Possibly another edge case...not sure.

* Configure casapp service to opt-out of SSO via SM
* Login directly to cas without a service parameter  (i.e. /cas/login)
 and get a TGT
* Login to casspp without credential challenge.  (expected to be challenged)

The result is an ability to by-pass the CAS Administrators indication
that the app in question opt-out of SSO and always challenge for
credentials.

from CentralAuthenticationServiceImpl.grantServiceTicket():
        if (!registeredService.isSsoEnabled() && credentials == null
            && ticketGrantingTicket.getCountOfUses() > 0) {
            log.warn("ServiceManagement: Service Not Allowed to use
SSO.  Service [" + service.getId() + "]");
            throw new UnauthorizedSsoServiceException();

Since the TGT was issued by CAS without a ServiceTicket,
getCountOfUsers == 0, so no credential challenge is issued, despite
the config to do otherwise.

I get that in practice it is likely that the CAS actually did just
challenge for credentials on the TGT issuance, so perhaps this is OK
from a security standpoint.  Still it confused the deployer/cas admin
for a bit.

Thoughts?

Bill

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to