> I think your analysis might be right. We are screwed as long as web flow
> requires the sequence. We may need to rewrite more of Spring Web Flow.
I reopened https://issues.jasig.org/browse/CAS-958 and attached a patch that avoids symmetric encryption and meets the additional requirement Jon mentioned: "Login tickets MUST only be valid for one authentication attempt."

Here's how the LT looks for a flow I tested:

Initial: LT-0f3c4bc7-33c0-4c7c-bcf8-1e0c08e7fc6dZe1s1
Authenticate with bad password.
Next: LT-6f9c5de5-9e9d-4c7f-8821-03cdc8a24797Ze1s2
Attempt authentication with valid password and tamper with UUID portion of key:
java.lang.IllegalStateException: UUID component of flow execution key not recognized.
Go back to /login.
Next: LT-799817d3-cf95-4929-8898-3fab35ae2a63Ze4s1
Authenticate with valid password and authentication succeeds.

Please review the patch and provide feedback on the issue.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
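The message above tests three properties of a login ticket: it is bound to the flow execution key it was issued for, a tampered UUID is rejected, and a ticket is spent after one authentication attempt whatever the password outcome. The Python below is an added illustration of those properties written for this page; it is not the patch attached to CAS-958 and not Spring Web Flow code. The textual ticket form "LT-<uuid>Z<flowkey>", the "Z" separator, the flow keys used in the replay, and all class and function names are assumptions made to mirror the tickets shown in the thread.

```python
import uuid
import secrets


class LoginTicketRegistry:
    """Constructed model of single-use login tickets (LTs).

    Each ticket is a random UUID bound to the flow execution key it was
    issued for, and is removed from the registry on its first presentation,
    whatever the outcome of the password check. Illustration only; not the
    CAS implementation.
    """

    def __init__(self):
        self._live = {}  # ticket string -> flow execution key it was issued for

    def issue(self, flow_key):
        # Assumed textual form "LT-<uuid>Z<flowkey>", modelled on the tickets
        # quoted in the thread; the "Z" separator is a guess.
        ticket = "LT-%sZ%s" % (uuid.uuid4(), flow_key)
        self._live[ticket] = flow_key
        return ticket

    def consume(self, ticket, flow_key):
        """Return True iff the ticket is live and bound to flow_key.

        pop() removes the entry unconditionally, so a ticket is valid for
        exactly one authentication attempt; presenting it again fails.
        """
        bound = self._live.pop(ticket, None)
        if bound is None:
            return False
        return secrets.compare_digest(bound, flow_key)

    def abandon_flow(self, flow_key):
        """Drop tickets bound to a flow the user walked away from (back to /login)."""
        self._live = {t: k for t, k in self._live.items() if k != flow_key}


def tamper_uuid(ticket):
    """Flip the first hex digit of the UUID part (constructed tampering)."""
    head, body = ticket[:3], ticket[3:]
    replacement = "1" if body[0] == "0" else "0"
    return head + replacement + body[1:]


def login_attempt(registry, ticket, flow_key, password_ok, next_key):
    """One authentication attempt. Returns (outcome, next_ticket_or_None)."""
    if not registry.consume(ticket, flow_key):
        return ("ticket_rejected", None)
    if password_ok:
        return ("authenticated", None)
    # Bad password: the spent ticket is gone; issue a fresh one for the next step.
    return ("bad_password", registry.issue(next_key))


def simulate_thread_flow():
    """Replay the sequence described in the message with constructed flow keys."""
    reg = LoginTicketRegistry()
    log = []
    first = reg.issue("e1s1")
    outcome, second = login_attempt(reg, first, "e1s1", False, "e1s2")
    log.append(outcome)                                   # bad_password
    outcome, _ = login_attempt(reg, tamper_uuid(second), "e1s2", True, "e1s3")
    log.append(outcome)                                   # ticket_rejected
    # Going back to /login abandons the old flow; its untouched ticket dies with it.
    reg.abandon_flow("e1s2")
    log.append(reg.consume(second, "e1s2"))               # False
    third = reg.issue("e4s1")
    outcome, _ = login_attempt(reg, third, "e4s1", True, "e4s2")
    log.append(outcome)                                   # authenticated
    log.append(reg.consume(third, "e4s1"))                # False: replay of spent ticket
    return log


if __name__ == "__main__":
    print(simulate_thread_flow())
```

The point of the model is the ordering inside consume(): the ticket is removed before the flow key is compared, so neither a failed password nor a failed binding check leaves a ticket that could be presented a second time, which is what "valid for one authentication attempt" asks for.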
