I would actually say this one is a legitimate bug. Its an extreme edge case but actually a bug.
On Tue, Aug 2, 2011 at 11:08 AM, William G. Thompson, Jr. <[email protected]>wrote: > Possibly another edge case...not sure. > > * Configure casapp service to opt-out of SSO via SM > * Login directly to cas without a service parameter (i.e. /cas/login) > and get a TGT > * Login to casspp without credential challenge. (expected to be > challenged) > > The result is an ability to by-pass the CAS Administrators indication > that the app in question opt-out of SSO and always challenge for > credentials. > > from CentralAuthenticationServiceImpl.grantServiceTicket(): > if (!registeredService.isSsoEnabled() && credentials == null > && ticketGrantingTicket.getCountOfUses() > 0) { > log.warn("ServiceManagement: Service Not Allowed to use > SSO. Service [" + service.getId() + "]"); > throw new UnauthorizedSsoServiceException(); > > Since the TGT was issued by CAS without a ServiceTicket, > getCountOfUsers == 0, so no credential challenge is issued, despite > the config to do otherwise. > > I get that in practice it is likely that the CAS actually did just > challenge for credentials on the TGT issuance, so perhaps this is OK > from a security standpoint. Still it confused the deployer/cas admin > for a bit. > > Thoughts? > > Bill > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-dev > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
