[cas-dev] renew flag can be bypassed

Scott Battaglia scott.battaglia at gmail.com
Thu Mar 1 18:56:37 EST 2007


The server side uses a validation specification to check the renew on
validate.  If you are redirecting to CAS with renew=true and validating with
renew=true then I would make sure you have a correct ValidationSpecification
configured (most likely, you do) and that your JSP page, on form submission,
is passing the renew=true and not dropping it.

-Scott

On 3/1/07, March, Andres <amarch at soe.sony.com> wrote:
>
>  The acegi version (1.0.2) I am using was ignoring renew:
>
>     if (super.getServiceProperties().isSendRenew())
>         logger.warn("The current CAS ProxyTicketValidator does not"
>             + " support the 'renew' property. The ticket cannot be validated as having been"
>             + " issued by a 'renew' authentication. It is expected this will be corrected in"
>             + " a future version of CAS' ProxyTicketValidator.");
>
> I subclassed the ticket validator and set the renew flag:
>
>     if (sendRenew) {
>         pv.setRenew(sendRenew);
>         log.warn("Setting renew flag.  This may not be supported by proxyValidate.");
>     }
>
>
>
> I have validated that the url has &renew=true but the server still
> validates a ticket issued from a non-renew auth.  I still need to debug the
> CAS server to see what happens during the validate call.
>
> - Andres
>   ------------------------------
>
> From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> Sent: Thursday, March 01, 2007 2:59 PM
> To: Mailing list for CAS developers
> Subject: Re: [cas-dev] renew flag can be bypassed
>
>
>
> The CAS Server 3, and Yale & JA-SIG clients should support it.  I'll have
> to check on Acegi. A quick look makes it seem like it should work. I'll have
> to go into the source code later.
>
> -Scott
>
> On 3/1/07, March, Andres <amarch at soe.sony.com> wrote:
>
> I missed that in the protocol spec.  But I just tested this and it didn't
> work.  Also, there are comments in the Acegi client that this doesn't work
> yet.  I'm investigating and will try to provide more detail.  I was just
> curious if this feature wasn't functional until a particular version.  Do
> you know if it requires a specific version of the cas server, client, or
> acegi?
>
>
>
> - Andres
>   ------------------------------
>
> From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Scott Battaglia
> Sent: Thursday, March 01, 2007 12:12 PM
> To: Mailing list for CAS developers
> Subject: Re: [cas-dev] renew flag can be bypassed
>
>
>
> If the client application requests renew=true in the URL and the user
> removes it, the authentication itself will continue.  However, when the
> client goes to validate a ticket it should be specifying renew=true to the
> validator, which would cause the validation of the ticket to fail.
>
> -Scott
>
> On 3/1/07, March, Andres <amarch at soe.sony.com> wrote:
>
> We have started to use the renew flag for the first time.  I have found
> that just by changing the login url (to remove renew=true) that the
> forwarding app redirects to, you can bypass renewal of credentials.
> Shouldn't CAS demand renewal on subsequent logins if renew was sent once and
> no re-authentication has occurred?  Further, shouldn't the CAS client
> require some indication that the credentials were renewed when the ticket
> was issued and it was not simply reusing an existing auth?
>
>
>
> I was thinking of placing a filter on CAS that deletes the CAS TGC when
> renew is passed.  This solves my first issue but not the second.
>
> Andres March
> Platform - Application Engineering
> Sony Online Entertainment
> desk: 858.577.3373
> cell:   619.519.1519
>
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
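To make the point of Scott's first reply concrete: the user controls the login URL, so stripping renew=true from the redirect is trivial; the guarantee has to come from the client asserting renew=true at validation time and the server's validation specification rejecting tickets that were not minted from a fresh login. The following is an added example written for this page; it is not code from the CAS server, the Yale/JA-SIG clients or Acegi. The class and function names (ServiceTicket, ValidationSpecification, CasServer, build_validate_url, run_scenario), the from_new_login attribute and the example URLs are constructed for the illustration.

```python
"""Model of the CAS 'renew' check discussed in this thread.

Constructed example, not CAS server, Yale client or Acegi code. The names
below are illustrative; CAS 3 expresses the same idea with its own
assertion and validation-specification types.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class ServiceTicket:
    ticket_id: str
    service: str
    from_new_login: bool  # True only if credentials were entered for this ticket


@dataclass
class ValidationSpecification:
    """Role of a validation specification: the validate endpoint rejects any
    ticket that does not satisfy it. With renew=True a ticket minted from an
    existing SSO session is rejected even though it is otherwise valid."""
    renew: bool = False

    def is_satisfied_by(self, st: ServiceTicket) -> bool:
        return st.from_new_login or not self.renew


@dataclass
class CasServer:
    _tickets: dict = field(default_factory=dict)
    _counter: int = 0

    def login(self, service: str, renew: bool, has_sso_session: bool) -> ServiceTicket:
        """Issue a service ticket for /login?service=...[&renew=true].
        renew=true always re-prompts for credentials; without it an existing
        SSO session (TGC cookie) is reused and the ticket is NOT from a new login."""
        self._counter += 1
        fresh = renew or not has_sso_session
        st = ServiceTicket(f"ST-{self._counter}", service, fresh)
        self._tickets[st.ticket_id] = st
        return st

    def validate(self, ticket_id: str, service: str, renew: bool) -> bool:
        """Server side of /serviceValidate: one-time use, service must match,
        and the ticket must satisfy the validation specification."""
        st = self._tickets.pop(ticket_id, None)
        if st is None or st.service != service:
            return False
        return ValidationSpecification(renew=renew).is_satisfied_by(st)


def build_validate_url(cas_base: str, service: str, ticket: str, send_renew: bool) -> str:
    """Client side: the validate request carries renew=true only if the
    client's sendRenew setting is honoured (the Acegi 1.0.2 in the thread dropped it)."""
    params = {"service": service, "ticket": ticket}
    if send_renew:
        params["renew"] = "true"
    return f"{cas_base}/serviceValidate?{urlencode(params)}"


def validate_url_has_renew(url: str) -> bool:
    """The check done by hand in the thread: does the validate URL carry renew=true?"""
    return parse_qs(urlparse(url).query).get("renew") == ["true"]


def run_scenario(user_strips_renew_on_login: bool, client_sends_renew_on_validate: bool) -> bool:
    """Return True if the service ends up accepting the ticket. The user already
    holds an SSO session (TGC), so removing renew=true from the login redirect
    yields a ticket minted without re-authentication."""
    cas = CasServer()
    service = "https://app.example/login/cas"  # constructed service URL
    st = cas.login(service, renew=not user_strips_renew_on_login, has_sso_session=True)
    url = build_validate_url("https://cas.example", service, st.ticket_id,
                             client_sends_renew_on_validate)
    return cas.validate(st.ticket_id, service, renew=validate_url_has_renew(url))


if __name__ == "__main__":
    # Client that ignores sendRenew on validate: the stripped-renew ticket is accepted.
    print("bypass accepted (client ignores renew):", run_scenario(True, False))
    # Client that sends renew=true on validate: the same ticket is rejected.
    print("bypass accepted (client sends renew):", run_scenario(True, True))
    # Honest flow, renew on login and on validate: accepted.
    print("honest renew flow accepted:", run_scenario(False, True))
```

The model shows why deleting the TGC on a renew request (the filter idea in the thread) only addresses half of the problem: the server-side rejection in validate, driven by the client's renew flag, is what makes a login URL tampered with by the user harmless, independent of what happened at the login step.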