I think that there is a problem when a proxy ticket is created.

I implemented the ContextualServiceAuthenticationPolicyFactory interface in 
order to create a service ticket only if the user is allowed to access 
the specific service.

There is a problem in the 
method CentralAuthenticationServiceImpl.getAuthenticationSatisfiedByPolicy(). 
Only ticket.getAuthentication() and ticket.getSupplementalAuthentications() 
are evaluated. I think that only ticket.getChainedAuthentications() has to be 
evaluated (which includes the previous two).

Suppose this scenario:

There are two services: SA and SB.
The user UA is allowed to access the service SA but he is not allowed to 
access the service SB.
The user UA tries to access the service SB through a proxy ticket of the 
service SA.

Before the creation of the proxy ticket, the method 
ContextualServiceAuthenticationPolicyFactory.isServiceAllowed() is passed 
an authentication with a principalId of this kind: 
"https://myhost:8443/SA/proxyCallback", and I cannot evaluate whether the user 
behind this authentication is allowed to access the service SB. 
If I allow the principal "https://myhost:8443/SA/proxyCallback" (which may 
also be right, theoretically), when the proxy ticket is afterwards 
validated, the validation fails because it has the principal UA (which is 
not allowed to access the service SB). Moreover, in case of failed 
validation a 500 status code is returned instead of 403.


-- 
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
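The following is an added, simplified model of the scenario described in the message above; it is not CAS code and does not use the CAS API. It assumes a constructed allow-list (UA may access SA but not SB), a ticket chain TGT -> ST -> PGT, and the convention that a proxy-callback principal is identified by its URL form. It shows why a policy that inspects only the ticket's own authentication (plus supplemental ones) lets the proxy ticket for SB be created and only fails later at validation, whereas a policy that walks the chained authentications can deny it up front.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy table: which user principals may access which service.
ALLOWED = {"SA": {"UA"}, "SB": set()}

@dataclass
class Authentication:
    principal_id: str  # a user id, or a proxy callback URL for a proxying service

@dataclass
class Ticket:
    authentication: Authentication            # authentication that produced this ticket
    supplemental: List[Authentication] = field(default_factory=list)
    parent: Optional["Ticket"] = None         # ticket this one was granted from

    def chained_authentications(self) -> List[Authentication]:
        """Walk this ticket and every granting ticket above it (model of
        getChainedAuthentications(): it includes the ticket's own
        authentication and supplemental authentications)."""
        chain: List[Authentication] = []
        t: Optional[Ticket] = self
        while t is not None:
            chain.append(t.authentication)
            chain.extend(t.supplemental)
            t = t.parent
        return chain

def is_proxy_callback(principal_id: str) -> bool:
    # Assumed convention for the model: proxy-callback identities are URLs.
    return principal_id.startswith("https://") or principal_id.startswith("http://")

def is_principal_allowed(principal_id: str, service: str) -> bool:
    # A proxying service's callback identity is treated as allowed (the message
    # notes this may be "theoretically right"); the real decision is about the user.
    if is_proxy_callback(principal_id):
        return True
    return principal_id in ALLOWED.get(service, set())

def policy_top_level_only(ticket: Ticket, service: str) -> bool:
    """Model of the current behaviour: only ticket.getAuthentication() and
    ticket.getSupplementalAuthentications() are evaluated."""
    auths = [ticket.authentication] + ticket.supplemental
    return all(is_principal_allowed(a.principal_id, service) for a in auths)

def policy_chained(ticket: Ticket, service: str) -> bool:
    """Model of the proposed behaviour: evaluate ticket.getChainedAuthentications(),
    so the user behind a proxy-granting ticket is visible to the policy."""
    return all(is_principal_allowed(a.principal_id, service)
               for a in ticket.chained_authentications())

def validate(ticket: Ticket, service: str) -> bool:
    """Model of proxy-ticket validation: the user principal at the root of the
    chain must be allowed to access the service."""
    user = ticket.chained_authentications()[-1]
    return user.principal_id in ALLOWED.get(service, set())

def build_pgt() -> Ticket:
    """Constructed chain: TGT for UA -> ST for SA -> PGT whose authentication
    carries the proxy-callback principal of SA."""
    tgt = Ticket(Authentication("UA"))
    st_sa = Ticket(Authentication("UA"), parent=tgt)
    pgt = Ticket(Authentication("https://myhost:8443/SA/proxyCallback"), parent=st_sa)
    return pgt

def proxy_ticket_outcome(policy, service: str) -> str:
    """Run the creation-time policy over the PGT; if a proxy ticket is issued,
    validate it. Returns 'denied', 'valid' or 'created-then-validation-failed'."""
    pgt = build_pgt()
    if not policy(pgt, service):
        return "denied"                      # refused before the proxy ticket exists
    pt = Ticket(Authentication("https://myhost:8443/SA/proxyCallback"), parent=pgt)
    return "valid" if validate(pt, service) else "created-then-validation-failed"

if __name__ == "__main__":
    print("top-level policy, SB:", proxy_ticket_outcome(policy_top_level_only, "SB"))
    print("chained policy,  SB:", proxy_ticket_outcome(policy_chained, "SB"))
    print("chained policy,  SA:", proxy_ticket_outcome(policy_chained, "SA"))
```

With the top-level policy the PGT's only visible principal is the proxy callback, so the ticket for SB is created and the failure surfaces only at validation; with the chained policy the user UA is in the evaluated set and the request is refused at creation time, which is where a 403-style decision belongs.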