Authenticated into Confluence as wrong user
Adam Moore
amoore5 at ucmerced.edu
Thu Jan 15 23:09:54 EST 2009
Checking again, it's esup-cas-server-2.0.5-1.
Scott Battaglia wrote:
> 2.2? So you're still using the Yale version?
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Thu, Jan 15, 2009 at 10:26 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
>
> Version 2.2
>
>
> Scott Battaglia wrote:
>> So two different CAS clients which would mean if there were any
>> problems it would be in the CAS server.
>>
>> Which versions of the server are you guys using?
>>
>>
>> -Scott Battaglia
>> PGP Public Key Id: 0x383733AA
>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>>
>>
>> On Thu, Jan 15, 2009 at 10:12 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
>>
>> Drupal is PHP, so I am using PHPCAS 0.6, I think.
>>
>>
>> Scott Battaglia wrote:
>>> Are you using the JASIG CAS Client for Java 3.1 also?
>>>
>>> Can you post your configuration?
>>>
>>> -Scott
>>>
>>> -Scott Battaglia
>>> PGP Public Key Id: 0x383733AA
>>> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>>>
>>>
>>> On Thu, Jan 15, 2009 at 4:23 PM, Adam Moore <amoore5 at ucmerced.edu> wrote:
>>>
>>> I have had the same issues when CAS-ifying Drupal. It's impossible to do
>>> it at will, but the user they log in as is usually the last user that
>>> had logged in. I would love to get a final solution, and the security
>>> implications are very high.
>>>
>>> Adam
>>>
>>> Jim Stoll wrote:
>>> > For those CAS-ifying Confluence via the JASIG CAS client for Java 3.1
>>> > (as per instructions here:
>>> > http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1),
>>> > has anyone ever experienced the situation where users get into
>>> > Confluence as the wrong user?
>>> >
>>> > The basic scenario is:
>>> > 1. User makes initial request to https://wiki.our.site/dashboard.action,
>>> >    and is taken to our 'public' wiki page (ie, unauthenticated users can
>>> >    see the initial dashboard page)
>>> > 2. User clicks the 'Log In' link from the Confluence dashboard page
>>> > 3. User is redirected to the CAS login page
>>> > 4. User enters their own username and password and logs in through CAS
>>> > 5. User is taken into Confluence as another user entirely (ie, the
>>> >    Dashboard shows the wrong user name, and the user is in another user's
>>> >    permission scheme - can see content they shouldn't see, and can't see
>>> >    content they should see)
>>> >
>>> > I am currently unable to reproduce the problem at will, but we have had
>>> > two users experience this in the past week (that we're aware of; I
>>> > suspect there have probably been other occurrences we're not aware of,
>>> > though I have yet to find a way to identify this type of situation in
>>> > the logs). In the two cases I'm aware of, the 'wrong' user that the
>>> > person was authenticated into Confluence as had never previously been
>>> > on the client machine that experienced the problem (just FYI). We have
>>> > other applications that are CAS-ified (mixture of PHP and Java clients),
>>> > and we haven't yet seen this behavior on those.
>>> >
>>> > I'd appreciate any help, insight or advice, as this is a pretty serious
>>> > situation for us.
>>> >
>>> > Thanks!
>>> >
>>> > Jim
>>> >
>>> >
>>> > _______________________________________________
>>> > Yale CAS mailing list
>>> > cas at tp.its.yale.edu
>>> > http://tp.its.yale.edu/mailman/listinfo/cas
>>> >
>>
>
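The check Jim says he has not found a way to make in the logs, as an added example that is not part of the thread, the CAS project or Confluence: correlate the CAS server's record of which principal each service ticket was validated for with the principal the application bound to the session it created from that ticket. A service ticket is single-use and names exactly one principal, so any difference means the client bound the wrong identity. Both log formats, the ticket and user values, and all function names below are constructed for this example; real CAS server audit output and Confluence logs look different, so the two parse functions are the part to adapt. For each mismatch the code also reports the principal validated immediately before, to test Adam's observation that the wrong user is usually the last one who logged in.

```python
"""Cross-check CAS ticket validations against application sessions.

Added example for this thread; it is not code from the CAS project,
Confluence or any of the posters. Both log formats, the ticket and user
values and the function names are constructed: real CAS server audit
output and Confluence logs look different, so parse_cas_log() and
parse_app_log() are the part to adapt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed CAS-server log: one line per successful service-ticket
# validation, recording which principal the ticket was issued to.
CAS_LOG = """\
2009-01-15 16:01:02 VALIDATE ticket=ST-101-abc service=https://wiki.our.site/login.action user=jstoll
2009-01-15 16:01:40 VALIDATE ticket=ST-102-def service=https://wiki.our.site/login.action user=amoore
2009-01-15 16:02:15 VALIDATE ticket=ST-103-ghi service=https://wiki.our.site/login.action user=bsmith
2009-01-15 16:03:00 VALIDATE ticket=ST-104-jkl service=https://wiki.our.site/login.action user=cjones
"""

# Constructed application log: the ticket the CAS client presented and the
# principal the application bound to the session it then created.
# Session S3 is the bad case: ticket ST-103-ghi was validated for bsmith,
# but the application logged the user in as amoore, the previous principal.
APP_LOG = """\
2009-01-15 16:01:03 SESSION session=S1 ticket=ST-101-abc user=jstoll
2009-01-15 16:01:41 SESSION session=S2 ticket=ST-102-def user=amoore
2009-01-15 16:02:16 SESSION session=S3 ticket=ST-103-ghi user=amoore
2009-01-15 16:03:01 SESSION session=S4 ticket=ST-104-jkl user=cjones
"""

CAS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) VALIDATE ticket=(?P<ticket>\S+) "
    r"service=(?P<service>\S+) user=(?P<user>\S+)$")
APP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SESSION session=(?P<session>\S+) "
    r"ticket=(?P<ticket>\S+) user=(?P<user>\S+)$")


@dataclass
class Validation:
    ts: str
    ticket: str
    service: str
    user: str


@dataclass
class Session:
    ts: str
    session: str
    ticket: str
    user: str


@dataclass
class Mismatch:
    session: str
    ticket: str
    expected_user: str            # principal CAS validated the ticket for
    actual_user: str              # principal the application bound to the session
    previous_user: Optional[str]  # principal validated just before this ticket


def parse_cas_log(text: str) -> List[Validation]:
    return [Validation(**m.groupdict())
            for m in (CAS_RE.match(line) for line in text.splitlines()) if m]


def parse_app_log(text: str) -> List[Session]:
    return [Session(**m.groupdict())
            for m in (APP_RE.match(line) for line in text.splitlines()) if m]


def find_wrong_user_sessions(validations: List[Validation],
                             sessions: List[Session]) -> List[Mismatch]:
    """Return every session whose principal differs from the one the CAS
    server validated the session's ticket for."""
    by_ticket: Dict[str, Validation] = {v.ticket: v for v in validations}
    # Per ticket, remember which principal the server validated immediately
    # before it, to test the "usually the last user who logged in" observation.
    previous: Dict[str, Optional[str]] = {}
    last: Optional[str] = None
    for v in sorted(validations, key=lambda v: v.ts):
        previous[v.ticket] = last
        last = v.user
    mismatches: List[Mismatch] = []
    for s in sessions:
        v = by_ticket.get(s.ticket)
        if v is None:
            continue  # ticket the server never validated: a different anomaly
        if v.user != s.user:
            mismatches.append(Mismatch(s.session, s.ticket, v.user, s.user,
                                       previous[v.ticket]))
    return mismatches


if __name__ == "__main__":
    for m in find_wrong_user_sessions(parse_cas_log(CAS_LOG), parse_app_log(APP_LOG)):
        print(f"session {m.session}: ticket {m.ticket} validated for {m.expected_user}, "
              f"application logged in {m.actual_user} "
              f"(previous validated login: {m.previous_user})")
```

If the application does not log the ticket it consumed, the ticket still arrives as the `ticket` query parameter on the service URL the CAS server redirects back to, so the web server's access log, joined on session cookie, is one place to recover the ticket-to-session mapping. Any session this check flags is one where the CAS client, not the CAS server, bound the identity, which is the distinction Scott is trying to draw above.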