ACEGI 0.8.2 + CAS 3.0: Global logout and user refresh
  • ACEGI 0.8.2 + CAS 3.0: Global logout and user refresh

    Hi,

    I use ACEGI and CAS to secure several webapps

    Being authenticated in webapp A, I open a browser on webapp B -> I am authenticated. Fine.

    Then I log out in webapp A. Then I try to access a protected page on webapp A => I am still authenticated !!!

    Reason found: When I log out, CAS destroys the TGC. Fine. But the ticket is still in the CasAuthenticationProvider's statelessTicketCache. As a consequence, CasAuthentication never detects that the user logged out.

    Here is the code of the CasAuthenticationProvider that leads me to say that:

    Code:
    (...)
    public class CasAuthenticationProvider implements AuthenticationProvider {
        (...)
        public Authentication authenticate(Authentication authentication) {
            (...)
            if (stateless) {
                // Try to obtain from cache
                result = statelessTicketCache.getByTicketId(authentication.getCredentials()
                                                                          .toString());
            }

            if (result == null) {
                result = this.authenticateNow(authentication);
            }

            if (stateless) {
                // Add to cache
                statelessTicketCache.putTicketInCache(result);
            }
            (...)
        }
    }
    Would it be possible for the CasAuthenticationProvider to try to get the TGC before doing so, and launch authenticateNow if it is not found? If yes, is it planned in a future version of ACEGI?

    Moreover, this would lead to an easy global logout for all webapps, given that none would find the TGC and would therefore be in a "logout state".


    This was my first issue. My second one is as follows:

    When my CasAuthenticationToken is updated in webapp A, I do not have any means to fire the change to webapp B. Does anyone know how to do this?

    Thanks in advance,
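The cached-ticket window described in this post, as an added simulation that is not ACEGI's or CAS's own code: it models the authenticate() flow quoted above against a constructed in-memory stand-in for the CAS server (the class and field names, the user "alice" and the ticket id are all assumed), and shows that giving cache entries a TTL bounds how long a server-side logout goes unnoticed, whereas the unbounded cache never notices it.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added illustration, not ACEGI or CAS code: a ticket cache consulted
// before the server, as in the quoted authenticate() method.
public class TicketCacheDemo {
    // Constructed stand-in for the CAS server: tickets whose owner still
    // has a live SSO session (assumption: a CAS logout removes them).
    static final Set<String> liveTickets = new HashSet<>();

    static final class Entry {
        final String user; final long expiresAt;
        Entry(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    private final Map<String, Entry> statelessTicketCache = new HashMap<>();
    private final long ttlMillis; // a huge value models the unbounded cache

    TicketCacheDemo(long ttlMillis) { this.ttlMillis = ttlMillis; }

    // Returns the user name, or null when the caller must be treated as logged out.
    String authenticate(String ticket, long now) {
        Entry cached = statelessTicketCache.get(ticket);
        if (cached != null && now < cached.expiresAt) {
            return cached.user;            // served from cache; CAS is never asked
        }
        statelessTicketCache.remove(ticket);
        if (!liveTickets.contains(ticket)) {
            return null;                   // authenticateNow() would fail here
        }
        statelessTicketCache.put(ticket, new Entry("alice", now + ttlMillis));
        return "alice";
    }

    public static void main(String[] args) {
        liveTickets.add("ST-123");                       // constructed ticket id
        TicketCacheDemo unbounded = new TicketCacheDemo(Long.MAX_VALUE / 2);
        TicketCacheDemo bounded = new TicketCacheDemo(60_000L); // one-minute window
        unbounded.authenticate("ST-123", 0L);
        bounded.authenticate("ST-123", 0L);
        liveTickets.remove("ST-123");                    // user logs out at CAS: TGC destroyed
        long later = 120_000L;
        System.out.println("unbounded cache: " + unbounded.authenticate("ST-123", later));
        System.out.println("bounded cache:   " + bounded.authenticate("ST-123", later));
    }
}
```

The unbounded cache keeps returning the stale user after the CAS logout, while the bounded one rejects the request once its entry has expired; the TTL is the maximum time a logged-out user stays "authenticated" in that webapp.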

  • #2
    The behaviour you are observing is expected in CAS 2. If you log out of the CAS server, it has no way of notifying already running applications of your logout. Please check the CAS mailing lists for further information, e.g. http://tp.its.yale.edu/pipermail/cas...ry/001010.html.



  • #3
    Hi Ben,

    Thanks for your advice. Actually, we resolved the problem using a specific cookie that every webapp reads in order to know whether the identified user is still logged in or not.
