This is correct. TGT expiration is only valid in the context of doing
something (i.e. attempting to access a service). The generic success page
is essentially a landing page in case people somehow manage to come to CAS
without a service parameter.

I've asked previously for some use cases to make that landing page more
valuable (and thus worth it to actually contact the TGT storage and check
the validity) and I haven't gotten anything.

Cheers,
Scott


On Fri, Dec 10, 2010 at 5:35 PM, Rich Renomeron - TCG <
[email protected]> wrote:

> I was looking at login-webflow.xml today (investigating an unrelated
> problem), and noticed that it might be possible for a browser to get to
> the "generic login success" page with an invalid TGT.
>
> The ticketGrantingTicketExistsCheck state (line 11 in login-webflow.xml
> for version 3.4.3) does not seem to check the validity of the TGT, only
> its existence.  If there is no service parameter, you essentially end up
> right at the "generic login success" view.  Of course, this doesn't
> expose anything of value, as if you try this with a service parameter,
> the bogus TGT is exposed and you're forced to log in.
>
> Is my logic sound here, or am I missing something?
>
> Thanks,
> Rich
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
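
The behaviour discussed in this thread, as an added example that is not part of either message and is not CAS code: a simplified Python model of a login flow whose first decision checks only that a TGT cookie is present. The registry class, the view names, the expiry policy and the `validate_on_landing` option are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class TicketGrantingTicket:
    ticket_id: str
    created: float   # constructed timestamps, in seconds
    max_age: float   # hypothetical expiry policy

    def is_expired(self, now):
        return now - self.created > self.max_age

class TicketRegistry:
    """Hypothetical stand-in for the server-side TGT storage."""
    def __init__(self):
        self._tickets = {}

    def add(self, tgt):
        self._tickets[tgt.ticket_id] = tgt

    def get_valid(self, ticket_id, now):
        # Validity means: known to the registry AND not expired.
        tgt = self._tickets.get(ticket_id)
        if tgt is None or tgt.is_expired(now):
            return None
        return tgt

def login_flow(registry, tgt_cookie, service, now, validate_on_landing=False):
    """Return the name of the view or outcome the browser ends up at."""
    # Models the existence-only check: is a TGT cookie present at all?
    if tgt_cookie is None:
        return "login_form"
    if service is None:
        # No service parameter: the storage is not consulted unless the
        # (hypothetical) validate_on_landing option is switched on.
        if validate_on_landing and registry.get_valid(tgt_cookie, now) is None:
            return "login_form"
        return "generic_login_success"
    # With a service parameter the TGT must be looked up before anything
    # is issued, so a bogus or expired TGT is caught here.
    if registry.get_valid(tgt_cookie, now) is None:
        return "login_form"
    return "redirect_to_service"

def build_sample_registry():
    # Constructed sample data: one TGT created at t=0, valid for 100 seconds.
    registry = TicketRegistry()
    registry.add(TicketGrantingTicket("TGT-1-sample", created=0.0, max_age=100.0))
    return registry
```

With `validate_on_landing=True` every visit to the landing page costs a lookup in the ticket storage, which is the trade-off raised in the reply.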
