ACEGI 0.8.2 + CAS 3.0: Global logout and user refresh
Hi,
I use ACEGI and CAS to secure several webapps.
Being authenticated in webapp A, I open a browser on webapp B -> I am authenticated. Fine.
Then I log out in webapp A. Then I try to access a protected page on webapp A => I am still authenticated!!!
Reason found: When I log out, CAS destroys the TGC. Fine. But the ticket is still in the CasAuthenticationProvider's statelessTicketCache. As a consequence, the CasAuthentication never detects that the user logged out.
Here is the code of the CasAuthenticationProvider that leads me to say that:
Code:
    (...)
    public class CasAuthenticationProvider implements AuthenticationProvider{
        (...)
        public Authentication authenticate(Authentication authentication)
            (...)
            if (stateless) {
                // Try to obtain from cache
                result = statelessTicketCache.getByTicketId(authentication.getCredentials()
                        .toString());
            }
            if (result == null) {
                result = this.authenticateNow(authentication);
            }
            if (stateless) {
                // Add to cache
                statelessTicketCache.putTicketInCache(result);
            }
            (...)
        }
    }
Would it be possible for the CasAuthenticationProvider to try to get the TGC before doing such, and launch authenticateNow if not found? If yes, is it planned in a future version of ACEGI?
Moreover, this would lead to an easy global logout for all webapps, given that none would find the TGC, and would therefore be in a "logout state".
This was my first issue. My second one is as follows:
When my CasAuthenticationToken is updated in webapp A, I do not have any means to fire the change to webapp B. Does anyone know how to do this?
Thanks in advance,
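
The cache-before-validate order in the excerpt above, as an added illustration that is not part of the original post and is not Acegi or CAS code. It is a simplified, self-contained model: `FakeCasServer`, `CachingProvider`, the `evict` hook and the ticket value are all hypothetical, and a logout is modelled as the server no longer accepting the ticket.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model; none of these classes are Acegi or CAS classes.
public class StaleTicketCacheDemo {

    // Stand-in for the CAS server: a ticket validates only while it is live.
    static class FakeCasServer {
        private final Map<String, String> live = new HashMap<>();
        void issue(String ticket, String user) { live.put(ticket, user); }
        void logout(String ticket) { live.remove(ticket); }
        String validate(String ticket) { return live.get(ticket); } // null = rejected
    }

    // Mirrors the order of the excerpt: look in the cache, validate only on a miss.
    static class CachingProvider {
        private final FakeCasServer cas;
        private final Map<String, String> cache = new HashMap<>();
        CachingProvider(FakeCasServer cas) { this.cas = cas; }

        String authenticate(String ticket) {
            String user = cache.get(ticket);      // a cache hit never reaches the server
            if (user == null) {
                user = cas.validate(ticket);      // plays the role of authenticateNow
                if (user == null) throw new SecurityException("ticket rejected");
                cache.put(ticket, user);
            }
            return user;
        }

        // Hypothetical logout hook: drop the cached entry so the next call re-validates.
        void evict(String ticket) { cache.remove(ticket); }
    }

    public static void main(String[] args) {
        FakeCasServer cas = new FakeCasServer();
        CachingProvider webappA = new CachingProvider(cas);
        cas.issue("ST-constructed-1", "alice");   // constructed sample ticket

        System.out.println("before logout: " + webappA.authenticate("ST-constructed-1"));
        cas.logout("ST-constructed-1");
        // The server no longer accepts the ticket, but the cached entry still answers.
        System.out.println("after logout (cached): " + webappA.authenticate("ST-constructed-1"));

        webappA.evict("ST-constructed-1");
        try {
            webappA.authenticate("ST-constructed-1");
        } catch (SecurityException e) {
            System.out.println("after eviction: " + e.getMessage());
        }
    }
}
```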