Authenticated into Confluence as wrong user
Scott Battaglia
scott.battaglia at gmail.com
Thu Jan 15 22:16:04 EST 2009
So two different CAS clients which would mean if there were any problems it
would be in the CAS server.
Which versions of the server are you guys using?
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Thu, Jan 15, 2009 at 10:12 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
> Drupal is PHP so I am using PHPCAS 0.6 I think.
>
>
> Scott Battaglia wrote:
>
> Are you using the JASIG CAS Client for Java 3.1 also?
>
> Can you post your configuration?
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Thu, Jan 15, 2009 at 4:23 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
>
>> I have had the same issues when casifying Drupal. It's impossible to do
>> it at will, but the user they log in as is usually the last user that
>> had logged in. I would love to get a final solution and the security
>> implications are very high.
>>
>> Adam
>>
>> Jim Stoll wrote:
>> > For those CAS-ifying Confluence via the JASIG CAS client for Java 3.1
>> > (as per instructions here:
>> >
>> http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1
>> ),
>> > has anyone ever experienced the situation where users get into
>> > Confluence as the wrong user?
>> >
>> > The basic scenario is:
>> > 1. User makes initial request to https://wiki.our.site/dashboard.action
>> ,
>> > and is taken to our 'public' wiki page (ie, unauthenticated users can
>> > see the initial dashboard page)
>> > 2. User clicks the 'Log In' link from the Confluence dashboard page
>> > 3. User is redirected to the CAS login page
>> > 4. User enters their own username and password and logs in through CAS
>> > 5. User is taken into Confluence as another user entirely (ie, the
>> > Dashboard shows the wrong user name, and the user is in another user's
>> > permission scheme - can see content they shouldn't see, and can't see
>> > content they should see)
>> >
>> > I am currently unable to reproduce the problem at will, but we have had
>> > two users experience this in the past week (that we're aware of, I
>> > suspect there have probably been other occurrences we're not aware of,
>> > though I have yet to find a way to identify this type of situation in
>> > the logs). In the two cases I'm aware of, the 'wrong' user that the
>> > person was authenticated into Confluence as, had never previously been
>> > on the client machine that experienced the problem. (just FYI). We have
>> > other applications that are CAS-ified (mixture of PHP and Java clients),
>> > and we haven't yet seen this behavior on those.
>> >
>> > I'd appreciate any help, insight or advice, as this is a pretty serious
>> > situation for us.
>> >
>> > Thanks!
>> >
>> > Jim
>> >
>> >
>> > _______________________________________________
>> > Yale CAS mailing list
>> > cas at tp.its.yale.edu
>> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >
>> _______________________________________________
>> Yale CAS mailing list
>> cas at tp.its.yale.edu
>> http://tp.its.yale.edu/mailman/listinfo/cas
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20090115/611c5eb2/attachment.html
More information about the cas
mailing list