I want to share my own experience about the synchronized timeout. Read this carefully because it may be a little dark, but trust me, it works.

Cases:

1- The user wants to log out: the logout controller in any of the webapps should redirect to /logout in CAS, and all webapps should destroy the session.

2- The user closes the browser or leaves the navigation in the site: the current webapp recognizes that and after some time sends the event to CAS (a new servlet that catches webapp events). CAS waits some time for new authentication events of the user who closed the browser or left the navigation in the site; if no new authentication events of the user happen, CAS destroys all sessions of the user in all webapps.

3- The user leaves the navigation on the current webapp but switches to another webapp on the system: after the new webapp authenticates the user, it sends the authentication event to CAS (to the new servlet that catches webapp events) to invalidate all petitions to log out sessions in all webapps. Note that this event is sent to CAS before the logout event described in step 2.

4- A user with admin rights wants to log out a specific user.

To complete this task CAS needs to save some additional data about users, like username, IP address, user last request, whether the user browser is closed or the user left the navigation on the system, and the global session id of the user, which may be a DB id or the same CAS service ticket id.

The new servlet, named by me CheckLogoutServletServer, processes 3 URLs:

1- /CheckLogout/Open
2- /CheckLogout/Close
3- /CheckLogout/Del

In URL 1 the CheckLogoutServletServer expects the service ticket id, to update the last request of the user to the actual time and set to false the value that indicates that the user browser is closed or the user left the navigation on the system. This is to indicate that the user has logged on in one webapp on the system or returned to another previously left one.

In URL 2 the CheckLogoutServletServer expects the service ticket id, to update the last request of the user to a past time near the timeout (TimetoExpire value configured) and set to true the value that indicates that the user browser is closed or the user left the navigation on the system, only if the time interval between the last request and the actual time is >= the TimetoExpire value configured, to check if the user has passed to another webapp on the system.

In URL 3 the CheckLogoutServletServer expects the global session id, to log out the user sessions in all webapps using the ticket invalidation system of CAS.

The users registry that contains the saved user data must have a thread to monitor the sessions that have the value that indicates that the user browser is closed or the user left the navigation on the system set to true, to check if the last request is >= the session timeout of CAS. The users registry must have access to the tickets registry of CAS.

The webapps must save the service ticket id of the users to send it to CheckLogoutServletServer when:

1- the user has logged in to the webapp: the service ticket id must be sent to /CheckLogout/Open
2- it is detected that the user browser is closed or the user left the navigation on the system: /CheckLogout/Close
3- the user returns to the webapp when the info to /CheckLogout/Close has been sent and CAS has not yet sent the info to invalidate the session in all webapps of the system

To send the info to CheckLogoutServletServer you can use the class HTTPClient provided by CAS.

All of this has been designed for webapps that use Acegi, but with this info it must be extensible to any webapp. Report any question through this mailing list, but it must be before July 20 of 2008. Later I will share my solution to JCAPTCHA integration with CAS.
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
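The registry logic the post describes, as an added example that is not the poster's code or part of CAS: the three CheckLogout URLs become methods, the monitor thread becomes an explicit sweep() call, and it assumes entries are keyed by the service ticket id with a last-request timestamp and a closed flag (the IP address the post also stores is left out).

```python
# Added example modelling the post's CheckLogout registry (not CAS code); the
# three URLs become methods and the monitor thread becomes an explicit sweep().
from dataclasses import dataclass

@dataclass
class Entry:
    username: str
    last_request: float   # seconds; the post also stores an IP address, omitted here
    closed: bool = False  # "browser closed or navigation left" flag

class CheckLogoutRegistry:
    def __init__(self, time_to_expire: float, session_timeout: float):
        self.time_to_expire = time_to_expire    # TimetoExpire from the post
        self.session_timeout = session_timeout  # CAS session timeout
        self.entries: dict[str, Entry] = {}     # keyed by service ticket id (assumed)
        self.invalidated: list[str] = []        # handed to CAS ticket invalidation

    def open(self, ticket: str, username: str, now: float) -> None:
        """/CheckLogout/Open: user logged in to a webapp or came back to one."""
        entry = self.entries.get(ticket)
        if entry is None:
            self.entries[ticket] = Entry(username, now)
        else:
            entry.last_request, entry.closed = now, False

    def close(self, ticket: str, now: float) -> bool:
        """/CheckLogout/Close; ignored if an Open came < TimetoExpire ago (case 3)."""
        entry = self.entries.get(ticket)
        if entry is None or now - entry.last_request < self.time_to_expire:
            return False
        entry.closed = True
        entry.last_request = now - self.time_to_expire  # backdate near the timeout
        return True

    def delete(self, ticket: str) -> bool:
        """/CheckLogout/Del: admin-driven logout of one user in all webapps."""
        if self.entries.pop(ticket, None) is None:
            return False
        self.invalidated.append(ticket)
        return True

    def sweep(self, now: float) -> list[str]:
        """One tick of the monitor thread: closed sessions whose last request
        is at least session_timeout old are logged out everywhere."""
        expired = [t for t, e in self.entries.items()
                   if e.closed and now - e.last_request >= self.session_timeout]
        for t in expired:
            self.delete(t)
        return expired
```

With TimetoExpire of 60 s and a CAS timeout of 300 s, a Close that arrives 100 s after the Open backdates the entry to 40 s, so the sweep logs the user out at 340 s unless an Open from another webapp clears the flag first.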
