I went over the CAS server documentation over and over and am quite aware of data flow between client, server and app.
However, I am particularly interested in what happens in the following scenario:
CAS serverPHPSESSIDSo, as you might see, security is my main issue here. How and when does the session/access token get verified/refreshed?
This question is about CAS and BeSimpleSsoAuthBundle but I believe it applies to other similar-purpose protocols.
This is what I have tried:
CAS on separate boxCAS - successTomcat server that runs CASIf I have missed something I'll be more than happy to update my question :)
Disclaimer: I'm the Chairman of CAS and founder of CAS in the cloud (https://www.casinthecloud.com).
It's the general design of CAS: you have clients and a server, which provides some advantages, but one of the main concerns is the fact that after being authenticated in your application, you may not communicate with the CAS server again.
In real life, except if you use remember-me, it's not generally a problem. After a few hours (at worst), the SSO / web sessions end and the removed user can no longer log in.
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句