I'm inline...
On 2010-11-30, at 10:35 AM, Phil Ames wrote:

> On Tue, Nov 30, 2010 at 8:20 AM, Rene <[email protected]> wrote:
>> Hello,
>>
>> I am stumped with how to access the supplied netID that was used to secure
>> an application with CAS. I can access this information inside a protected
>> servlet with: request.getRemoteUser() in Java. I have read that the NetID is
>> put in the session if you are using mod_cas. Apparently, the user id is
>> stored in REMOTE_USER in this case. My problem is that I am using Tomcat. My
>> application is one HTML page with a lot of jQuery interaction. I am also
>> using GWT in another protected application.
>>
>> Once the user logs in, I would like to set a variable "somewhere" and be
>> able to refer to it in my jQuery code. Sorry, this is probably very simple
>> but I cannot find an explanation that I can work from.
>>
>> I think I'm missing a key piece given that I have limited experience in web
>> development. I can see from Firefox that my secured application SITE has
>> three cookies:
>>
>> path : /TmpAlerts -> JSESSIONID
>> path : /cas -> CASTGC
>> path : /cas -> JSESSIONID
>>
>> Can anyone provide a pointer to what I am missing?
>>
>> I did manage to get something going which may or may not be a security
>> concern. This is what I have to check here... Is this an acceptable
>> approach?
>>
>> I have created a servlet filter, which calls the request.getRemoteUser()
>> method and sets a USER_ID cookie. My secured applications can then look at
>> the cookie and get the user_id of the person who logged in.
>
> Without additional details, this sounds like it could have disastrous
> security consequences. A malicious user can completely control the
> value of the cookie and substitute another user id within it. Please
> make sure that you are validating the provided user id against some
> session store, or signing the value and validating it (including an
> expiration time at which the identity needs to be re-affirmed to
> prevent permanent re-use of that cookie) before using it to make any
> authentication/authorization decisions.

The only thing I use the user_id cookie for is to tag notes entered in a database with it. I am still using the default CAS authentication filters etc. The extra filter I added was to give me a way of retrieving the NetID that was used to log in. It is not used in the authentication mechanism.

>> Is this a correct approach or is there something inside CAS that is already
>> canned that I should be using?
>>
>> thanks and sorry for the noob question.
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
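An added example, not from the thread and not part of CAS: a Tomcat servlet filter that issues the USER_ID cookie the way Phil suggests, as an HMAC-signed value with an expiry, together with the server-side check that verifies it before anything trusts it. It assumes the javax.servlet API, that the CAS authentication filters run earlier in the chain so request.getRemoteUser() is populated, and that the HMAC key is supplied as a hypothetical hmacKey init-param in web.xml (the class name is hypothetical too).

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class UserIdCookieFilter implements Filter {
    private static final String COOKIE = "USER_ID";
    private static final long TTL_MS = 8L * 60 * 60 * 1000; // identity must be re-affirmed after 8 hours
    private static byte[] key; // assumption: HMAC key supplied as the hmacKey filter init-param in web.xml
    @Override public void init(FilterConfig cfg) { key = cfg.getInitParameter("hmacKey").getBytes(StandardCharsets.UTF_8); }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String user = r.getRemoteUser(); // populated by the CAS filters that run before this one
        if (user != null && !user.equals(verifiedUser(r))) { // (re)issue when missing, expired or tampered with
            String payload = user + "|" + (System.currentTimeMillis() + TTL_MS); // value = netid|expiry|hmac
            Cookie c = new Cookie(COOKIE, payload + "|" + hmac(payload));
            c.setPath("/TmpAlerts"); // must stay readable by the jQuery page, so it is not HttpOnly
            c.setSecure(r.isSecure());
            ((HttpServletResponse) res).addCookie(c);
        }
        chain.doFilter(req, res);
    }

    // Returns the NetID carried by USER_ID only if its signature and expiry check out; otherwise null.
    public static String verifiedUser(HttpServletRequest r) {
        if (r.getCookies() == null) return null;
        for (Cookie c : r.getCookies()) {
            if (!COOKIE.equals(c.getName())) continue;
            String[] parts = c.getValue().split("\\|");
            if (parts.length != 3 || !parts[1].matches("\\d{1,18}")) return null; // malformed: treat as absent
            byte[] expected = hmac(parts[0] + "|" + parts[1]).getBytes(StandardCharsets.UTF_8);
            boolean sigOk = MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.UTF_8)); // constant-time
            boolean fresh = Long.parseLong(parts[1]) > System.currentTimeMillis();
            return sigOk && fresh ? parts[0] : null;
        }
        return null;
    }

    private static String hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8))); // cookie-safe alphabet
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    @Override public void destroy() {}
}
```

Server-side code that tags notes should keep calling request.getRemoteUser() rather than reading the cookie, since the cookie is only a convenience for the browser-side jQuery code. Any server code that does read it should go through verifiedUser() so a client-edited value is rejected.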
