.
> >
> > Thanks
> > Krishna
> >
> > ----- Original Message ----
> > From: "cas-request at tp.its.yale.edu" <cas-request at tp.its.yale.edu>
> > To: cas at tp.its.yale.edu
> > Sent: Wednesday, January 30, 2008 8:23:50 AM
> > Subject: cas Digest, Vol 56, Issue 49
> >
> >
> > Today's Topics:
> >
> >  1. Re: Security concern with CAS cluster (Barrow H Kwan)
> >  2. Single Sign out (Krishna bhimanathini)
> >  3. Re: Single Sign out (=?GB2312?B?wfnL6r7Nuty/4Q==?=)
> >  4. Re: CAS 3.1 RC1 client (Marat Radchenko)
> >  5. Re: CAS 3.1 RC1 client (Scott Battaglia)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 29 Jan 2008 14:59:19 -0600
> > From: Barrow H Kwan <bhkwan at thoughtworks.com>
> > Subject: Re: Security concern with CAS cluster
> > To: Yale CAS mailing list <cas at tp.its.yale.edu>
> > Cc: "Yale CAS mailing list" <cas at tp.its.yale.edu>, cas-bounces at tp.its.yale.edu
> > Message-ID: <OF34162DFC.FB9D195C-ON862573DF.00733A05-882573DF.00734C25 at thoughtworks.com>
> >
> > Content-Type: text/plain; charset="us-ascii"
> >
> > thanks Scott,
> >
> > option a is exactly what I am trying to implement and it seems working
> > great so far.
> >
> >
> > =================
> > Barrow Kwan
> > ThoughtWorks, Inc.
> >
> > New from ThoughtWorks: Mingle, an Agile project management application.
> > Mingle. Project Intelligence. Powerfully Simple.
> > More at http://studios.thoughtworks.com
> >
> >
> >
> >
> > "Scott Battaglia" <scott.battaglia at gmail.com>
> > Sent by: cas-bounces at tp.its.yale.edu
> > 01/29/08 12:28 PM
> > Please respond to: Yale CAS mailing list <cas at tp.its.yale.edu>
> > To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > Subject: Re: Security concern with CAS cluster
> >
> > On Jan 28, 2008 1:01 AM, Barrow H Kwan <bhkwan at thoughtworks.com> wrote:
> >
> >
> > If I have setup app1.example.com to authenticate cas1.example.com and
> > app2.example.com to authenticate cas2.example.com.
> >
> > If I configured cas1 and cas2 in a cluster, is it possible for me to login
> > once ( either cas1 or cas2 ) and access both app1 and app2  ?
> >
> > If you configured CAS in a cluster, I would recommend something like the
> > following, either:
> > (a) make it so that both CAS instances appear to be under the same domain
> > (i.e. cas.example.com) or
> > (b) create domains such that you have cas1.sso.example.com and
> > cas2.sso.example.com and ensure that nothing else gets put under the
> > sso.example.com domain.  Why? Because in order for those two servers to
> > see the cookie it would have to be domain scoped to sso.example.com and you
> > don't want any other applications/services to see it.
> >
> > The problem with (b) is that it provides no failover (if cas2 is down
> > app2, cannot use cas1).
> >
> > -Scott
> >
> >
> >
> > =================
> > Barrow Kwan
> > ThoughtWorks, Inc.
> >
> >
> >
> >
> > "Scott Battaglia" <scott.battaglia at gmail.com>
> > Sent by: cas-bounces at tp.its.yale.edu
> > 01/27/08 11:42 AM
> > Please respond to: Yale CAS mailing list <cas at tp.its.yale.edu>
> > To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > Subject: Re: Security concern with CAS cluster
> >
> > If you've configured app.example.com to authenticate to cas.example.com,
> > it's impossible for it to utilize the fake CAS server (because it would be
> > explicitly configured to use cas.example.com). (my guess would be your
> > cas.example.com session was still active).
> >
> > That said, your cookieDomain for your TicketGrantingTicket should be as
> > restrictive as possible.  It should use cas.example.com and not
> > example.com.  Exposing the cookie to more domains than necessary exposes
> > your TGT to applications that should not have access to it.
> >
> > Setting a max cookie age of -1 means that it's only valid for the duration
> > of the browser session (i.e. until you completely exit the
> > browser...though if you exit/restart quick enough it may still be in
> > there).
> >
> > -Scott
> >
> > On Jan 27, 2008 12:59 AM, Barrow H Kwan <bhkwan at thoughtworks.com> wrote:
> >
> > After I added "cookieDomain" in cas-servlet.xml under bean
> > "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" ( eg with
> > value="example.com" ).  I can use a fake CAS server to authenticate ( eg
> > use the sample username=password ) and access any other CAS server under
> > the example.com domain.
> >
> > Basically, if I have a production CAS server,  cas.example.com and an app,
> > app.example.com.  I connect to app.example.com, it redirects me to
> > cas.example.com, then I login ( backend is LDAP ) and it lets me access
> > app.example.com.  Now I set up another CAS server called
> > fake-cas.example.com ( with the cookieDomain set ) that uses
> > username=password for authentication.  I open my browser and go to
> > fake-cas.example.com and login with username=password.  Then go to
> > app.example.com, it lets me in without login through cas.example.com.
> >
> > Is this a security hole or is it because of my setting?  Also in the
> > instruction "http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS" ,
> > the cookieMaxAge is -1, does it mean the cookie will not expire at all ?
> >
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> > ------------------------------
> >
> > Message: 2
> > Date: Tue, 29 Jan 2008 13:01:36 -0800 (PST)
> > From: Krishna bhimanathini <krishna7904 at yahoo.com>
> > Subject: Single Sign out
> > To: cas at tp.its.yale.edu
> > Message-ID: <484845.88375.qm at web60822.mail.yahoo.com>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Hello
> >
> > I am using CAS server 3.1.1 and CAS java Client 3.1 RC1 for Single Sign On
> > in two applications in different domains. I am having no issues in doing
> > Single Sign On, thanks to entire team for making it available.
> >
> > Is it possible to logout the user from all the applications when he logs
> > out from one application?
> >
> > Thanks for your help in advance
> > Krishna
> > ------------------------------
> >
> > Message: 3
> > Date: Wed, 30 Jan 2008 09:04:00 +0800
> > From: "=?GB2312?B?wfnL6r7Nuty/4Q==?=" <chencao0524 at gmail.com>
> > Subject: Re: Single Sign out
> > To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > Message-ID:
> >    <66fa303b0801291704u15cc781at4c287262b1111153 at mail.gmail.com>
> > Content-Type: text/plain; charset="gb2312"
> >
> > Yes, CAS server 3.1.1 supports Single Sign Out now! If you want to logout,
> > visit https://your.cas.server/cas/logout, then you could logout all
> > applications. Below is the doc
> > http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
> > http://www.ja-sig.org/wiki/display/CASC/Configuring+Single+Sign+Out
> >
> >
> > --
> > Regards
> > CC.
> > ------------------------------
> >
> > Message: 4
> > Date: Wed, 30 Jan 2008 10:10:58 +0300
> > From: "Marat Radchenko" <slonopotamusorama at gmail.com>
> > Subject: Re: CAS 3.1 RC1 client
> > To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > Message-ID:
> >    <b944a51b0801292310tc099546g17f330af311d583a at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > I'd like to tell my thoughts about cas-client-3.1.
> >
> > 1) It no longer depends on cas-server-core. That's great. Much more simple
> > config (plain strings/urls instead of ServiceImpl)
> > 2) SpringConfiguredProxyReceptorServlet suddenly disappeared. That's
> > annoying (backward-compatibility lost). It was replaced with
> > Cas20ProxyReceivingTicketValidationFilter.
> > 3) SingleSignOutHttpSessionListener ticket/session mapping won't survive
> > server restart (even if sessions are not lost). That would be ok if there
> > were any possibility to inject smarter-than-hashmap storage. However it
> > isn't possible, so the only way is a full rewrite. Additionally, it will
> > have troubles in case of many sessions because it stores all of them in
> > memory.
> > 4) The worst thing: AbstractConfigurationFilter and all its descendants
> > cannot be configured from spring anymore. We use multiple profiles and
> > separate settings in .properties file. However in order to upgrade to
> > cas-client-3.1 we will have to do one of the following:
> > a) extend filter and add spring-friendly configuration means
> > b) create multiple web.xml files (I strongly dislike this option)
> > c) backport required stuff to cas-client-3.0
> >
> > Hope this feedback will help. I'm ready to discuss above problems so we
> > could find ways to solve them.
> >
> > 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > > The RC2 binary and source jars are in the repo.  I'm having trouble
> > > having it generate the javadocs so those are not in there right now.
> > >
> > > -Scott
> > >
> > > On Jan 29, 2008 9:37 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
> > >
> > > > > Additionally, please add sources and javadoc jar to repo. Thanks.
> > > > >
> > > > > 2008/1/29, Scott Battaglia <scott.battaglia at gmail.com>:
> > > > >
> > > > > > I'm building an RC2 shortly.  When that happens I'll make sure all
> > > > > > of the correct stuff ends up in the repo ;-)
> > > > > >
> > > > > > Thanks
> > > > > > -Scott
> > > > > >
> > > > > > On Jan 28, 2008 8:09 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
> > > > > >
> > > > > > > maven repo error:
> > > > > > > cas-client-core-3.1-RC1 uses cas-client-3.1-RC1 as parent pom.
> > > > > > > But there isn't any in
> > > > > > > http://developer.ja-sig.org/maven2/org/jasig/cas/cas-client/
> > > > > > >
> > > > > > > 2008/1/28, Scott Battaglia <scott.battaglia at gmail.com>:
> > > > > > >
> > > > > > > > Thanks!  I'll look at this tomorrow at work.
> > > > > > > >
> > > > > > > > -Scott
> > > > > > > >
> > > > > > > > On Jan 25, 2008 3:18 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > > Great!  I have created the JIRA:
> > > > > > > > > http://www.ja-sig.org/issues/browse/CASC-34
> > > > > > > > >
> > > > > > > > > -rg
> > > > > > > > >
> > > > > > > > > On Jan 25, 2008 2:28 PM, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Adding a template method sounds relatively reasonable.  If
> > > > > > > > > > you can create a JIRA issue to track it that would be
> > > > > > > > > > great.  I'll also probably look into whether it makes
> > > > > > > > > > sense to add one for failure too.
> > > > > > > > > >
> > > > > > > > > > -Scott
> > > > > > > > > >
> > > > > > > > > > On Jan 25, 2008 2:19 PM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > I was afraid you were going to ask that question  ;)
> > > > > > > > > > >
> > > > > > > > > > > Basically it's to deal with a scenario I mentioned in a
> > > > > > > > > > > prior email.  See question #1 here:
> > > > > > > > > > > http://article.gmane.org/gmane.comp.java.jasig.cas.user/4230
> > > > > > > > > > >
> > > > > > > > > > > How I am dealing with this scenario, is I created my own
> > > > > > > > > > > ExpirationPolicy which looks in a database for the last
> > > > > > > > > > > accessed time for the user's ticket granting ticket OR
> > > > > > > > > > > service ticket.  When the user makes an http request to
> > > > > > > > > > > a service webapp, an internal web service call will be
> > > > > > > > > > > made to update this "last accessed time" in the
> > > > > > > > > > > database.  What that means is I need to hold onto the
> > > > > > > > > > > service ticket IDs in the http session for each service.
> > > > > > > > > > >
> > > > > > > > > > > The problem I have is finding the appropriate place in
> > > > > > > > > > > the lifecycle of the service ticket validation http
> > > > > > > > > > > request to put the service ticket ID in the http
> > > > > > > > > > > session.  This is what I want to do right after the
> > > > > > > > > > > ticket is validated.  And now that I think about it a
> > > > > > > > > > > little more, the template method would need to be
> > > > > > > > > > > something like:
> > > > > > > > > > > onServiceTicketSuccess(ServletRequest, ServletResponse, Assertion)
> > > > > > > > > > >
> > > > > > > > > > > I'm guessing you are going to have a negative reaction
> > > > > > > > > > > to what I just described.  But know that I have control
> > > > > > > > > > > over the CAS webapp, and every single webapp that uses
> > > > > > > > > > > CAS for authentication.  This is a closed system with
> > > > > > > > > > > only my webapps.
> > > > > > > > > > >
> > > > > > > > > > > -rg
> > > > > > > > > > >
> > > > > > > > > > > On Jan 25, 2008 11:39 AM, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > rg,
> > > > > > > > > > > >
> > > > > > > > > > > > What's your use case for the functionality that needs
> > > > > > > > > > > > to happen after a successful service ticket
> > > > > > > > > > > > validation?  This way we can figure out the best way
> > > > > > > > > > > > to make the library extendable.
> > > > > > > > > > > >
> > > > > > > > > > > > -Scott
> > > > > > > > > > > >
> > > > > > > > > > > > On Jan 25, 2008 9:55 AM, rg <rg4312 at gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > I have been using the 3.1 RC1 client for a few days
> > > > > > > > > > > > > in the prototype I'm building.  So my perspective of
> > > > > > > > > > > > > the release client is limited, but, so far I haven't
> > > > > > > > > > > > > seen any bugs.
> > > > > > > > > > > > >
> > > > > > > > > > > > > One change that I would like to be considered is to
> > > > > > > > > > > > > change Cas20ProxyReceivingTicketValidationFilter to
> > > > > > > > > > > > > NOT be marked final, and to have a new template
> > > > > > > > > > > > > method onServiceTicketSuccess() declared in
> > > > > > > > > > > > > AbstractTicketValidationFilter and called in
> > > > > > > > > > > > > doFilter() after this.ticketValidator.validate().
> > > > > > > > > > > > > This way I can extend
> > > > > > > > > > > > > Cas20ProxyReceivingTicketValidationFilter and
> > > > > > > > > > > > > override onServiceTicketSuccess().
> > > > > > > > > > > > >
> > > > > > > > > > > > > I understand the goal to keep certain things final,
> > > > > > > > > > > > > but, all I want to do is add some code on successful
> > > > > > > > > > > > > service ticket validation, and I don't see any way
> > > > > > > > > > > > > to do it currently.
> > > > > > > > > > > > >
> > > > > > > > > > > > > thanks,
> > > > > > > > > > > > > -rg
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Jan 24, 2008 10:18 AM, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > It can be found here:
> > > > > > > > > > > > > > http://www.ja-sig.org/downloads/cas-clients/cas-client-3.1-RC1-release.zip
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Documentation can be found here:
> > > > > > > > > > > > > > http://www.ja-sig.org/wiki/display/CASC/CAS+Client+for+Java+3.1
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If you can try it out and give us any feedback
> > > > > > > > > > > > > > that would be great.  We're looking to do a
> > > > > > > > > > > > > > release soon so we can incorporate it into the
> > > > > > > > > > > > > > next version of Acegi.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > -Scott
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Jan 24, 2008 4:11 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Where I can download it?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > 2008/1/23, Scott Battaglia <scott.battaglia at gmail.com>:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Folks--
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > We want to get ready to do the CAS 3.1 client
> > > > > > > > > > > > > > > > release for Java (so we can start working on
> > > > > > > > > > > > > > > > 3.1.1).  I've done some testing of it locally.
> > > > > > > > > > > > > > > > Has anyone else tested it that can say it
> > > > > > > > > > > > > > > > works well?
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Thanks
> > > > > > > > > > > > > > > > -Scott
> > ------------------------------
> >
> > Message: 5
> > Date: Wed, 30 Jan 2008 08:22:45 -0500
> > From: "Scott Battaglia" <scott.battaglia at gmail.com>
> > Subject: Re: CAS 3.1 RC1 client
> > To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> > Message-ID:
> >    <1bbd36a10801300522n50b21358wf68200d67176cd5 at mail.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > On Jan 30, 2008 2:10 AM, Marat Radchenko <slonopotamusorama at gmail.com> wrote:
> >
> > > I'd like to tell my thoughts about cas-client-3.1.
> > >
> > > 1) It no longer depends on cas-server-core. That's great. Much more
> > > simple config (plain strings/urls instead of ServiceImpl)
> >
> > Yes, I thought that would be simpler ;-)
> >
> > > 2) SpringConfiguredProxyReceptorServlet suddenly disappeared. That's
> > > annoying (backward-compatibility lost). It was replaced with
> > > Cas20ProxyReceivingTicketValidationFilter.
> >
> > Yes, it was removed on purpose as it depended on Spring entirely, which
> > this library doesn't.
> >
> > > 3) SingleSignOutHttpSessionListener ticket/session mapping won't survive
> > > server restart (even if sessions are not lost). That would be ok if
> > > there were any possibility to inject smarter-than-hashmap storage.
> > > However it isn't possible, so the only way is a full rewrite.
> > > Additionally, it will have troubles in case of many sessions because it
> > > stores all of them in memory.
> >
> > If you had a JIRA issue I can attempt to make it similar to the
> > ProxyReceptorServlet where we provide the base and you implement two
> > methods that do the delete/retrieval.  Though memory should not be an
> > issue as they are only references to the session objects that already
> > exist.  And those references should be deleted when the session expires.
> >
> > > 4) The worst thing: AbstractConfigurationFilter and all its descendants
> > > cannot be configured from spring anymore. We use multiple profiles and
> > > separate settings in .properties file. However in order to upgrade to
> > > cas-client-3.1 we will have to do one of the following:
> > > a) extend filter and add spring-friendly configuration means
> > > b) create multiple web.xml files (i strongly dislike this option)
> > > c) backport required stuff to cas-client-3.0
> >
> > Yes, actually it can still be configured via Spring.  All of the filters
> > should have setters for their various properties.  We haven't done
> > extensive testing with it, but the goal was to allow you to either use
> > the web.xml for simple cases, or utilizing something else like Spring.
> >
> > We have some information on it here:
> > http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+using+Spring
> > (though it does look like I have one typo related to the
> > proxycallbackUrl.)
> >
> > Hope that helps.  Thanks for the feedback.
> > -Scott
> >
> ...
>
> [Message clipped]


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
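
The cookie-scoping advice in the quoted "Security concern with CAS cluster" messages above (restrict the TGT cookie to cas.example.com, or to a dedicated sso.example.com for a cluster), as an added example that is not part of the original thread or of the CAS code base. Host names are the ones used in the thread except the made-up wiki.sso.example.com; the function names are hypothetical, and matching follows the RFC 6265 domain-match rule without a public-suffix check.

```javascript
// Added example: audit which hosts a browser would send the CAS
// ticket-granting cookie to for a given cookieDomain setting.
// Assumptions: bare host names (no ports), Path/Secure attributes ignored,
// no public-suffix list. Function names are hypothetical helpers.

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
const normalize = (d) => d.trim().toLowerCase().replace(/^\./, '');

// RFC 6265 section 5.1.3: identical, or host ends with "." + cookie domain
// and host is a name rather than an IP address.
function domainMatches(host, cookieDomain) {
  const h = normalize(host);
  const d = normalize(cookieDomain);
  if (h === d) return true;
  return !isIp(h) && h.endsWith('.' + d);
}

// cookieDomain === null models a host-only cookie (no Domain attribute):
// the browser returns it only to the exact host that set it.
function receivesCookie(host, settingHost, cookieDomain) {
  if (cookieDomain === null) return normalize(host) === normalize(settingHost);
  return domainMatches(host, cookieDomain);
}

// casHosts: servers that must see the TGT cookie (the first one sets it).
// otherHosts: every other host under the same registrable domain.
function auditScope({ casHosts, otherHosts, cookieDomain }) {
  const cas = casHosts.map(normalize);
  const all = [...cas, ...otherHosts.map(normalize)];
  const settingHost = cas[0];
  // A browser drops a cookie whose Domain the setting host does not match.
  const rejected = cookieDomain !== null && !domainMatches(settingHost, cookieDomain);
  const receivers = rejected
    ? []
    : all.filter((h) => receivesCookie(h, settingHost, cookieDomain));
  const exposedTo = receivers.filter((h) => !cas.includes(h));
  const casMissing = cas.filter((h) => !receivers.includes(h));
  return {
    rejected,
    receivers,
    exposedTo,   // non-CAS hosts that would be handed the TGT cookie
    casMissing,  // cluster members that would never see it
    ok: !rejected && exposedTo.length === 0 && casMissing.length === 0,
  };
}

// Constructed scenarios taken from the thread's host names.
const scenarios = {
  'single server, cookieDomain=example.com': {
    casHosts: ['cas.example.com'],
    otherHosts: ['app.example.com', 'fake-cas.example.com'],
    cookieDomain: 'example.com',
  },
  'single server, cookieDomain=cas.example.com': {
    casHosts: ['cas.example.com'],
    otherHosts: ['app.example.com', 'fake-cas.example.com'],
    cookieDomain: 'cas.example.com',
  },
  'cluster option (b), cookieDomain=sso.example.com': {
    casHosts: ['cas1.sso.example.com', 'cas2.sso.example.com'],
    otherHosts: ['app1.example.com', 'app2.example.com'],
    cookieDomain: 'sso.example.com',
  },
  'cluster option (b) with another host under sso.example.com': {
    casHosts: ['cas1.sso.example.com', 'cas2.sso.example.com'],
    otherHosts: ['app1.example.com', 'wiki.sso.example.com'],
    cookieDomain: 'sso.example.com',
  },
  'cluster with host-only cookie': {
    casHosts: ['cas1.sso.example.com', 'cas2.sso.example.com'],
    otherHosts: ['app1.example.com', 'app2.example.com'],
    cookieDomain: null,
  },
};

function runAll() {
  const out = {};
  for (const [name, cfg] of Object.entries(scenarios)) out[name] = auditScope(cfg);
  return out;
}

for (const [name, r] of Object.entries(runAll())) {
  console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${name}`);
  if (r.exposedTo.length) console.log(`     exposed to: ${r.exposedTo.join(', ')}`);
  if (r.casMissing.length) console.log(`     not visible to: ${r.casMissing.join(', ')}`);
}
```
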