> If my application's session times out and CAS's SSO session is still valid,
> then attempting to access a different URL on my application (by clicking a
> link, for example) causes a redirection to /cas/login and back with a new
> ticket. All this happens transparently to the user (i.e., not asked to log in
> again).

You have just described a particular flow of single sign-on, so the behavior is by design.

> How is this actually handled by CAS?

The browser still contains the CASTGC cookie containing the ticket-granting ticket (TGT). Your application's AuthenticationFilter fires when it identifies a non-existent session, redirects to CAS with CASTGC intact, and CAS uses the TGT in the cookie to transparently generate a service ticket and redirect back to your application. Your application subsequently validates the ticket successfully and allows the user to access your service.

Note that the user would have to reauthenticate if the CAS TGT had expired, but by default TGT lifetimes are on the order of hours while Tomcat sessions are on the order of minutes.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
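The flow described in the reply, as an added illustration that is not part of the original thread and is not CAS or Java CAS Client code: a constructed Python model with a fake clock, in which the application session expires while the TGT behind the CASTGC cookie is still valid, so the next request goes to /cas/login, comes back with a fresh service ticket, is validated, and lands in a new application session without a login form; once the TGT has also expired, the same request ends at the login form. Hostnames, lifetimes and cookie names other than CASTGC are assumptions chosen for the example.

```python
"""Toy model of the CAS single sign-on re-login flow (constructed example).

Not CAS or Java CAS Client code: it models an application session that
expires before the CAS ticket-granting ticket (TGT) does, and the transparent
redirect / service-ticket validation round trip that follows.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed lifetimes (seconds) on a fake clock, so the example runs instantly;
# the reply notes that real TGTs last hours and Tomcat sessions minutes.
TGT_LIFETIME = 8 * 3600
APP_SESSION_LIFETIME = 30 * 60
CAS_LOGIN = "https://cas.example/cas/login"          # hypothetical hostname

clock = {"now": 0.0}     # fake clock, advanced explicitly by the scenario


def now():
    return clock["now"]


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)       # CASTGC, JSESSIONID


@dataclass
class CasServer:
    """Stand-in for /cas/login and /cas/serviceValidate."""
    tgts: dict = field(default_factory=dict)             # TGT id -> (user, expiry)
    service_tickets: dict = field(default_factory=dict)  # ST id -> (user, service)

    def login(self, browser, service, credentials=None):
        """Redirect URL back to `service` with a fresh service ticket, or None
        when there is no valid TGT and the login form would be shown."""
        record = self.tgts.get(browser.cookies.get("CASTGC"))
        if record and record[1] > now():
            user = record[0]                              # SSO: TGT still valid
        elif credentials:
            user = credentials                            # interactive login
            tgt_id = "TGT-" + secrets.token_hex(8)
            self.tgts[tgt_id] = (user, now() + TGT_LIFETIME)
            browser.cookies["CASTGC"] = tgt_id
        else:
            return None
        st = "ST-" + secrets.token_hex(8)
        self.service_tickets[st] = (user, service)
        return service + "?" + urlencode({"ticket": st})

    def service_validate(self, service, ticket):
        """Single-use validation, bound to the service the ticket was issued for."""
        record = self.service_tickets.pop(ticket, None)
        if record is None or record[1] != service:
            return None
        return record[0]


@dataclass
class App:
    """Stand-in for the application's AuthenticationFilter and ticket validation."""
    cas: CasServer
    service_url: str = "https://app.example/"            # hypothetical
    sessions: dict = field(default_factory=dict)          # session id -> (user, expiry)

    def handle(self, browser, url):
        sess = self.sessions.get(browser.cookies.get("JSESSIONID"))
        if sess and sess[1] > now():
            return "page", sess[0]
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if ticket is None:                                # no session, no ticket: go to CAS
            return "redirect", CAS_LOGIN + "?" + urlencode({"service": self.service_url})
        user = self.cas.service_validate(self.service_url, ticket)
        if user is None:
            return "error", "invalid ticket"
        sid = "SID-" + secrets.token_hex(8)               # fresh session after validation
        self.sessions[sid] = (user, now() + APP_SESSION_LIFETIME)
        browser.cookies["JSESSIONID"] = sid
        return "page", user


def visit(browser, app, cas, url, credentials=None, max_hops=5):
    """Follow the redirect chain the user never sees; return (user, hop list)."""
    hops = []
    for _ in range(max_hops):
        if url.startswith(CAS_LOGIN):
            hops.append("cas/login")
            service = parse_qs(urlparse(url).query)["service"][0]
            url = cas.login(browser, service, credentials)
            if url is None:
                return None, hops + ["login form"]
            continue
        kind, value = app.handle(browser, url)
        hops.append("app:" + kind)
        if kind != "redirect":
            return (value if kind == "page" else None), hops
        url = value
    raise RuntimeError("redirect loop")


def run_scenario():
    """Initial login, silent re-login after app session expiry, then TGT expiry."""
    cas, browser = CasServer(), Browser()
    app = App(cas)
    first = visit(browser, app, cas, app.service_url, credentials="alice")
    sid_before = browser.cookies["JSESSIONID"]
    clock["now"] += APP_SESSION_LIFETIME + 1              # app session gone, TGT alive
    silent = visit(browser, app, cas, app.service_url)
    sid_after = browser.cookies["JSESSIONID"]
    clock["now"] += TGT_LIFETIME                           # now the TGT has expired too
    expired = visit(browser, app, cas, app.service_url)
    return {"first": first, "silent": silent, "expired": expired,
            "new_session": sid_before != sid_after}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The hop lists returned by `run_scenario()` make the point of the reply visible: the silent re-login takes exactly the same three hops as the first login (app redirect, /cas/login, app page) with no login form in between, and the application ends up with a brand-new session id; only after the TGT expires does the chain stop at the login form. The service ticket is single-use and bound to the service it was issued for, which is what lets the application trust the validation result.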
