[cas-dev] renew flag can be bypassed
March, Andres
amarch at soe.sony.com
Thu Mar 1 19:18:52 EST 2007
Thanks for testing. I don't think my validation specification was set
properly. I will check the reference implementation. It looks like we
just screwed something up but I don't know why we would have changed it
from the default.
Here is what I had:
  <bean id="proxyValidateController"
        class="org.jasig.cas.web.ServiceValidateController">
    <property name="centralAuthenticationService"
              ref="centralAuthenticationService" />
    <property name="proxyHandler" ref="proxy20Handler" />
  </bean>

  <bean id="serviceValidateController"
        class="org.jasig.cas.web.ServiceValidateController">
    <property name="validationSpecificationClass"
              value="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification" />
    <property name="centralAuthenticationService"
              ref="centralAuthenticationService" />
    <property name="proxyHandler" ref="proxy20Handler" />
  </bean>
And what I changed it to:
  <bean id="proxyValidateController"
        class="org.jasig.cas.web.ServiceValidateController">
    <property name="validationSpecificationClass"
              value="org.jasig.cas.validation.Cas20ProtocolValidationSpecification" />
    <property name="centralAuthenticationService"
              ref="centralAuthenticationService" />
    <property name="proxyHandler" ref="proxy20Handler" />
  </bean>

  <bean id="serviceValidateController"
        class="org.jasig.cas.web.ServiceValidateController">
    <property name="validationSpecificationClass"
              value="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification" />
    <property name="centralAuthenticationService"
              ref="centralAuthenticationService" />
    <property name="proxyHandler" ref="proxy20Handler" />
  </bean>
- Andres
________________________________
From: cas-dev-bounces at tp.its.yale.edu [mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Andrew William Petro
Sent: Thursday, March 01, 2007 3:55 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] renew flag can be bypassed
Andres,
I have tested this just now against https://www.ja-sig.org/cas
Tickets obtained without specifying renew=true to login do not
successfully validate for me using either serviceValidate or
proxyValidate where renew=true on the validation.
Exactly what do you mean when you say
"I have validated that the url has &renew=true but the server still validates a ticket issued from a non-renew auth."?
Andrew
The acegi version (1.0.2) I am using was ignoring renew:
  // Acegi 1.0.2 CasProxyTicketValidator: the renew setting is only warned about, never sent
  if (super.getServiceProperties().isSendRenew())
      logger.warn("The current CAS ProxyTicketValidator does not support the 'renew' property. "
          + "The ticket cannot be validated as having been issued by a 'renew' authentication. "
          + "It is expected this will be corrected in a future version of CAS' ProxyTicketValidator.");
I subclassed the ticket validator and set the renew flag:
  // subclass override: actually pass renew through to the ProxyTicketValidator (pv)
  if (sendRenew) {
      pv.setRenew(sendRenew);
      log.warn("Setting renew flag. This may not be supported by proxyValidate.");
  }
I have validated that the url has &renew=true but the server still
validates a ticket issued from a non-renew auth. I still need to debug
the CAS server to see what happens during the validate call.
- Andres
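As an added illustration (not code from this thread or from the CAS project), the following self-contained Java sketch models what the two validationSpecificationClass values in the bean definitions above enforce on the server side once the client actually sends renew=true. The Assertion interface and the class names Cas20Spec and Cas20WithoutProxyingSpec are simplified stand-ins for the CAS 3 types, and the three assertions are constructed inputs.

```java
import java.util.List;
// Simplified stand-in for org.jasig.cas.validation.Assertion (assumption, not the real type).
interface Assertion {
    boolean isFromNewLogin();                 // true only if the ticket came from a fresh credential check
    List<String> getChainedAuthentications(); // [user] for a direct ST, [user, proxy, ...] for a PT
}
// Modelled on Cas20ProtocolValidationSpecification: renew=true demands a fresh login,
// and proxy chains of any length are accepted (the spec the thread puts on proxyValidate).
class Cas20Spec {
    private final boolean renew;
    Cas20Spec(boolean renew) { this.renew = renew; }
    public final boolean isSatisfiedBy(Assertion a) {
        // The check the thread is about: a ticket minted from an existing SSO session
        // must not satisfy a validation request that carried renew=true.
        if (renew && !a.isFromNewLogin()) return false;
        return isSatisfiedByInternal(a);
    }
    protected boolean isSatisfiedByInternal(Assertion a) { return true; }
}
// Modelled on Cas20WithoutProxyingValidationSpecification: same renew rule, plus the
// authentication chain must be exactly one deep, i.e. no proxy hops (serviceValidate).
class Cas20WithoutProxyingSpec extends Cas20Spec {
    Cas20WithoutProxyingSpec(boolean renew) { super(renew); }
    @Override protected boolean isSatisfiedByInternal(Assertion a) {
        return a.getChainedAuthentications().size() == 1;
    }
}
public class RenewCheckDemo {
    // Constructed assertions standing in for what the server builds for a ticket.
    static Assertion assertion(boolean fresh, String... chain) {
        return new Assertion() {
            public boolean isFromNewLogin() { return fresh; }
            public List<String> getChainedAuthentications() { return List.of(chain); }
        };
    }
    public static void main(String[] args) {
        Assertion ssoTicket   = assertion(false, "alice");           // ST issued from an existing TGT
        Assertion freshTicket = assertion(true,  "alice");           // ST issued right after re-entering credentials
        Assertion proxyTicket = assertion(true,  "alice", "portal"); // PT obtained through a proxying service
        Cas20Spec proxyValidate   = new Cas20Spec(true);             // validation request carried renew=true
        Cas20Spec serviceValidate = new Cas20WithoutProxyingSpec(true);
        System.out.println("sso ticket, renew=true, proxyValidate:     " + proxyValidate.isSatisfiedBy(ssoTicket));
        System.out.println("fresh ticket, renew=true, proxyValidate:   " + proxyValidate.isSatisfiedBy(freshTicket));
        System.out.println("proxy ticket, renew=true, serviceValidate: " + serviceValidate.isSatisfiedBy(proxyTicket));
        System.out.println("proxy ticket, renew=true, proxyValidate:   " + proxyValidate.isSatisfiedBy(proxyTicket));
    }
}
```

Only the first case is rejected by the renew rule itself; the third is rejected because serviceValidate refuses proxy chains, which is a separate check from renew. If a client library never sends renew (as the Acegi 1.0.2 validator above), neither spec can enforce it, whatever the bean configuration says.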