On Tue, Nov 30, 2010 at 8:20 AM, Rene <[email protected]> wrote:
> Hello,
>
> I am stumped with how to access the supplied netID that was used to secure an
> application with CAS. I can access this information inside a protected servlet with:
> request.getRemoteUser() in Java. I have read that the NetID is put in the
> session if you are using mod_cas. Apparently, the user id is stored in
> REMOTE_USER in this case. My problem is that I am using Tomcat. My
> application is one HTML page with a lot of jQuery interaction. I am also
> using GWT in another protected application.
>
> Once the user logs in, I would like to set a variable "somewhere" and be able
> to refer to it in my jQuery code. Sorry, this is probably very simple but I
> cannot find an explanation that I can work from.
>
> I think I'm missing a key piece given that I have limited experience in web
> development. I can see from Firefox that my secured application SITE has
> three cookies:
>
> path : /TmpAlerts -> JSESSIONID
> path : /cas -> CASTGC
> path : /cas -> JSESSIONID
>
> Can anyone provide a pointer to what I am missing?
>
> I did manage to get something going which may or may not be a security
> concern. This is what I have to check here... Is this an acceptable
> approach?
>
> I have created a servlet filter, which calls the request.getRemoteUser()
> method and sets a USER_ID cookie. My secured applications can then look at
> the cookie and get the user_id of the person who logged in.
Without additional details, this sounds like it could have disastrous security consequences. A malicious user can completely control the value of the cookie and substitute another user id within it. Please make sure that you are validating the provided user id against some session store, or signing the value and validating it (including an expiration time at which the identity needs to be re-affirmed, to prevent permanent re-use of that cookie) before using it to make any authentication/authorization decisions.

> Is this a correct approach or is there something inside CAS that is already
> canned that I should be using?
>
> thanks and sorry for the noob question..
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
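One way to implement the "sign the value and validate it, with an expiration" option from the reply above, as an added example that is neither CAS's own code nor Rene's filter. It assumes the servlet filter calls issue() with the result of request.getRemoteUser() when setting the cookie, and that any server-side code reading the cookie calls verify() before trusting the user id; the class, method names and the "|" layout are hypothetical choices for this illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

/** Hypothetical helper: HMAC-signed, expiring cookie value of the form userId|expiresAt|tag. */
public final class SignedUserCookie {
    private static final String ALG = "HmacSHA256";
    private final byte[] key;  // server-side secret; the browser never sees it

    public SignedUserCookie(byte[] key) { this.key = key.clone(); }

    /** Builds the cookie value. expiresAtMillis bounds how long the identity may be reused. */
    public String issue(String userId, long expiresAtMillis) {
        String payload = userId + "|" + expiresAtMillis;
        String tag = Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
        return payload + "|" + tag;
    }

    /** Returns the user id only if the tag is genuine and the value has not expired; otherwise null. */
    public String verify(String cookieValue, long nowMillis) {
        if (cookieValue == null) return null;
        int last = cookieValue.lastIndexOf('|');
        if (last < 0) return null;
        String payload = cookieValue.substring(0, last);
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(cookieValue.substring(last + 1)); }
        catch (IllegalArgumentException e) { return null; }
        // Constant-time comparison: a forged or edited user id fails here without leaking timing.
        if (!MessageDigest.isEqual(mac(payload), given)) return null;
        int sep = payload.lastIndexOf('|');
        if (sep < 0) return null;
        long expiresAt;
        try { expiresAt = Long.parseLong(payload.substring(sep + 1)); }
        catch (NumberFormatException e) { return null; }
        if (nowMillis >= expiresAt) return null;  // expired: send the user back through CAS
        return payload.substring(0, sep);
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The cookie still has to be readable by jQuery, so it cannot be HttpOnly; set it with the Secure flag and treat the verified result, not the raw cookie, as the identity on the server side.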
