Dear Jleleu,

Thank you so much for your help. Please read my answer in line.

Thanks and best regards

On Thu, Oct 25, 2012 at 1:13 AM, jleleu <lel...@gmail.com> wrote:
> Hi,
>
> If you do the check on serviceType in an authentication handler, it will
> be done just the first time the user enters credentials, and the next time
> the user tries to access another application, no check will be performed.
> I imagine that's why your mechanism doesn't work.
>
> You have two steps in CAS server:
> - authentication: it happens just once during the SSO session
> - access to applications (generates service tickets): it happens each
> time the user accesses an application.

*>> Yes, this is my problem.*

> So to do some control and distinguish access between applications, you
> have to store / compute some information at login and check if it's ok
> every time a user tries to access an application. This happens through the
> generation of a service ticket in the GenerateServiceTicketAction, so
> that's why I was talking about a customized class for that.

*>> Actually I'm also new to the CAS server, so I have many problems I do not understand deeply. I hope I will get help from you.*

> But I see a bigger problem here: your SQL query is based directly on the
> request st parameter appended to the /cas/login url. I don't see any check
> on the service itself.
> You set a security level on the client side by a url parameter, the st=4.
> It means that you will call the CAS server for authentication with a
> /cas/login?st=4&service=myfirstservice url.
> Nothing prevents me from calling the CAS server by changing manually the
> url to /cas/login?st=2&service=myfirstservice and setting another value
> for the st parameter.
> It looks like a security breach to me. I hope I am missing something.

*>> serviceType = 4 or 2 is only a sample, I will encode it.*

> Best regards,
> Jérôme
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as:
> hungnguyenman...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
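The two points Jérôme makes above (the check must run at every service-ticket generation, not only at login, and the required level must not come from the caller's own `st` parameter) can be shown in a few lines. The following is an added stand-alone Python simulation written for this thread; it is not CAS code and does not use the CAS API (in a real deployment the decision would live in a customized GenerateServiceTicketAction, as the reply says). All function names, the service registry, the user store and the URLs are hypothetical values constructed for the example.

```python
# Added illustration (not CAS code): a minimal simulation of the two CAS
# steps described in the reply above. Authentication runs once per SSO
# session; the access decision runs again on every service-ticket request
# and is taken from server-side data only. Every name here is hypothetical
# and every value is constructed for the example.
import itertools
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed service registry: registered service URL -> level it requires.
# This replaces the client-supplied "st" parameter as the source of truth.
SERVICE_REGISTRY = {
    "https://hr.example.org/app": 4,
    "https://wiki.example.org/": 2,
}

# Constructed user store: username -> (password, level granted at login).
USER_DB = {
    "alice": ("alice-pw", 4),
    "bob": ("bob-pw", 2),
}

_ticket_counter = itertools.count(1)


@dataclass
class SsoSession:
    """Stands in for the ticket-granting ticket: created once at login."""
    username: str
    level: int


def authenticate(username: str, password: str):
    """Step 1 (once per SSO session): verify credentials, record the level."""
    record = USER_DB.get(username)
    if record is None or record[0] != password:
        return None
    return SsoSession(username=username, level=record[1])


def _service_from_login_url(login_url: str):
    """Extract the 'service' query parameter from a /cas/login URL."""
    params = parse_qs(urlparse(login_url).query)
    values = params.get("service")
    return values[0] if values else None


def required_level_from_param(login_url: str):
    """The pattern criticised in the reply: trust the caller's own 'st' value."""
    params = parse_qs(urlparse(login_url).query)
    values = params.get("st")
    return int(values[0]) if values else None


def required_level_from_registry(login_url: str):
    """The fix: look the level up by service URL; 'st' is never read."""
    service = _service_from_login_url(login_url)
    return SERVICE_REGISTRY.get(service)  # None for unregistered services


def generate_service_ticket(session: SsoSession, login_url: str,
                            level_source=required_level_from_registry):
    """Step 2 (every access): issue a ticket only if the session's level
    meets what the service requires according to level_source."""
    need = level_source(login_url)
    if need is None or session.level < need:
        return None  # unknown service, or level too low: no ticket
    return f"ST-{next(_ticket_counter)}-{session.username}"


if __name__ == "__main__":
    bob = authenticate("bob", "bob-pw")
    tampered = "https://cas.example.org/cas/login?st=2&service=https://hr.example.org/app"
    # With the registry as the source, a lowered st value changes nothing.
    print(generate_service_ticket(bob, tampered))
```

`generate_service_ticket` takes the level source as a parameter only so the two variants can be compared side by side: with `required_level_from_param` the decision follows whatever `st` the browser sent, while with `required_level_from_registry` the same request is judged against the level registered for the service on the server. Unregistered services get no ticket at all, which is the check on the service itself that the reply says is missing.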