Good day,
It would be nice if CAS returned 400 bad request or something like that
when submitting a username/password without an execution token. I was
running the locust benchmarking tool, and it was returning 200 OK even
though an authentication never happened due to a missing execution token.
The following would show that the HTTP request was successful when it
really was not.
curl -v -d "@./tmp.passwd" https://cas.example.com/cas/login
Also, it would be nice if one could make an API call to grab the token.
It's my understanding that this should not be a security issue because
XSS is handled by the same origin policy, so a request from a foreign
site still would not be able to obtain the token.
Thanks.
--
Trenton D. Adams
Senior Systems Analyst/Web Software Developer
Applications Unit - ITS
Athabasca University
(780) 675-6195
It is only when you are surrounded by a supportive team, that you can achieve
your best. Instead of tearing people down, try building them up!
--
This communication is intended for the use of the recipient to whom it is
addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take action
relying on it. Any communications received in error, or subsequent reply,
should be deleted or destroyed.
---
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/79797657-5e7c-9b90-9cd6-20bdb221e6be%40athabascau.ca.
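The post above describes a benchmark that treated "200 OK" as a successful login even though CAS had only redisplayed the login form. The following is an added example, not code from the original post or from the CAS project, of the two helpers a benchmark would want: one that scrapes the `execution` token from the login page so the POST can be a real login attempt, and one that decides success from what CAS actually issues rather than from the status code. It assumes the stock CAS login form (hidden inputs named `execution` and `_eventId`), that a successful login sets a ticket-granting cookie (default name `TGC`, configurable) and/or redirects to the service with a `ticket=ST-...` parameter; the sample HTML and responses are constructed for the example.

```python
"""Added example: CAS login probe helpers for a benchmark (not CAS project code).

Assumptions (not from the original post): the login page is the stock CAS
Spring Webflow form with hidden inputs `execution` and `_eventId`; a successful
login is signalled by a ticket-granting cookie (assumed default name `TGC`)
and/or a redirect carrying `ticket=ST-...`.  Sample inputs below are constructed.
"""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


class _HiddenInputs(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def extract_execution_token(login_page_html: str) -> Optional[str]:
    """Return the webflow `execution` token from a GET /cas/login page, or None."""
    parser = _HiddenInputs()
    parser.feed(login_page_html)
    return parser.fields.get("execution")


def build_login_form(username: str, password: str, execution: str) -> Dict[str, str]:
    """Form body for POST /cas/login; without `execution` CAS just re-renders the form."""
    return {
        "username": username,
        "password": password,
        "execution": execution,
        "_eventId": "submit",
    }


def login_succeeded(status: int, headers: Dict[str, str], tgc_cookie_name: str = "TGC") -> bool:
    """True only if CAS issued a TGT cookie or redirected with a service ticket.

    A 200 with neither is the "form redisplayed" case from the post: the HTTP
    request worked, the authentication did not.
    """
    set_cookie = headers.get("Set-Cookie", "")
    if set_cookie:
        jar = SimpleCookie()
        jar.load(set_cookie)
        if tgc_cookie_name in jar and jar[tgc_cookie_name].value:
            return True
    location = headers.get("Location", "")
    if status in (302, 303) and location:
        tickets = parse_qs(urlparse(location).query).get("ticket", [])
        if any(t.startswith("ST-") for t in tickets):
            return True
    return False


# Constructed sample: a trimmed CAS login page.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" id="fm1" action="/cas/login">
  <input type="text" name="username"/>
  <input type="password" name="password"/>
  <input type="hidden" name="execution" value="e1s1-constructed"/>
  <input type="hidden" name="_eventId" value="submit"/>
</form></body></html>
"""

# Constructed sample responses (status, headers) for POST /cas/login.
NO_TOKEN_RESPONSE: Tuple[int, Dict[str, str]] = (200, {"Content-Type": "text/html"})
SUCCESS_RESPONSE: Tuple[int, Dict[str, str]] = (
    302,
    {
        "Location": "https://app.example.com/?ticket=ST-1-constructed",
        "Set-Cookie": "TGC=TGT-1-constructed; Path=/cas; Secure; HttpOnly",
    },
)


if __name__ == "__main__":
    token = extract_execution_token(SAMPLE_LOGIN_PAGE)
    form = build_login_form("alice", "s3cret", token or "")
    print("form fields:", sorted(form))
    print("no-token 200 counted as login?", login_succeeded(*NO_TOKEN_RESPONSE))
    print("redirect with TGC counted as login?", login_succeeded(*SUCCESS_RESPONSE))
```

In a Locust task the pattern is: GET /cas/login, run `extract_execution_token` on the body, POST `build_login_form(...)` with redirects disabled, and mark the request failed unless `login_succeeded` is true, so the benchmark counts authentications rather than HTTP round trips.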