Hi,
I use ACEGI and CAS to secure several webapps.
Being authenticated in webapp A, I open a browser on webapp B -> I am authenticated. Fine.
Then I log out in webapp A. I then try to access a protected page on webapp A => I am still authenticated!!!
Reason found: When I log out, CAS destroys the TGC. Fine. But the ticket is still in the CasAuthenticationProvider's statelessTicketCache. As a consequence, the CasAuthentication never detects the user logged out.
Here is the code of the CasAuthenticationProvider that leads me to say that:
Code:
    (...)
    public class CasAuthenticationProvider implements AuthenticationProvider {
        (...)
        public Authentication authenticate(Authentication authentication)
            (...)
            if (stateless) {
                // Try to obtain from cache
                result = statelessTicketCache.getByTicketId(authentication.getCredentials().toString());
            }

            if (result == null) {
                result = this.authenticateNow(authentication);
            }

            if (stateless) {
                // Add to cache
                statelessTicketCache.putTicketInCache(result);
            }
            (...)
        }
    }
Would it be possible for the CasAuthenticationProvider to try to get the TGC before doing such, and launch authenticateNow if not found? If yes, is it planned in a future version of ACEGI?
Moreover, this would lead to an easy global logout for all webapps, given that none would find the TGC, and would therefore be in a "logout state".
This was my first issue. My second one is as follows:
When my CasAuthenticationToken is updated in webapp A, I do not have any means to fire the change to webapp B. Does anyone know how to do this?
Thanks in advance,
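
A simplified model of the cache-first flow in the quoted method, added here as an example (it is not Acegi code and not part of the original post). The class and method names, the TTL and the ticket value are assumptions; it shows a cached entry outliving a server-side logout, and a bounded TTL or an explicit eviction on logout closing that window.

```java
import java.util.*;

// Hypothetical model, not Acegi code: all names below are invented for illustration.
public class StatelessCacheLogoutDemo {
    // Stands in for the CAS server: the tickets it still considers valid.
    static final Set<String> serverValidTickets = new HashSet<>();

    static class Provider {
        private final Map<String, String> cache = new HashMap<>();  // ticket -> user
        private final Map<String, Long> cachedAt = new HashMap<>(); // ticket -> insert time
        private final long ttlMillis;
        Provider(long ttlMillis) { this.ttlMillis = ttlMillis; }

        // Same order as the quoted method: cache first, server only on a miss.
        String authenticate(String ticket, String user, long now) {
            Long t = cachedAt.get(ticket);
            if (t != null && now - t < ttlMillis) return cache.get(ticket);
            evict(ticket); // entry is expired or absent
            if (!serverValidTickets.contains(ticket))
                throw new SecurityException("ticket rejected by server: " + ticket);
            cache.put(ticket, user);
            cachedAt.put(ticket, now);
            return user;
        }
        void evict(String ticket) { cache.remove(ticket); cachedAt.remove(ticket); }
    }

    static boolean accepted(Provider p, String ticket, long now) {
        try { p.authenticate(ticket, "alice", now); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        String ticket = "ST-constructed-1"; // constructed sample value
        serverValidTickets.add(ticket);
        Provider p = new Provider(60_000);
        System.out.println("login:                " + accepted(p, ticket, 0));
        serverValidTickets.remove(ticket); // logout is known to the server only
        System.out.println("after logout, cached: " + accepted(p, ticket, 1_000));
        System.out.println("after TTL expiry:     " + accepted(p, ticket, 61_000));
        serverValidTickets.add(ticket);
        accepted(p, ticket, 70_000);       // re-populate the cache
        serverValidTickets.remove(ticket);
        p.evict(ticket);                   // logout handler evicts the entry
        System.out.println("after logout + evict: " + accepted(p, ticket, 71_000));
    }
}
```

The second line of output is the case described in the post: the server no longer honours the ticket, but the cache hit returns before the server is asked.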


