[cas-dev] renew flag can be bypassed
March, Andres
amarch at soe.sony.com
Thu Mar 1 19:57:32 EST 2007
Sorry for the run around and the noise but it appears my elegant new
ticket registry (backed by BerkeleyDB -
http://www.ja-sig.org/issues/browse/CAS-474) doesn't see the ticket
updates because the TGT is never re-added to the registry. It seems the
current implementation does not account for serialization of tickets and
relies on mutable ticket state. So this is what happens:
- login is hit with a TGC
- the TGT is fetched from the registry
- an ST is issued using the TGT
- the TGT increments its usageCount (but this only happens in memory)
- the ST is added to the registry
So I think the TGT needs to be re-added to the registry, so that the
next time it's fetched the usageCount is accurate. I believe that the
STs also need to be re-added to the registry at the end of a validate if
they are not expired.
- Andres
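The flow listed above, as an added example in Java; this is not code from CAS, from the BerkeleyDB registry in CAS-474, or from anyone on this thread. It models a registry that stores tickets as serialized bytes (standing in for a BerkeleyDB-backed one), so getTicket hands back a fresh deserialized copy rather than the live object. The class names (Tgt, St, SerializingRegistry, RenewBypassDemo) are hypothetical, and the renew check is modelled as "the ST was the first one granted on its TGT", which is an assumption made for the example rather than something the thread states.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for a TGT; the only state that matters here is usageCount. */
class Tgt implements Serializable {
    private static final long serialVersionUID = 1L;
    final String id;
    int usageCount = 0;

    Tgt(String id) { this.id = id; }

    /** Issue an ST. "From new login" is modelled (assumption) as: no ST was granted on this TGT before. */
    St grantServiceTicket(String stId) {
        boolean fromNewLogin = (usageCount == 0);
        usageCount++;                            // mutates whichever copy of the TGT we hold
        return new St(stId, fromNewLogin);
    }
}

/** Hypothetical stand-in for an ST. */
class St implements Serializable {
    private static final long serialVersionUID = 1L;
    final String id;
    final boolean fromNewLogin;
    St(String id, boolean fromNewLogin) { this.id = id; this.fromNewLogin = fromNewLogin; }
}

/** Registry that persists tickets as serialized bytes: getTicket returns a fresh copy every time. */
class SerializingRegistry {
    private final Map<String, byte[]> store = new HashMap<>();

    void addTicket(Serializable ticket, String id) {
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream();
             ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(ticket);
            oos.flush();
            store.put(id, bos.toByteArray());
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    @SuppressWarnings("unchecked")
    <T> T getTicket(String id) {
        byte[] bytes = store.get(id);
        if (bytes == null) return null;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return (T) ois.readObject();
        } catch (IOException | ClassNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }
}

public class RenewBypassDemo {
    /** renew=true must reject an ST that was not issued from a fresh login. */
    static boolean validate(St st, boolean renew) {
        return !renew || st.fromNewLogin;
    }

    /** The steps from the mail: fetch TGT, grant ST, store ST. readdTgt is the proposed fix. */
    static St loginWithTgc(SerializingRegistry reg, String tgtId, String stId, boolean readdTgt) {
        Tgt tgt = reg.getTicket(tgtId);            // deserialized copy, not the stored object
        St st = tgt.grantServiceTicket(stId);      // usageCount++ happens on that copy only
        reg.addTicket(st, st.id);
        if (readdTgt) reg.addTicket(tgt, tgt.id);  // write the updated usageCount back
        return st;
    }

    public static void main(String[] args) {
        // Buggy flow: the TGT is never written back, so each fetch sees usageCount == 0.
        SerializingRegistry buggy = new SerializingRegistry();
        buggy.addTicket(new Tgt("TGT-1"), "TGT-1");
        loginWithTgc(buggy, "TGT-1", "ST-1", false);
        St second = loginWithTgc(buggy, "TGT-1", "ST-2", false);
        System.out.println("buggy: second ST accepted with renew=true: " + validate(second, true));

        // Fixed flow: re-add the TGT after granting, so the next fetch sees the incremented count.
        SerializingRegistry fixed = new SerializingRegistry();
        fixed.addTicket(new Tgt("TGT-1"), "TGT-1");
        loginWithTgc(fixed, "TGT-1", "ST-1", true);
        St secondFixed = loginWithTgc(fixed, "TGT-1", "ST-2", true);
        System.out.println("fixed: second ST accepted with renew=true: " + validate(secondFixed, true));
    }
}
```

Compile and run with `javac RenewBypassDemo.java && java RenewBypassDemo`. In the buggy flow the second ST is accepted under renew=true because the TGT fetched for it is always the pristine serialized copy; in the fixed flow the re-added TGT carries usageCount 1, so the second ST is not from a new login and renew=true rejects it. A registry that keeps live objects in an in-memory map never shows the difference, because getTicket hands back the same mutable instance whose count was incremented, which is why the bug only surfaced with a serializing backend.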
________________________________
From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of March, Andres
Sent: Thursday, March 01, 2007 4:19 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] renew flag can be bypassed
Thanks for testing. I don't think my validation specification was set
properly. I will check the reference implementation. It looks like we
just screwed something up but I don't know why we would have changed it
from the default.
Here is what I had:
<bean id="proxyValidateController"
      class="org.jasig.cas.web.ServiceValidateController">
  <property name="centralAuthenticationService"
            ref="centralAuthenticationService" />
  <property name="proxyHandler"
            ref="proxy20Handler" />
</bean>
<bean id="serviceValidateController"
      class="org.jasig.cas.web.ServiceValidateController">
  <property name="validationSpecificationClass"
            value="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification" />
  <property name="centralAuthenticationService"
            ref="centralAuthenticationService" />
  <property name="proxyHandler"
            ref="proxy20Handler" />
</bean>
And what I changed it to:
<bean id="proxyValidateController"
      class="org.jasig.cas.web.ServiceValidateController">
  <property name="validationSpecificationClass"
            value="org.jasig.cas.validation.Cas20ProtocolValidationSpecification" />
  <property name="centralAuthenticationService"
            ref="centralAuthenticationService" />
  <property name="proxyHandler"
            ref="proxy20Handler" />
</bean>
<bean id="serviceValidateController"
      class="org.jasig.cas.web.ServiceValidateController">
  <property name="validationSpecificationClass"
            value="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification" />
  <property name="centralAuthenticationService"
            ref="centralAuthenticationService" />
  <property name="proxyHandler"
            ref="proxy20Handler" />
</bean>
- Andres
________________________________
From: cas-dev-bounces at tp.its.yale.edu
[mailto:cas-dev-bounces at tp.its.yale.edu] On Behalf Of Andrew William
Petro
Sent: Thursday, March 01, 2007 3:55 PM
To: Mailing list for CAS developers
Subject: Re: [cas-dev] renew flag can be bypassed
Andres,
I have tested this just now against https://www.ja-sig.org/cas
Tickets obtained without specifying renew=true to login do not
successfully validate for me using either serviceValidate or
proxyValidate where renew=true on the validation.
Exactly what do you mean when you say
"I have validated that the url has &renew=true but the server still
validates a ticket issued from a non-renew auth."
?
Andrew
The acegi version (1.0.2) I am using was ignoring renew:
if (super.getServiceProperties().isSendRenew())
    logger.warn("The current CAS ProxyTicketValidator does not support the 'renew' property. "
        + "The ticket cannot be validated as having been issued by a 'renew' authentication. "
        + "It is expected this will be corrected in a future version of CAS' ProxyTicketValidator.");
I subclassed the ticket validator and set the renew flag:
if (sendRenew) {
    pv.setRenew(sendRenew);
    log.warn("Setting renew flag. This may not be supported by proxyValidate.");
}
I have validated that the url has &renew=true but the server still
validates a ticket issued from a non-renew auth. I still need to debug
the CAS server to see what happens during the validate call.
- Andres