
Thread: CAS concurrent session control across multiple web applications

  1. #1

    CAS concurrent session control across multiple web applications

    Hi all,

    I am now configuring 2 web applications (say webApp A, webApp B)
    with the following features:
    1. concurrent session control (a late comer kicks out the previous user)
    2. single sign-in/out

    They are connected to the same CAS server, but I found the following about concurrent session control across multiple applications:

    Use case 1 :
    1. login from machine I, connect to webApp A, login CAS
    2. login from machine II, connect to webApp A, login CAS
    3. reload webApp A on machine I, session lost, jump to CAS login page ( Expected Result )

    Use case 2 :
    1. login from machine I, connect to webApp A, login CAS
    2. login from machine II, connect to webApp B, login CAS
    3. reload webApp A on machine I, session still exist, able to show secured page at webApp A ( Unexpected result )

    Use case 3 :
    1. login from machine I, connect to webApp A, login CAS
    2. login from machine I, connect to webApp B, no need to login CAS ( single sign in )
    3. login from machine II, connect to webApp B.
    4. reload webApp B on machine I, session lost, jump to CAS login page ( concurrent session control, Expected Result )
    5. reload webApp A on machine I, session lost, jump to CAS login page ( single sign out, Expected Result )

    The problem is that when a user logs in to webApp A and webApp B from different machines, ConcurrentSessionFilter is not able to detect it.

    I am not sure whether I should configure the CAS server or the web application.

    Here is my setting at the web application:

    <security:http entry-point-ref="casProcessingFilterEntryPoint">
    <security:intercept-url pattern="/service/**" filters="none"/>
    <security:intercept-url pattern="/**" access="ROLE_USER" />

    <security:logout logout-success-url="https://www.cas.com/cas/logout"
    invalidate-session="false" />
    </security:http>

    <!-- Properties Setting for CAS -->
    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties"
    p:service="https://domainA/webapp/j_spring_cas_security_check"
    p:sendRenew="false" />

    <!-- Every Spring Security Needs it -->
    <security:authentication-manager alias="authenticationManager" />

    <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
    <security:custom-filter before="CAS_PROCESSING_FILTER" />
    </bean>

    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
    <security:custom-filter after="CAS_PROCESSING_FILTER" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureUrl" value="/casfailed.jsp" />
    <property name="defaultTargetUrl" value="/" />
    </bean>

    Please Help!
    Donald

  2. #2

    I think you are going to want to control this at the root of the problem (i.e. the CAS Server). I will warn you it's been a while since I have been in the code for the CAS Server (so please cut my suggestion some slack if it doesn't work). With that said, your mileage may vary, so you may want to post to the JASIG mailing list (they may have a better suggestion).

    Write a new TicketRegistry implementation that, when addTicket is called, checks to see if the ticket is an instance of TicketGrantingTicket. If so, it checks to see if there are any other TicketGrantingTickets for that user. If there are, call expire on the other TicketGrantingTicket(s). Continue the normal flow (i.e. add the TGT). If you have single logout implemented, calling expire on the TGT should trigger logout of the CAS server and single logout on the other applications for the old session.

    HTH,
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
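One way to realise the registry rwinch describes, as an added example that is not code from this thread, from CAS or from Spring Security: a decorator around any existing TicketRegistry that expires a user's earlier ticket-granting tickets before the new one is stored. It assumes the CAS 3.x server API (org.jasig.cas.ticket.registry.TicketRegistry, Ticket, TicketGrantingTicket with expire() and getAuthentication().getPrincipal().getId()); the class name SingleSessionTicketRegistry is hypothetical, and it is wired in place of the plain ticket registry bean on the CAS server.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.jasig.cas.ticket.Ticket;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.registry.TicketRegistry;

/** Hypothetical decorator: wraps any TicketRegistry and enforces one live TGT per user. */
public class SingleSessionTicketRegistry implements TicketRegistry {
    private final TicketRegistry delegate;

    public SingleSessionTicketRegistry(TicketRegistry delegate) {
        this.delegate = delegate;
    }

    public void addTicket(Ticket ticket) {
        // Only a new CAS login (a TGT) may evict earlier sessions; service tickets pass through.
        if (ticket instanceof TicketGrantingTicket) {
            expireOtherTgtsOf((TicketGrantingTicket) ticket);
        }
        delegate.addTicket(ticket);
    }

    private void expireOtherTgtsOf(TicketGrantingTicket fresh) {
        String user = fresh.getAuthentication().getPrincipal().getId();
        // Work on a copy: expiring/deleting while iterating the registry's live view is unsafe.
        List<Ticket> snapshot = new ArrayList<Ticket>(delegate.getTickets());
        for (Ticket t : snapshot) {
            if (!(t instanceof TicketGrantingTicket) || t.isExpired()
                    || t.getId().equals(fresh.getId())) {
                continue;
            }
            TicketGrantingTicket old = (TicketGrantingTicket) t;
            if (user.equals(old.getAuthentication().getPrincipal().getId())) {
                // expire() is what fires single logout to the apps that got service tickets from this TGT
                old.expire();
                delegate.deleteTicket(old.getId());
            }
        }
    }

    // Remaining TicketRegistry methods just forward to the wrapped registry.
    public Ticket getTicket(String id) { return delegate.getTicket(id); }
    public <T extends Ticket> T getTicket(String id, Class<? extends Ticket> clazz) {
        return delegate.<T>getTicket(id, clazz);
    }
    public boolean deleteTicket(String id) { return delegate.deleteTicket(id); }
    public Collection<Ticket> getTickets() { return delegate.getTickets(); }
}
```

Two logins for the same principal racing on a clustered registry can both survive the scan, so treat the eviction as best effort, and keep SingleSignOutFilter deployed in each application so the logout callback actually ends the local session.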

  3. #3


    Quote Originally Posted by rwinch
    I think you are going to want to control this at the root of the problem (i.e. the CAS Server). I will warn you it's been a while since I have been in the code for the CAS Server (so please cut my suggestion some slack if it doesn't work). With that said, your mileage may vary, so you may want to post to the JASIG mailing list (they may have a better suggestion).

    Write a new TicketRegistry implementation that, when addTicket is called, checks to see if the ticket is an instance of TicketGrantingTicket. If so, it checks to see if there are any other TicketGrantingTickets for that user. If there are, call expire on the other TicketGrantingTicket(s). Continue the normal flow (i.e. add the TGT). If you have single logout implemented, calling expire on the TGT should trigger logout of the CAS server and single logout on the other applications for the old session.

    HTH,
    Thanks for your suggestion, rwinch!
    Actually I posted to both Spring and JASIG as I am a bit confused about which part I should configure. I will try your idea if there is no easier way to configure it, as I think it really takes time to learn deeply about the CAS server.

  4. #4

    Hello friend,

    After looking through your post, I assume that you have integrated your Spring Security application with CAS.

    I am doing the same but getting an issue which I have posted here: http://forum.springsource.org/showth...541#post330541

    Maybe I am missing something in the config.

    Thanks
    Vijay kumar chauhan
