...

  1. We will assume that some kind of authentication proxy sits in front of all applications and acts as a client to an upstream identity provider (usually SAML/Shibboleth or OpenID Connect). Usually the authentication proxy is oauth2_proxy, vouch, or one of the SAML/Shibboleth equivalents for nginx or Apache.
  2. We will assume that the authentication proxy can set an appropriate header which corresponds to the crowd
  3. For this example, we will assume that the proxy passes the identity along in the REMOTE_USER header.
  4. The LoginFilter looks at the last time a session was checked against CAS (cas.lasthandshake.time). I believe it's set as a cookie but also in the session, and we only trust the session. We need to ALWAYS update that last-checked time for the session to the time of the request, so that it never attempts a redirect to CAS (we can do this because the proxy is enforcing authentication).
  5. To spoof the session without recompiling everything, we need to use a Tomcat Valve. Pseudocode below.
  6. Logout would probably be handled at the layer above. Generally speaking, you don't usually log out of SSO-type applications anyway.
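The following Valve is an added worked example of steps 3 to 5; it is not the page's own pseudocode and has not been taken from any project. It assumes Tomcat 9 (javax.servlet; Tomcat 10 would use jakarta.servlet), a hypothetical package name, that the LoginFilter reads cas.lasthandshake.time as epoch milliseconds, and that the proxy reaches Tomcat from a single known address. It only refreshes the handshake time; the page does not say which session attribute carries the user identity, so that part is left as a comment rather than guessed.

```java
package example.sso; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Refreshes the CAS "last handshake" timestamp on every request that arrived
 * through the trusted authentication proxy, so the LoginFilter never redirects
 * to CAS. Requests that did not come from the proxy have the identity header
 * stripped, because a client that can reach Tomcat directly could otherwise
 * forge REMOTE_USER and bypass authentication entirely.
 */
public class ProxyAuthValve extends ValveBase {

    // Session attribute the LoginFilter consults (name from the page; the
    // value type, epoch milliseconds, is an assumption).
    static final String LAST_HANDSHAKE = "cas.lasthandshake.time";

    private String headerName = "REMOTE_USER";   // header set by the proxy (from the page)
    private String trustedProxy = "127.0.0.1";   // assumption: override in context.xml

    // Setters let both values be configured as attributes of <Valve .../>.
    public void setHeaderName(String headerName) { this.headerName = headerName; }
    public void setTrustedProxy(String trustedProxy) { this.trustedProxy = trustedProxy; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        boolean fromProxy = trustedProxy.equals(request.getRemoteAddr());

        if (!fromProxy) {
            // Not from the proxy: the header is untrusted. Remove it and leave the
            // session alone; the LoginFilter then behaves exactly as it does today.
            request.getCoyoteRequest().getMimeHeaders().removeHeader(headerName);
        } else {
            String user = request.getHeader(headerName);
            if (user != null && !user.isEmpty()) {
                // The proxy has authenticated this user: record "checked right now"
                // so the filter never considers the CAS handshake stale.
                request.getSession(true).setAttribute(LAST_HANDSHAKE, System.currentTimeMillis());
                // The attribute that holds the user identity for the application is
                // not named on the page; it would be populated from `user` here.
            }
        }
        getNext().invoke(request, response);
    }
}
```

Register it in the application's context.xml, for example `<Valve className="example.sso.ProxyAuthValve" trustedProxy="10.0.0.5" headerName="REMOTE_USER"/>`. If a RemoteIpValve rewrites the remote address from X-Forwarded-For, place this valve ahead of it (or compare against the connector's real peer address), otherwise the trust check can be satisfied by a forwarded header instead of the proxy itself.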

...