[cas-dev] renew flag can be bypassed

Scott Battaglia scott.battaglia at gmail.com
Thu Mar 1 15:12:15 EST 2007


If the client application requests renew=true in the URL and the user
removes it, the authentication itself will continue.  However, when the
client goes to validate a ticket it should be specifying renew=true to the
validator, which would cause the validation of the ticket to fail.

-Scott

On 3/1/07, March, Andres <amarch at soe.sony.com> wrote:
>
> We have started to use the renew flag for the first time.  I have found
> that just by changing the login url (to remove renew=true) that the
> forwarding app redirects to, you can bypass renewal of credentials.
> Shouldn't CAS demand renewal on subsequent logins if renew was sent once and
> no re-authentication has occurred?  Further, shouldn't the CAS client
> require some indication that the credentials were renewed when the ticket
> was issued and it was not simply reusing an existing auth?
>
> I was thinking of placing a filter on CAS that deletes the CAS TGC when
> renew is passed.  This solves my first issue but not the second.
>
> Andres March
> Platform - Application Engineering
> Sony Online Entertainment
> desk: 858.577.3373
> cell:   619.519.1519
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
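The following is an added, constructed model of the renew semantics Scott describes; it is not CAS project code. It replays the thread end to end: the client asks for renew=true, the user strips the flag from the login URL and relies on the existing SSO cookie (TGC), and whether the ticket is accepted then depends on whether the client also sends renew=true at validation time. The in-memory server, the user "alice", her password and the service URL are all constructed for the example; real CAS issues and validates tickets over HTTP, but the rule modelled here (a ticket validated with renew=true is accepted only if it was issued from a fresh presentation of primary credentials) is the one the CAS protocol defines.

```python
"""Constructed model of CAS login/validation with the renew flag (not CAS code)."""
import secrets
from dataclasses import dataclass


@dataclass
class TicketGrantingTicket:
    user: str


@dataclass
class ServiceTicket:
    user: str
    service: str
    from_new_login: bool  # True only when primary credentials were just presented


class CasServer:
    """Minimal stand-in for the CAS server: an SSO session store and a ticket store."""

    def __init__(self, users):
        self.users = users    # constructed credential store: user -> password
        self.tgts = {}        # TGC cookie value -> TicketGrantingTicket (the SSO session)
        self.tickets = {}     # service ticket id -> ServiceTicket

    def login(self, service, renew, tgc=None, credentials=None):
        """Model of /login. Returns (service_ticket_id, tgc).

        Without renew, a valid TGC is enough and the ticket is issued from the
        existing session. With renew (or no session) primary credentials must
        be presented, and the ticket is marked as coming from a new login.
        """
        if tgc in self.tgts and not renew:
            user = self.tgts[tgc].user
            ticket = ServiceTicket(user, service, from_new_login=False)
        else:
            if credentials is None:
                raise PermissionError("primary credentials required")
            user, password = credentials
            if self.users.get(user) != password:
                raise PermissionError("bad credentials")
            tgc = "TGC-" + secrets.token_hex(8)
            self.tgts[tgc] = TicketGrantingTicket(user)
            ticket = ServiceTicket(user, service, from_new_login=True)
        ticket_id = "ST-" + secrets.token_hex(8)
        self.tickets[ticket_id] = ticket
        return ticket_id, tgc

    def validate(self, ticket_id, service, renew):
        """Model of /serviceValidate: single use, bound to the service, and when
        renew is set only tickets issued from a fresh login succeed."""
        ticket = self.tickets.pop(ticket_id, None)
        if ticket is None or ticket.service != service:
            return None
        if renew and not ticket.from_new_login:
            return None
        return ticket.user


def scenario():
    """Replays the thread and returns the validation outcome of each step."""
    server = CasServer(users={"alice": "correct horse"})   # constructed user
    service = "https://app.example.test/cas-callback"       # constructed service URL
    results = {}

    # 1. First visit: no SSO session yet, credentials are presented, ticket is fresh.
    st1, tgc = server.login(service, renew=True, credentials=("alice", "correct horse"))
    results["fresh_login_validated_with_renew"] = server.validate(st1, service, renew=True)

    # 2. Later visit: the user rewrites the login URL to drop renew=true and the
    #    server happily issues a ticket from the existing TGC. A client that
    #    validates without renew accepts it (the bypass Andres observed).
    st2, _ = server.login(service, renew=False, tgc=tgc)
    results["stripped_renew_validated_without_renew"] = server.validate(st2, service, renew=False)

    # 3. Same rewrite, but the client passes renew=true to the validator as
    #    Scott recommends: the reused-session ticket is rejected.
    st3, _ = server.login(service, renew=False, tgc=tgc)
    results["stripped_renew_validated_with_renew"] = server.validate(st3, service, renew=True)

    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome!r}")
```

The design point is that the login URL is under the user's control, so nothing the server does at login time can be relied on by the client; the validation request is the client's own, which is why the renew requirement belongs there.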