Adding "Public Workstation" vs. "Private Workstation" Timeouts

Owned by Tim McLaughlin
Last updated: May 06, 2011Version comment

We wanted to give users the option of having a longer timeout by specifying that the workstation is "Public" or "Private".  This is similar to a function that many Web sites have, where a "public" workstation will have a (sometimes dramatically) shorter timeout than a private one.  This involved giving the user the checkbox at login, and passing that decision through to the various parts of CAS to effect the timeout.

Also possible, but not shown here, is that the workstationType attribute can also be communicated to client applications so that their individual session timeouts can be adjusted, too.

To make it work, I did the following:
* Modified the JSP in our custom UI theme to contain a checkbox for "workstationType".
* Extended UsernamePasswordCredentials to contain the value. (see attached example code)
* Modified casServlet.xml to tell the authenticationViaFormAction about the new credentials by setting two new properties on the "authenticationViaFormAction" bean like so:

Spring Webflow 1:

<bean id="authenticationViaFormAction"
      class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:warnCookieGenerator-ref="warnCookieGenerator"
      p:formObjectName="credentials"
      p:formObjectClass="mypackage.MyNewCredentialsClass" />

Spring Webflow 2:

<bean id="authenticationViaFormAction"
      class="org.jasig.cas.web.flow.AuthenticationViaFormAction"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:warnCookieGenerator-ref="warnCookieGenerator" />

* Added an AuthenticationMetaDataPopulator to put that value on the authentication attribute map for later use in the ExpirationPolicy. (see attached example code)
* Modified deployerConfigContext to configure the new MetaData.  Add a new property to the "authenticationManager" bean like so:

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
...other properties...
    <property name="authenticationMetaDataPopulators">
        <list>
            <bean class="mypackage.MyNewMetaDataPopulator" />
        </list>
    </property>
</bean>

* Added an ExpirationPolicy to make use of that value to decide between two timeout values. (see attached example code)
* Modified ticketExpirationPolicies.xml to configure the new ExpirationPolicy like so.  Make sure the bean id is "grantingTicketExpirationPolicy":

<bean id="grantingTicketExpirationPolicy"
      class="mypackage.MyNewExpirationPolicy">
    <!-- This argument is the time a ticket can exist before its considered expired. -->
    <!-- Argument 0 is for "Private" machines (the default) -->
    <!-- 7200000 ms == 2 hours -->
    <constructor-arg
        index="0"
        value="7200000" />

    <!-- Argument 1 is for "Public" machines -->
    <!-- 1800000 ms == 30 min -->
    <constructor-arg
        index="1"
        value="1800000" />
</bean>

* Only for Webflow 2: Modified login-webflow.xml to use our new UsernamePasswordWorkstationTypeCredentials class and bind the workstationType property from the form:

    <view-state id="viewLoginForm" view="casLoginView" model="credentials">
        <var name="credentials" class="mypackage.UsernamePasswordWorkstationTypeCredentials" />
        <binder>
            <binding property="username" />
            <binding property="password" />
            <binding property="workstationType" />
        </binder>
        ...
    </view-state>

Not a huge deal of work, but sure is complicated to find the info!  Many thanks to Scott Battaglia and Andrew Feller for the assistance finding it.