Possibly another edge case...not sure.
* Configure casapp service to opt-out of SSO via SM
* Login directly to cas without a service parameter (i.e. /cas/login)
and get a TGT
* Login to casspp without credential challenge. (expected to be challenged)
The result is an ability to by-pass the CAS Administrators indication
that the app in question opt-out of SSO and always challenge for
credentials.
from CentralAuthenticationServiceImpl.grantServiceTicket():
if (!registeredService.isSsoEnabled() && credentials == null
&& ticketGrantingTicket.getCountOfUses() > 0) {
log.warn("ServiceManagement: Service Not Allowed to use
SSO. Service [" + service.getId() + "]");
throw new UnauthorizedSsoServiceException();
Since the TGT was issued by CAS without a ServiceTicket,
getCountOfUsers == 0, so no credential challenge is issued, despite
the config to do otherwise.
I get that in practice it is likely that the CAS actually did just
challenge for credentials on the TGT issuance, so perhaps this is OK
from a security standpoint. Still it confused the deployer/cas admin
for a bit.
Thoughts?
Bill
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev