OK. Captured as https://issues.jasig.org/browse/CAS-1020
On Tue, Aug 2, 2011 at 12:16 PM, Scott Battaglia <[email protected]> wrote: > > > On Tue, Aug 2, 2011 at 12:05 PM, Andrew Petro <[email protected]> wrote: >> >> <snip /> >> Another thought is that ability to login to CAS without logging in to a >> particular service is a misfeature at this point in CAS's evolution. In >> practice, too few users and institutions are prepared to understand, brand, >> and support what is at best a fringe use case of logging in to CAS for the >> sake of establishing an SSO session without logging in to any CAS-reliant >> service. I don't want to log in to CAS. I want to log in to the portal, or >> LMS, or something, and maybe that incidentally creates an SSO session. As >> such, I suggest that CAS evolve to not bother to prompt for credentials and >> instead present a polite but useless message when users visit CAS directly >> without specifying a service - retire the >> issuing-TGT-for-the-sake-of-establishing-SSO-session-only feature. > > +1 > though you need to cover the case when you're already logged into CAS and > you get to that page. > > >> >> Andrew >> >> >> On 08/02/2011 11:08 AM, William G. Thompson, Jr. wrote: >> >> Possibly another edge case...not sure. >> >> * Configure casapp service to opt-out of SSO via SM >> * Login directly to cas without a service parameter (i.e. /cas/login) >> and get a TGT >> * Login to casspp without credential challenge. (expected to be >> challenged) >> >> The result is an ability to by-pass the CAS Administrators indication >> that the app in question opt-out of SSO and always challenge for >> credentials. >> >> from CentralAuthenticationServiceImpl.grantServiceTicket(): >> if (!registeredService.isSsoEnabled() && credentials == null >> && ticketGrantingTicket.getCountOfUses() > 0) { >> log.warn("ServiceManagement: Service Not Allowed to use >> SSO. Service [" + service.getId() + "]"); >> throw new UnauthorizedSsoServiceException(); >> >> Since the TGT was issued by CAS without a ServiceTicket, >> getCountOfUsers == 0, so no credential challenge is issued, despite >> the config to do otherwise. >> >> I get that in practice it is likely that the CAS actually did just >> challenge for credentials on the TGT issuance, so perhaps this is OK >> from a security standpoint. Still it confused the deployer/cas admin >> for a bit. >> >> Thoughts? >> >> Bill >> >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> >> >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-dev > > -- > You are currently subscribed to [email protected] as: [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-dev -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
