> Is there any loss of .net integration going this route? There could be loss of integration/functionality in the application using CAS if they expect a more native authentication/authorization framework like Forms.
> Could I still > take an app that is current using Forms authN and switch to CAS with a > simple web.conf switch? That's an ambitious goal, and one that will be hard to meet in the Windows world. Since .NET is heavily integrated with the Windows environment, the notion of pluggable authentication is much less developed than in other frameworks. I can certainly see the value in avoiding application changes to use CAS authentication, but I do think it represents additional work if it's even possible at all. > Any thoughts on where to stash the ICasPrincipal between requests? In a module-scope data structure like a dictionary. My impl relied on a secure cookie with a cryptographically strong value (hash of ticket validation date + secure random + netid); that could be used as the key to look up the principal. We'd need an out-of-band worker process to periodically sweep that data structure for orphaned sessions, but that should be straightforward. M -- You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
