On Tue, Aug 2, 2011 at 12:05 PM, Andrew Petro <[email protected]> wrote:
> **
> <snip />
>
> Another thought is that ability to login to CAS without logging in to a
> particular service is a misfeature at this point in CAS's evolution. In
> practice, too few users and institutions are prepared to understand, brand,
> and support what is at best a fringe use case of logging in to CAS for the
> sake of establishing an SSO session without logging in to any CAS-reliant
> service. I don't want to log in to CAS. I want to log in to the portal, or
> LMS, or something, and maybe that incidentally creates an SSO session. As
> such, I suggest that CAS evolve to not bother to prompt for credentials and
> instead present a polite but useless message when users visit CAS directly
> without specifying a service - retire the
> issuing-TGT-for-the-sake-of-establishing-SSO-session-only feature.
>
+1
though you need to cover the case when you're already logged into CAS and
you get to that page.
>
> Andrew
>
>
>
> On 08/02/2011 11:08 AM, William G. Thompson, Jr. wrote:
>
> Possibly another edge case...not sure.
>
> * Configure casapp service to opt-out of SSO via SM
> * Login directly to cas without a service parameter (i.e. /cas/login)
> and get a TGT
> * Login to casspp without credential challenge. (expected to be challenged)
>
> The result is an ability to by-pass the CAS Administrators indication
> that the app in question opt-out of SSO and always challenge for
> credentials.
>
> from CentralAuthenticationServiceImpl.grantServiceTicket():
> if (!registeredService.isSsoEnabled() && credentials == null
> && ticketGrantingTicket.getCountOfUses() > 0) {
> log.warn("ServiceManagement: Service Not Allowed to use
> SSO. Service [" + service.getId() + "]");
> throw new UnauthorizedSsoServiceException();
>
> Since the TGT was issued by CAS without a ServiceTicket,
> getCountOfUsers == 0, so no credential challenge is issued, despite
> the config to do otherwise.
>
> I get that in practice it is likely that the CAS actually did just
> challenge for credentials on the TGT issuance, so perhaps this is OK
> from a security standpoint. Still it confused the deployer/cas admin
> for a bit.
>
> Thoughts?
>
> Bill
>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
>
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev