Authenticated into Confluence as wrong user

Adam Moore amoore5 at ucmerced.edu
Thu Jan 15 22:12:45 EST 2009


Drupal is PHP, so I am using PHPCAS 0.6, I think.

Scott Battaglia wrote:
> Are you using the JASIG CAS Client for Java 3.1 also?
>
> Can you post your configuration?
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Thu, Jan 15, 2009 at 4:23 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
>
>     I have had the same issues when casifying Drupal. It's impossible to do
>     it at will, but the user they log in as is usually the last user that
>     had logged in.  I would love to get a final solution and the security
>     implications are very high.
>
>     Adam
>
>     Jim Stoll wrote:
>     > For those CAS-ifying Confluence via the JASIG CAS client for Java 3.1
>     > (as per instructions here:
>     > http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1),
>     > has anyone ever experienced the situation where users get into
>     > Confluence as the wrong user?
>     >
>     > The basic scenario is:
>     > 1. User makes initial request to https://wiki.our.site/dashboard.action,
>     > and is taken to our 'public' wiki page (i.e., unauthenticated users can
>     > see the initial dashboard page)
>     > 2. User clicks the 'Log In' link from the Confluence dashboard page
>     > 3. User is redirected to the CAS login page
>     > 4. User enters their own username and password and logs in through CAS
>     > 5. User is taken into Confluence as another user entirely (i.e., the
>     > Dashboard shows the wrong user name, and the user is in another user's
>     > permission scheme - can see content they shouldn't see, and can't see
>     > content they should see)
>     >
>     > I am currently unable to reproduce the problem at will, but we have had
>     > two users experience this in the past week (that we're aware of; I
>     > suspect there have probably been other occurrences we're not aware of,
>     > though I have yet to find a way to identify this type of situation in
>     > the logs). In the two cases I'm aware of, the 'wrong' user that the
>     > person was authenticated into Confluence as had never previously been
>     > on the client machine that experienced the problem (just FYI). We have
>     > other applications that are CAS-ified (mixture of PHP and Java clients),
>     > and we haven't yet seen this behavior on those.
>     >
>     > I'd appreciate any help, insight or advice, as this is a pretty serious
>     > situation for us.
>     >
>     > Thanks!
>     >
>     > Jim
>     >
>     >
>     > _______________________________________________
>     > Yale CAS mailing list
>     > cas at tp.its.yale.edu
>     > http://tp.its.yale.edu/mailman/listinfo/cas
>     >
>
>