> -----Original Message-----
> From: trac-users@googlegroups.com [mailto:trac-us...@googlegroups.com]
> On Behalf Of Eirik Schwenke
> Sent: Monday, March 08, 2010 10:07 AM
> To: trac-users@googlegroups.com
> Subject: Re: [Trac] TracCasPlugin performs unwanted logout (or single
> sign out)
> 
> Giuseppe Sollazzo wrote on 08 March 2010 09:54:
> > Hi Noah,
> > well... theoretically you are at least partially right. But that's not
> > the case when discussing a real implementation, and I can explain why.
> >
> > The point with CAS is that it offers an *optional* single sign out
> > procedure. Most applications/implementations won't log out the full CAS
> > session. In most installs I've seen, there is no interest in a single
> > sign out, or when such interest is valid, single sign out is performed
> > using a centralized "logout" web application (generally it's the
> > corporate portal).
> >
> > There are many reasons for doing this, but the very simple one (the one
> > most sysadmins give when asked) is that most users are fine with a
> > centralized login, but would not assume to have logged out globally. In
> > environments with thousands of users, all of them very diverse (wrt IT
> > skills), it's not advisable (and it's common practice) to have a single
> > sign out, but just a single sign on.
> >
> > That's why when configuring most applications (I've had experience with
> > Moodle, Plone, Apache, and some others) you get asked, in the
> > configuration files/GUI, to specify entry points for both /login and
> > /logout. Actually, all apps so far allow that, except Trac.
> 
> <end-of-day-off-topic-rant>
> The above (varying levels of IT competence) is *exactly* why Single Sign
> On without Single Sign Out is always going to be a huge security issue.
>
> I think the general reason for requiring Single Sign Out via a global
> portal is that most "enterprise" systems are horrible, broken, insecure
> crap -- and the contractors couldn't be bothered to care about security
> of the systems involved, or read enough of a spec to be able to actually
> *provide* single sign out...
> </rant>
> 
> > So the question is still valid :-) Is there a known way of avoiding
> > single sign out?
> 
> Looking at:
> 
> http://trac-hacks.org/browser/traccasplugin/0.11/traccas/traccas.py
> 
> it would appear the way the CAS plugin checks to see if a user is logged
> in is by checking for a valid CAS ticket (which is exactly what you
> would expect it to do).
>
> And the logout call invalidates the CAS ticket.

You can change the URL used for logout if you want ([cas] logout_path), but
without single-sign-out you should probably just be using
AccountManager+LdapAuth.

--Noah
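The two logout behaviours argued over in this thread, as an added illustration that is not code from TracCasPlugin, CAS, or any of the posters. It is a constructed in-memory model: `CasServer` issues a ticket-granting ticket (the SSO session) on password login and one-time service tickets from it, `ServiceApp` stands in for Trac, and the names `logout_local` / `logout_global`, the user `alice`, and the service URL are all invented for the example. The point it makes is the one Eirik raises: an application "logout" that only drops its own session leaves the CAS session alive, so the next visit to the service re-authenticates the browser silently, whereas calling the CAS logout invalidates the ticket-granting session for every service.

```python
"""Constructed model of CAS single sign-on with and without single sign-out.

Added example only; not TracCasPlugin's or the CAS project's code. Class
and method names are invented for illustration.
"""
import secrets


class CasServer:
    """Minimal CAS server: a password login issues a ticket-granting ticket
    (TGT, the SSO cookie); a valid TGT yields one-time service tickets."""

    def __init__(self, users):
        self.users = users            # username -> password (constructed test data)
        self.tgts = {}                # TGT -> username (the SSO session)
        self.service_tickets = {}     # ST -> (username, service it was issued for)

    def login(self, username, password):
        if self.users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = username
        return tgt

    def request_service_ticket(self, tgt, service):
        """A browser holding the SSO cookie visits /login?service=...: with a
        live TGT it gets a service ticket without typing a password again."""
        username = self.tgts.get(tgt)
        if username is None:
            return None               # no SSO session: user must re-enter credentials
        st = "ST-" + secrets.token_hex(8)
        self.service_tickets[st] = (username, service)
        return st

    def validate(self, st, service):
        """/serviceValidate: a service ticket is single-use and bound to one service."""
        entry = self.service_tickets.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]

    def logout(self, tgt):
        """/logout: ends the SSO session itself (single sign-out)."""
        self.tgts.pop(tgt, None)


class ServiceApp:
    """An application (think Trac) that authenticates its users via CAS."""

    def __init__(self, service_url):
        self.service_url = service_url
        self.sessions = {}            # app session id -> username

    def cas_login(self, cas, tgt):
        """Obtain and validate a service ticket; returns an app session id or None."""
        st = cas.request_service_ticket(tgt, self.service_url)
        if st is None:
            return None
        username = cas.validate(st, self.service_url)
        if username is None:
            return None
        sid = "SID-" + secrets.token_hex(8)
        self.sessions[sid] = username
        return sid

    def current_user(self, sid):
        return self.sessions.get(sid)

    def logout_local(self, sid):
        """Drop only this app's session; the CAS TGT stays valid."""
        self.sessions.pop(sid, None)

    def logout_global(self, cas, sid, tgt):
        """Drop the app session and also end the CAS SSO session."""
        self.sessions.pop(sid, None)
        cas.logout(tgt)


def demonstrate():
    """Run both logout styles; report whether the SSO session survives each."""
    cas = CasServer({"alice": "correct-horse"})      # constructed credentials
    app = ServiceApp("https://trac.example/login")   # constructed service URL
    tgt = cas.login("alice", "correct-horse")

    sid = app.cas_login(cas, tgt)
    app.logout_local(sid)
    # Without single sign-out the next visit logs the browser back in silently.
    sso_survives_local_logout = app.cas_login(cas, tgt) is not None

    sid = app.cas_login(cas, tgt)
    app.logout_global(cas, sid, tgt)
    sso_survives_global_logout = app.cas_login(cas, tgt) is not None

    return {
        "local": sso_survives_local_logout,     # True
        "global": sso_survives_global_logout,   # False
    }


if __name__ == "__main__":
    print(demonstrate())
```

On a shared workstation the `local` result is the risk Eirik describes: the user believes they have logged out of Trac, but anyone who next opens the service URL in that browser is authenticated as them. The `global` result is what the plugin's logout does today; an app-only `/logout` entry point, as Giuseppe asks for, trades that protection for convenience and should be paired with a short CAS session lifetime or a portal-level logout users actually use.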
