This repository has been archived by the owner on Nov 3, 2017. It is now read-only.

Active SSO Sessions Report

Dmitriy Kopylenko edited this page Oct 22, 2015 · 10 revisions

Since version 1.0.3 of cas-addons, an Active SSO Sessions Report is available at the /sso-sessions HTTP endpoint. It returns a JSON representation of a snapshot (taken at the time of the call) of all non-expired server-side TicketGrantingTickets and their associated metadata. It looks like this:

{
  "activeSsoSessions" : [ {
    "tgt_id" : "TGT-1-1YzeuQyTQj5cOjNrLtSetQ3gJpDtdVCbtbQ7rooC45Br0BdicX-cas.example.org",
    "number_of_uses" : 1,
    "authenticated_principal" : "test",
    "authentication_date" : "2012-11-08T18:47:13.925+0000"
  }, {
    "tgt_id" : "TGT-2-X5HC7jheh7TuG4SodWoaAcQ9kVulSVgQ564UchIaht5ssqPKwN-cas.example.org",
    "number_of_uses" : 4,
    "authenticated_principal" : "test2",
    "authentication_date" : "2012-11-08T18:47:30.623+0000"
  }, {
    "tgt_id" : "TGT-3-6cWXqtI0yv0juxDlkHHjjd0nyQsyZbqwtJB5uaTaMtljTwY3Vt-cas.example.org",
    "number_of_uses" : 1,
    "authenticated_principal" : "test5",
    "authentication_date" : "2012-11-08T18:48:04.317+0000"
  } ]
}

NOTE: version 1.0.4 removes tgt_id from the report, so if you do not want to expose TGT ids, use version 1.0.4 or later.

WARNING: Expose TGT IDs only with care. Anyone in possession of a TGT ID can participate in the corresponding end user's CAS single sign-on session.


Example of 1.0.4 and later report:

{
  "activeSsoSessions" : [ {
    "number_of_uses" : 1,
    "authenticated_principal" : "test",
    "authentication_date" : "2012-11-08T18:47:13.925+0000"
  }, {
    "number_of_uses" : 4,
    "authenticated_principal" : "test2",
    "authentication_date" : "2012-11-08T18:47:30.623+0000"
  }, {
    "number_of_uses" : 1,
    "authenticated_principal" : "test5",
    "authentication_date" : "2012-11-08T18:48:04.317+0000"
  } ]
}

If the report cannot be produced (for example, EhCacheTicketRegistry does not currently support bulk retrieval of all tickets), a notAvailable representation with a relevant message is returned instead. For example:

{
  "notAvailable" : "The underlying implementation of <TicketRegistry> does not support a bulk retrieval of tickets"
}
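The following is an added example consumer for the report, not code from cas-addons: it parses the 1.0.3 shape (with tgt_id), the 1.0.4 shape (without it) and the notAvailable shape, and summarises sessions per principal without ever echoing a TGT id. The embedded report is a constructed sample with placeholder TGT values.

```python
"""Consumer for the cas-addons /sso-sessions report (added example, not part
of cas-addons). Handles all three report shapes and never prints a TGT id."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample: a 1.0.3-style report that still carries tgt_id values
# (the ids below are placeholders, not real tickets).
SAMPLE_REPORT = json.dumps({
    "activeSsoSessions": [
        {"tgt_id": "TGT-1-PLACEHOLDER-cas.example.org", "number_of_uses": 1,
         "authenticated_principal": "test",
         "authentication_date": "2012-11-08T18:47:13.925+0000"},
        {"tgt_id": "TGT-2-PLACEHOLDER-cas.example.org", "number_of_uses": 4,
         "authenticated_principal": "test2",
         "authentication_date": "2012-11-08T18:47:30.623+0000"},
        {"tgt_id": "TGT-3-PLACEHOLDER-cas.example.org", "number_of_uses": 1,
         "authenticated_principal": "test",
         "authentication_date": "2012-11-08T18:48:04.317+0000"},
    ]
})

def parse_report(text):
    """Return (sessions, error): sessions as a list of dicts, error the notAvailable text."""
    doc = json.loads(text)
    if "notAvailable" in doc:
        return [], doc["notAvailable"]
    sessions = []
    for s in doc.get("activeSsoSessions", []):
        # The report's "+0000" offset has no colon, which strptime's %z accepts.
        when = datetime.strptime(s["authentication_date"], "%Y-%m-%dT%H:%M:%S.%f%z")
        sessions.append({
            "principal": s["authenticated_principal"],
            "uses": int(s["number_of_uses"]),
            "authenticated_at": when,
            "tgt_present": "tgt_id" in s,   # recorded as a flag only, never the value
        })
    return sessions, None

def summarize(sessions):
    """Per-principal counts, principals with more than one live session, and
    whether the deployment is still running a report version that leaks TGT ids."""
    per_principal = Counter(s["principal"] for s in sessions)
    return {
        "total": len(sessions),
        "per_principal": dict(per_principal),
        "multi_session": sorted(p for p, n in per_principal.items() if n > 1),
        "exposes_tgt_ids": any(s["tgt_present"] for s in sessions),
    }
```

Point it at the output of a GET against /sso-sessions from an allowed subnet; `exposes_tgt_ids` being true means the deployment is on 1.0.3 and the endpoint should be upgraded or locked down.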

Configuration

  • Bring web.xml from CAS core into an overlay and add the following:
<servlet>
   <servlet-name>Jersey REST resource to expose active sso sessions</servlet-name>
   <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
</servlet>
<servlet-mapping>
   <servlet-name>Jersey REST resource to expose active sso sessions</servlet-name>
   <url-pattern>/sso-sessions</url-pattern>
</servlet-mapping>
  • Add activeSsoSessionsReportContext.xml to WEB-INF/spring-configuration with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

    <context:component-scan base-package="net.unicon.cas.addons.info"/>
    <context:component-scan base-package="net.unicon.cas.addons.ticket"/>
    <context:annotation-config/>

</beans>

The easiest way to secure this endpoint is an IP subnet restriction, as CAS does by default for its /status endpoint:

  • Add the following to web.xml:
<filter-mapping>
   <filter-name>springSecurityFilterChain</filter-name>
   <url-pattern>/sso-sessions/*</url-pattern>
</filter-mapping>
  • Bring WEB-INF/spring-configuration/securityContext.xml from CAS core into an overlay and add the following:
<sec:http pattern="/sso-sessions/**" entry-point-ref="notAuthorizedEntryPoint" use-expressions="true" auto-config="true">
   <sec:intercept-url pattern="/sso-sessions" access="hasIpAddress('${cas.securityContext.status.allowedSubnet}')"/>
</sec:http>

Note: the order of these Spring Security entries matters! For this to work, insert the above config entry directly below the following entry in springSecurityContext.xml:

<sec:http pattern="/status/**" entry-point-ref="notAuthorizedEntryPoint" use-expressions="true" auto-config="true">
   <sec:intercept-url pattern="/status" access="hasIpAddress('${cas.securityContext.status.allowedSubnet}')" />
</sec:http>