Authenticated into Confluence as wrong user
Adam Moore
amoore5 at ucmerced.edu
Thu Jan 15 22:26:36 EST 2009
Version 2.2
Scott Battaglia wrote:
> So two different CAS clients, which would mean if there were any problems it would be in the CAS server.
>
> Which versions of the server are you guys using?
>
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Thu, Jan 15, 2009 at 10:12 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
>
> Drupal is PHP so I am using PHPCAS 0.6 I think.
>
>
> Scott Battaglia wrote:
>> Are you using the JASIG CAS Client for Java 3.1 also?
>>
>> Can you post your configuration?
>>
>> -Scott
>>
>> -Scott Battaglia
>> PGP Public Key Id: 0x383733AA
>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>>
>>
>> On Thu, Jan 15, 2009 at 4:23 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
>>
>> I have had the same issues when CAS-ifying Drupal. It's impossible to do it at will, but the user they log in as is usually the last user that had logged in. I would love to get a final solution, and the security implications are very high.
>>
>> Adam
>>
>> Jim Stoll wrote:
>> > For those CAS-ifying Confluence via the JASIG CAS client for Java 3.1 (as per instructions here: http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1), has anyone ever experienced the situation where users get into Confluence as the wrong user?
>> >
>> > The basic scenario is:
>> > 1. User makes initial request to https://wiki.our.site/dashboard.action, and is taken to our 'public' wiki page (i.e., unauthenticated users can see the initial dashboard page)
>> > 2. User clicks the 'Log In' link from the Confluence dashboard page
>> > 3. User is redirected to the CAS login page
>> > 4. User enters their own username and password and logs in through CAS
>> > 5. User is taken into Confluence as another user entirely (i.e., the Dashboard shows the wrong user name, and the user is in another user's permission scheme - can see content they shouldn't see, and can't see content they should see)
>> >
>> > I am currently unable to reproduce the problem at will, but we have had two users experience this in the past week (that we're aware of; I suspect there have probably been other occurrences we're not aware of, though I have yet to find a way to identify this type of situation in the logs). In the two cases I'm aware of, the 'wrong' user that the person was authenticated into Confluence as had never previously been on the client machine that experienced the problem (just FYI). We have other applications that are CAS-ified (a mixture of PHP and Java clients), and we haven't yet seen this behavior on those.
>> >
>> > I'd appreciate any help, insight or advice, as this is a pretty serious situation for us.
>> >
>> > Thanks!
>> >
>> > Jim
>> >
>> >
>> > _______________________________________________
>> > Yale CAS mailing list
>> > cas at tp.its.yale.edu <mailto:cas at tp.its.yale.edu>
>> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >
>>
>>
>
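A log-correlation check for the symptom Jim describes (a Confluence session whose principal is not the user the CAS server validated the service ticket for, or a service ticket that yields two sessions), as an added example that is not part of this thread or of any CAS project code. Both log formats below are constructed for the example and assume, hypothetically, that the CAS server and the client-side filter each log the service ticket id; real deployments would need their own parsing regexes.

```python
import re

# Constructed, hypothetical log formats (not real CAS server or Confluence output).
# CAS server side: one line per successful service-ticket validation.
CAS_VALIDATION_LOG = """\
2009-01-15 16:01:02 VALIDATED ticket=ST-101 user=alice service=https://wiki.our.site/
2009-01-15 16:01:40 VALIDATED ticket=ST-102 user=bob service=https://wiki.our.site/
2009-01-15 16:02:11 VALIDATED ticket=ST-103 user=carol service=https://wiki.our.site/
"""
# Application side: one line per session the CAS client filter established from a ticket.
APP_SESSION_LOG = """\
2009-01-15 16:01:03 SESSION ticket=ST-101 principal=alice session=s1
2009-01-15 16:01:41 SESSION ticket=ST-102 principal=alice session=s2
2009-01-15 16:02:12 SESSION ticket=ST-103 principal=carol session=s3
2009-01-15 16:02:30 SESSION ticket=ST-103 principal=carol session=s4
"""

CAS_RE = re.compile(r"VALIDATED ticket=(\S+) user=(\S+)")
APP_RE = re.compile(r"SESSION ticket=(\S+) principal=(\S+) session=(\S+)")


def parse_cas(log):
    """Map service ticket -> user the CAS server validated it for."""
    validated = {}
    for line in log.splitlines():
        m = CAS_RE.search(line)
        if m:
            validated[m.group(1)] = m.group(2)
    return validated


def find_identity_mismatches(cas_log, app_log):
    """Return (session, ticket, cas_user, app_principal, reason) for every
    application session that does not line up with the CAS server's record."""
    validated = parse_cas(cas_log)
    tickets_seen = set()
    findings = []
    for line in app_log.splitlines():
        m = APP_RE.search(line)
        if not m:
            continue
        ticket, principal, session = m.groups()
        cas_user = validated.get(ticket)
        if cas_user is None:
            findings.append((session, ticket, None, principal, "ticket never validated by CAS"))
        elif cas_user != principal:
            findings.append((session, ticket, cas_user, principal, "principal differs from CAS validation"))
        if ticket in tickets_seen:  # a service ticket should establish at most one session
            findings.append((session, ticket, cas_user, principal, "service ticket reused for a second session"))
        tickets_seen.add(ticket)
    return findings
```

Running it over the sample lines flags session s2 (CAS validated ST-102 for bob, the application bound it to alice) and session s4 (ST-103 produced a second session).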