We are implementing CAS and have come across some interesting scenarios when using CAS Services and AJAX. These scenarios appear when a timeout occurs within the CAS Service and the requested resource is returned after SSO, but there is no longer any JavaScript to process the response.
Here is the flow of the scenario.
* A user logs in successfully to a CAS Service and the web browser is left open on a CAS Service until the session on the CAS Service times out
* The user then clicks a link that triggers an Ajax request to be made
* At this point the response would contain an HTTP 302 redirect back to the CAS Server with the service parameter pointing to the requested resource. In this case the resource is a response that needs to be processed by JavaScript, as the response is not complete on its own (the JavaScript normally processes it somehow). When receiving this redirect I wonder what should be done with the 302. I feel it is reasonable that the JavaScript will redirect the browser or an iframe to the 302 if it is a different domain (to avoid cross-site scripting issues); this is true even outside of the CAS protocol. Is this a reasonable assumption? What if the CAS Server was present on the same domain? Can the JavaScript handle things more transparently at this point?
* The CAS Server eventually returns a ticket to the service URL that was originally requested. The browser then returns the Ajax response, which is not a complete response on its own (the JavaScript that called it needs to handle it but is no longer present).
My question is: has anyone dealt with similar issues? Are there recommended practices for dealing with this?
Thanks in advance,
Rob
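As an added illustration of the situation described in the post above (this is example code, not from the original message or from the CAS project), the following browser-side helper shows one way the calling JavaScript can recognise that its AJAX request was answered by a CAS login redirect instead of by the expected resource, and then send the whole browser (not the XHR) through CAS with the service parameter set to the page the user is on rather than to the AJAX resource, so that when the ticket comes back the script that handles the response is loaded again. The CAS login URL, the application URLs and the response shapes are assumed values constructed for the example.

```javascript
// Added example: detecting a CAS login redirect in an AJAX response and
// re-entering SSO at page level. Hypothetical URLs; nothing here is CAS project code.
const CAS_LOGIN_URL = "https://cas.example.edu/cas/login"; // assumed CAS server login endpoint

// True when `finalUrl` (where the XHR actually ended up after redirects) is the CAS login page.
function isCasLoginUrl(finalUrl, casLoginUrl) {
  try {
    const got = new URL(finalUrl);
    const want = new URL(casLoginUrl);
    return got.origin === want.origin && got.pathname === want.pathname;
  } catch (e) {
    return false;
  }
}

// Classify the outcome of an AJAX call whose application session may have expired.
// `result` is a plain summary of the response: { status, finalUrl, contentType, redirected }.
// Returns "ok", "login-required", "unexpected-content" or "error".
function classifyAjaxResult(result, casLoginUrl, expectedType = "application/json") {
  // Same-origin case: the browser followed the 302 to CAS; the final URL tells us so.
  if (result.redirected && isCasLoginUrl(result.finalUrl, casLoginUrl)) {
    return "login-required";
  }
  // Cross-origin case: a redirect to another domain without CORS headers surfaces as a
  // failed fetch (status 0 here), so the caller cannot inspect it; treat it as a lost session.
  if (result.status === 0) {
    return "login-required";
  }
  if (result.status === 401 || result.status === 403) {
    return "login-required";
  }
  const mediaType = (result.contentType || "").split(";")[0].trim().toLowerCase();
  if (result.status >= 200 && result.status < 300) {
    // A 200 with an HTML body where JSON was expected is typically a login form served
    // in place of the resource; never hand that to the JSON-processing code.
    return mediaType === expectedType ? "ok" : "unexpected-content";
  }
  return "error";
}

// Build the CAS login URL for a full-page navigation. `returnTo` must be the document the
// user is looking at, not the AJAX resource, so the ticket lands where the script exists.
function buildCasLoginUrl(casLoginUrl, returnTo) {
  const url = new URL(casLoginUrl);
  url.searchParams.set("service", returnTo);
  return url.toString();
}

// Wrapper around fetch() that applies the classification. Only runs in a browser;
// kept here to show where the pieces fit together.
async function casAwareFetch(resourceUrl, init = {}) {
  let summary;
  try {
    const response = await fetch(resourceUrl, { credentials: "same-origin", ...init });
    summary = {
      status: response.status,
      finalUrl: response.url,
      contentType: response.headers.get("content-type"),
      redirected: response.redirected,
    };
    const verdict = classifyAjaxResult(summary, CAS_LOGIN_URL);
    if (verdict === "ok") return response;
    if (verdict === "login-required" || verdict === "unexpected-content") {
      // Re-enter SSO at page level; the current document URL becomes the CAS service.
      window.location.assign(buildCasLoginUrl(CAS_LOGIN_URL, window.location.href));
      return null;
    }
    throw new Error("request failed with status " + response.status);
  } catch (e) {
    // A cross-origin redirect blocked by CORS rejects the fetch; same recovery path.
    window.location.assign(buildCasLoginUrl(CAS_LOGIN_URL, window.location.href));
    return null;
  }
}
```

The important design choice is in buildCasLoginUrl: the service sent to CAS is the page URL, so after the ticket is validated the user is back on a page whose JavaScript can re-issue the original AJAX call, instead of on a bare JSON fragment. Pointing an iframe at the CAS login page instead of navigating the top window is possible on the same domain, but the iframe's fresh session cookie only helps if the application's session cookie is shared with the parent document, and the parent still has to repeat the request afterwards.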
_______________________________________________
cas-dev mailing list
cas-dev@...
http://tp.its.yale.edu/mailman/listinfo/cas-dev