[cas-dev] renew flag can be bypassed

March, Andres amarch at soe.sony.com
Thu Mar 1 12:35:44 EST 2007


We have started to use the renew flag for the first time.  I have found
that just by changing the login url (to remove renew=true) that the
forwarding app redirects to, you can bypass renewal of credentials.
Shouldn't CAS demand renewal on subsequent logins if renew was sent once
and no re-authentication has occurred?  Further, shouldn't the CAS
client require some indication that the credentials were renewed when
the ticket was issued and it was not simply reusing an existing auth?


I was thinking of placing a filter on CAS that deletes the CAS TGC when
renew is passed.  This solves my first issue but not the second.


Andres March

Platform - Application Engineering

Sony Online Entertainment

desk: 858.577.3373

cell:   619.519.1519
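
An added example of the client-side check the second question asks for; it is not code from this post or from the CAS project. The client puts renew=true on the /login redirect and also on the /serviceValidate call (the CAS 2.0 protocol defines renew on validation too: the ticket is rejected with INVALID_TICKET if it was issued from an existing single sign-on session rather than from freshly presented credentials), and it treats only the validation response as proof that re-authentication happened. The host names, ticket value, username and the two XML responses are constructed for the example, and `fetch` is a hypothetical callable injected so the code runs offline.

```python
"""CAS 2.0 client that insists on fresh credentials (added example)."""
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# Namespace used by CAS 2.0 validation responses.
CAS_NS = "{http://www.yale.edu/tp/cas}"


def login_url(cas_base, service, renew=False):
    """Build the /login redirect; renew=true asks CAS to re-prompt for credentials."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return f"{cas_base}/login?{urlencode(params)}"


def service_validate_url(cas_base, service, ticket, renew=False):
    """Build the /serviceValidate call; renew=true makes CAS reject SSO-issued tickets."""
    params = {"service": service, "ticket": ticket}
    if renew:
        params["renew"] = "true"
    return f"{cas_base}/serviceValidate?{urlencode(params)}"


def requested_renew(url):
    """Sanity check on a redirect the app is about to send: does it still carry renew=true?"""
    qs = parse_qs(urlparse(url).query)
    return qs.get("renew") == ["true"]


def parse_validation(xml_text):
    """Return (True, username) on success or (False, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        return True, success.findtext(CAS_NS + "user")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return False, failure.get("code", "UNKNOWN")
    return False, "MALFORMED"


def verify_fresh_login(cas_base, service, ticket, fetch):
    """Validate `ticket` while demanding it came from fresh credentials.

    `fetch` is a hypothetical callable url -> response body (injected so the
    example runs offline); a real client would do an HTTPS GET here.
    """
    url = service_validate_url(cas_base, service, ticket, renew=True)
    return parse_validation(fetch(url))


# Constructed sample responses (not captured from a real CAS server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

RENEW_FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket was not issued from an initial login and renew was requested
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    cas = "https://cas.example.org/cas"          # constructed host
    app = "https://app.example.org/secure"       # constructed host
    print(login_url(cas, app, renew=True))
    # Simulate a ticket that CAS minted from an existing SSO session.
    print(verify_fresh_login(cas, app, "ST-1-example", lambda u: RENEW_FAILURE_XML))
    # Simulate a ticket minted after real re-authentication.
    print(verify_fresh_login(cas, app, "ST-2-example", lambda u: SUCCESS_XML))
```

The point of the split is that the login redirect is under the user's control (the URL can be edited before it is followed), while the validation call goes directly from the application to CAS, so the renew requirement enforced there cannot be stripped by the browser. Deleting the ticket-granting cookie on the server when renew is passed, as proposed above, addresses the first issue; checking the validation response with renew set is what gives the client the indication asked for in the second.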
