On Mon, Sep 5, 2011 at 11:02 PM, Rhett Sutphin <[email protected]> wrote:
> Hi,
>
> On Sep 2, 2011, at 1:59 PM, J. David Beutel wrote:
>
>> On 2011-09-02 05:37, Rhett Sutphin wrote:
>>> * User clicks on a login link, which brings up the lightbox with CAS in an
>>> iframe within. (If the user has JS disabled, this link goes to the usual
>>> full-page CAS login.)
>>> * The user logs into the iframed CAS login page.
>>
>> With an iframe, does the browser display the SSL-authenticated CAS host
>> name? I suppose most users don't bother to look at that, but it would be a
>> shame to take away their ability to see who they're giving their password to.
>
> A browser doesn't display the source URL for an iframe anywhere in the
> default chrome. The iframe appears as though it is part of the (SSL
> protected) application that the user is authenticating to. To the extent that
> the user is analyzing who will receive his credentials, it appears to a
> non-technical user that the application is receiving them. Since the reality
> is that a service on which the application has chosen to rely is receiving
> the credentials, I don't think this is misleading. (It's very similar to the
> case where the application takes the credentials directly and then passes
> them on to an LDAP server in the background.)
One's perspective on this probably depends greatly on the scope and intent around the particular CAS deployment. Some deployments place great emphasis on the fact that the applications no longer have direct access to users' credentials. From an overall security perspective, there is likely value in guiding users to not give up their credentials too easily to every pop-up window they encounter.

Best,
Bill

>
> Rhett
>
>>
>> Cheers,
>> 11011011
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-dev
