Hi Garey

First, using a ticket as a session identifier is a security risk. Normally, a CAS ticket is validated once. Geoserver sends the ticket to the CAS server and receives the user name.

Upon successful validation, the CAS server removes the ticket from its ticket registry. The following scenario is possible:

1) Geoserver receives a ticket "ST-123456".
2) The ticket is validated and the user name is "user1". The CAS server removes the ticket from its registry.
3) If the ticket is a session identifier, Geoserver has to remember the ticket value.
4) A new user "user2" requires a CAS ticket. It is unlikely but possible that the new user gets an identical ticket "ST-123456".
5) Geoserver receives the ticket (the session identifier) and "user2" has the same privileges as "user1". This is not correct.

I did some investigations last weekend and I think I will do it the following way.

- Concerning Geoserver there is no difference between service tickets and proxy tickets, the important fact is to retrieve the user name by validating the ticket.

- I will add a configuration option "allowSessionCreation". Enabled means that GeoServer will create a http session, sending back a cookie to the client. If this option is disabled, no cookie is sent back and a new ticket is required for each request.

In your scenario, you should use "allowSessionCreation=true". This will work well for browser clients. OpenGeoPortal has to retransmit the cookie for each request.

I will keep you informed
Christian
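The five-step ticket-collision scenario and the proposed "allowSessionCreation" behaviour, as an added simulation that is not part of this thread and not GeoServer's or CAS's own code. The classes CasServer, TicketAsSessionGeoServer and SessionCookieGeoServer, and the ability to force a ticket value to reproduce the collision, are constructed assumptions; a real CAS server issues unpredictable tickets, which is exactly why the collision is "unlikely but possible" rather than impossible.

```python
"""Constructed simulation: single-use CAS tickets vs. tickets reused as session ids."""
import secrets


class CasServer:
    """Toy CAS ticket registry: a ticket validates exactly once, then is removed."""

    def __init__(self):
        self._registry = {}  # ticket -> user name

    def issue_ticket(self, user, ticket=None):
        # Tickets are random; 'ticket' may be forced to reproduce the collision.
        ticket = ticket or "ST-" + secrets.token_hex(8)
        self._registry[ticket] = user
        return ticket

    def validate(self, ticket):
        """Return the user name for the ticket (or None); the ticket is consumed."""
        return self._registry.pop(ticket, None)


class TicketAsSessionGeoServer:
    """Unsafe design: caches ticket -> user and accepts the same ticket string
    on later requests without asking CAS again."""

    def __init__(self, cas):
        self.cas = cas
        self.sessions = {}  # ticket value -> user

    def request(self, ticket):
        if ticket in self.sessions:
            return self.sessions[ticket]      # never revalidated
        user = self.cas.validate(ticket)
        if user is not None:
            self.sessions[ticket] = user
        return user


class SessionCookieGeoServer:
    """allowSessionCreation design: every ticket is validated once; if sessions
    are allowed, the client gets a random cookie unrelated to the ticket value."""

    def __init__(self, cas, allow_session_creation):
        self.cas = cas
        self.allow_session_creation = allow_session_creation
        self.sessions = {}  # cookie -> user

    def request(self, ticket=None, cookie=None):
        """Return (user, cookie); cookie is None when no session was created."""
        if cookie is not None and cookie in self.sessions:
            return self.sessions[cookie], cookie
        if ticket is None:
            return None, None
        user = self.cas.validate(ticket)
        if user is None:
            return None, None
        if not self.allow_session_creation:
            return user, None                 # fresh ticket needed next time
        new_cookie = secrets.token_urlsafe(32)
        self.sessions[new_cookie] = user
        return user, new_cookie


def demo_ticket_reuse():
    """Steps 1-5: a colliding 'ST-123456' lets user2 act as user1."""
    cas = CasServer()
    gs = TicketAsSessionGeoServer(cas)
    t1 = cas.issue_ticket("user1", ticket="ST-123456")
    first = gs.request(t1)                               # validated -> "user1"
    t2 = cas.issue_ticket("user2", ticket="ST-123456")   # forced collision
    second = gs.request(t2)                              # served from the cache
    return first, second                                 # ("user1", "user1")


def demo_session_cookie():
    """allowSessionCreation=true: replayed tickets fail, cookies stay per user."""
    cas = CasServer()
    gs = SessionCookieGeoServer(cas, allow_session_creation=True)
    t1 = cas.issue_ticket("user1", ticket="ST-123456")
    user, cookie = gs.request(ticket=t1)
    replay, _ = gs.request(ticket=t1)                    # CAS already consumed it
    t2 = cas.issue_ticket("user2", ticket="ST-123456")   # forced collision
    user2, cookie2 = gs.request(ticket=t2)               # validated, own cookie
    still_user1, _ = gs.request(cookie=cookie)
    return user, replay, user2, still_user1, cookie != cookie2


def demo_no_session():
    """allowSessionCreation=false: no cookie, each request needs a new ticket."""
    cas = CasServer()
    gs = SessionCookieGeoServer(cas, allow_session_creation=False)
    t = cas.issue_ticket("user1")
    user, cookie = gs.request(ticket=t)
    again, _ = gs.request(ticket=t)
    return user, cookie, again                           # ("user1", None, None)
```

The cookie issued by SessionCookieGeoServer carries no relationship to the ticket, so a later ticket that happens to share the old value is sent to CAS and mapped to its real owner; the cached design never asks CAS again and therefore inherits whatever privileges the first validation established.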

Quoting Garey Mills <gmi...@library.berkeley.edu>:

> Christian -
>
>     Please see the discussion below. I have an application
> (OpenGeoPortal) that will be making repeated requests to Geoserver
> inside of one person's session (in OpenGeoPortal). Generating a new
> proxy ticket for each request does not look like a good fit for that
> use.
>
>     Is there any way to allow repeated use of a given proxy ticket?
>
> Garey Mills
>
>
> -------- Original Message --------
> Subject:      Re: [cas-user] Question about CAS proxy tickets
> Date:         Fri, 07 Sep 2012 17:04:44 -0400
> From:         William G. Thompson, Jr. <wgt...@gmail.com>
> Reply-To:     cas-u...@lists.jasig.org
> To:   cas-u...@lists.jasig.org
>
>
>
> On Fri, Sep 7, 2012 at 2:50 PM, Garey Mills
> <gmi...@library.berkeley.edu> wrote:
>> Hello -
>>
>>    I am trying to get a CAS-protected Java servlet app to use a web
>> service, so as I understand it the web service will have to accept proxy
>> tickets.
>>    I am told by the person who is CASifying the web service that I will
>> have to send a new proxy ticket with each request to the web service. Is
>> this doable? Is it usual? Does it make sense?
>
> Doable? yes
>
> Usual? hard to say
>
> Does it make sense? maybe.  If the servlet app is making very
> infrequent requests to the target web service, getting a new proxy
> ticket for each request could be reasonable.   If the app is making
> frequent repeated requests or has to carry on a stateful conversation
> you might want to consider using the PT as a sort of session
> identifier (or some other mechanism) for repeated requests after
> validation.
>
> Best,
> Bill
>
>
>>
>> Thanks for any input;
>>
>> --
>> Garey Mills
>> Library Systems Office
>> UC Berkeley
>>
>>
>> --
>> You are currently subscribed to cas-u...@lists.jasig.org as:
>> wgt...@gmail.com
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> -- 
> You are currently subscribed to cas-u...@lists.jasig.org as:
> gmi...@library.berkeley.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user



_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users