[cas-dev] renew flag can be bypassed

March, Andres amarch at soe.sony.com
Thu Mar 1 18:44:45 EST 2007


The Acegi version (1.0.2) I am using was ignoring renew:

    // Acegi 1.0.2 snippet: the sendRenew setting is only logged,
    // never passed on to the underlying CAS ProxyTicketValidator.
    if (super.getServiceProperties().isSendRenew())
        logger.warn("The current CAS ProxyTicketValidator does not"
            + " support the 'renew' property. The ticket cannot be validated as having"
            + " been issued by a 'renew' authentication. It is expected this will be"
            + " corrected in a future version of CAS' ProxyTicketValidator.");


I subclassed the ticket validator and set the renew flag:

    // Subclass: pass the flag through to the CAS ProxyTicketValidator (pv)
    // so that the validation URL carries renew=true.
    if (sendRenew) {
        pv.setRenew(sendRenew);
        log.warn("Setting renew flag.  This may not be supported by proxyValidate.");
    }


I have validated that the URL has &renew=true, but the server still
validates a ticket issued from a non-renew auth.  I still need to debug
the CAS server to see what happens during the validate call.

- Andres

________________________________

From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
Sent: Thursday, March 01, 2007 2:59 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] renew flag can be bypassed


CAS Server 3 and the Yale and JA-SIG clients should support it.  I'll
have to check on Acegi.  A quick look makes it seem like it should work.
I'll have to go into the source code later.

-Scott

On 3/1/07, March, Andres <amarch at soe.sony.com> wrote:

I missed that in the protocol spec.  But I just tested this and it
didn't work.  Also, there are comments in the Acegi client that this
doesn't work yet.  I'm investigating and will try to provide more
detail.  I was just curious if this feature wasn't functional until a
particular version.  Do you know if it requires a specific version of
the cas server, client, or acegi?


- Andres

________________________________

From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
Sent: Thursday, March 01, 2007 12:12 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] renew flag can be bypassed


If the client application requests renew=true in the URL and the
user removes it, the authentication itself will continue.  However, when
the client goes to validate a ticket it should be specifying renew=true
to the validator, which would cause the validation of the ticket to fail.


-Scott

On 3/1/07, March, Andres <amarch at soe.sony.com> wrote:

We have started to use the renew flag for the first time.  I have found
that just by changing the login url (to remove renew=true) that the
forwarding app redirects to, you can bypass renewal of credentials.
Shouldn't CAS demand renewal on subsequent logins if renew was sent once
and no re-authentication has occurred?  Further, shouldn't the CAS
client require some indication that the credentials were renewed when
the ticket was issued and it was not simply reusing an existing auth?


I was thinking of placing a filter on CAS that deletes the CAS TGC when
renew is passed.  This solves my first issue but not the second.

Andres March
Platform - Application Engineering
Sony Online Entertainment
desk: 858.577.3373
cell: 619.519.1519



_______________________________________________
cas-dev mailing list
cas-dev at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas-dev

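Added example, not code from this thread, from CAS or from Acegi: a small Python model of the two checks the replies above describe, the CAS server reusing an existing SSO session (the TGC) when renew is stripped from the /login URL, and the client's ticket validator sending renew=true so that such a ticket is rejected. CasServer, login, service_validate and client_authenticate are invented stand-ins for the CAS /login and /serviceValidate endpoints and a client round trip; the credential is a toy (just the username) and tickets are random strings. Python is used because it runs stand-alone; the real code in question is Java.

```python
"""Model of the CAS 'renew' semantics discussed in this thread.

Constructed example: this is not CAS or Acegi code.  A CAS server keeps
an SSO session (TGC cookie / ticket-granting ticket) and issues service
tickets; a client application validates them.  Each ticket records
whether it came from a fresh login, and a validator that sends
renew=true rejects a ticket that did not.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class ServiceTicket:
    service: str
    user: str
    from_new_login: bool  # True only if credentials were presented for this ticket


@dataclass
class CasServer:
    """Stand-in for the CAS /login and /serviceValidate endpoints (names are ours)."""
    tgts: dict = field(default_factory=dict)     # TGC value -> user
    tickets: dict = field(default_factory=dict)  # ST value -> ServiceTicket

    def login(self, service, tgc=None, credentials=None, renew=False):
        """/login: returns (tgc, service_ticket).

        Without renew, an existing SSO session is reused and no credentials
        are asked for.  With renew, credentials are required even if a TGC
        is present, and a new session is created.
        """
        if not renew and tgc in self.tgts:
            return tgc, self._issue(service, self.tgts[tgc], from_new_login=False)
        if credentials is None:
            raise PermissionError("credentials required")
        user = credentials  # toy credential: the username itself
        new_tgc = "TGC-" + secrets.token_hex(8)
        self.tgts[new_tgc] = user
        return new_tgc, self._issue(service, user, from_new_login=True)

    def _issue(self, service, user, from_new_login):
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = ServiceTicket(service, user, from_new_login)
        return st

    def service_validate(self, service, ticket, renew=False):
        """/serviceValidate: single-use, service-bound; renew demands a fresh login.

        Returns the authenticated user, or None on failure.
        """
        st = self.tickets.pop(ticket, None)  # single use
        if st is None or st.service != service:
            return None
        if renew and not st.from_new_login:
            return None  # issued from an existing SSO session: reject
        return st.user


def client_authenticate(server, service, tgc, credentials,
                        login_url_has_renew, validator_sends_renew):
    """Client round trip: redirect to /login, then validate the ticket.

    login_url_has_renew models whether renew=true survived on the /login
    URL (the user can strip it); validator_sends_renew models whether the
    client's ticket validator appends renew=true when validating.
    """
    tgc, st = server.login(service, tgc=tgc, credentials=credentials,
                           renew=login_url_has_renew)
    user = server.service_validate(service, st, renew=validator_sends_renew)
    return tgc, user


def renew_bypass_scenario(validator_sends_renew):
    """Second login with renew stripped from the URL.

    Returns the user the client accepts on the second round: 'alice' means
    the bypass worked, None means the validator rejected the SSO ticket.
    """
    server = CasServer()
    app = "https://app.example/"
    # Round 1: fresh login with renew=true, credentials presented.
    tgc, user = client_authenticate(server, app, None, "alice",
                                    login_url_has_renew=True,
                                    validator_sends_renew=validator_sends_renew)
    assert user == "alice"
    # Round 2: the app again redirects with renew=true, but the user removes
    # it from the URL; the existing TGC is reused and no credentials are sent.
    _, user2 = client_authenticate(server, app, tgc, None,
                                   login_url_has_renew=False,
                                   validator_sends_renew=validator_sends_renew)
    return user2


if __name__ == "__main__":
    print("validator without renew:", renew_bypass_scenario(False))  # alice (bypass)
    print("validator with renew:   ", renew_bypass_scenario(True))   # None (rejected)
```

The model encodes the semantics the thread describes, not the behaviour of any particular CAS server or client release; whether a given server actually rejects a non-renew ticket when renew=true is sent on validation is exactly the open question above and has to be checked against that server.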
