I would actually say this one is a legitimate bug.  Its an extreme edge case
but actually a bug.


On Tue, Aug 2, 2011 at 11:08 AM, William G. Thompson, Jr.
<[email protected]>wrote:

> Possibly another edge case...not sure.
>
> * Configure casapp service to opt-out of SSO via SM
> * Login directly to cas without a service parameter  (i.e. /cas/login)
>  and get a TGT
> * Login to casspp without credential challenge.  (expected to be
> challenged)
>
> The result is an ability to by-pass the CAS Administrators indication
> that the app in question opt-out of SSO and always challenge for
> credentials.
>
> from CentralAuthenticationServiceImpl.grantServiceTicket():
>        if (!registeredService.isSsoEnabled() && credentials == null
>            && ticketGrantingTicket.getCountOfUses() > 0) {
>            log.warn("ServiceManagement: Service Not Allowed to use
> SSO.  Service [" + service.getId() + "]");
>            throw new UnauthorizedSsoServiceException();
>
> Since the TGT was issued by CAS without a ServiceTicket,
> getCountOfUsers == 0, so no credential challenge is issued, despite
> the config to do otherwise.
>
> I get that in practice it is likely that the CAS actually did just
> challenge for credentials on the TGT issuance, so perhaps this is OK
> from a security standpoint.  Still it confused the deployer/cas admin
> for a bit.
>
> Thoughts?
>
> Bill
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to