I have CAS 3.4.2.1 installed at my site. I have configured CAS to support X509
certificates and I can authenticate successfully.
During testing with IE8 I came across a case where I would authenticate with
CAS using a client certificate (User A) in one tab. When I opened a second tab
I would be prompted to select a client certificate (again), and when I selected
a different user (User B), CAS would not re-authenticate when it saw the new
certificate. Instead the 2nd tab used the same authentication as the first tab
(User A), even though I presented a new client certificate.
I think this was done because the CAS login-webflow checks the presence of the
TicketGrantingTicket cookie. I did some research into IE8 and discovered they
have reworked how session sharing is handled between tabs. When I opened the
new tab manually, IE8 shared the cookies (CASTGT) with both tabs, but it didn't
share the SSL state. The new tab had to reestablish SSL (including client
certificate) with the CAS server.
So to CAS, since it saw the TicketGrantingTicket cookie, it bypassed
authentication, even though the cookie was being presented by a different
client certificate.
In essence for all tabs in IE8 (except those started with the 'New Session'
option) the first certificate the user authenticates with is their identity for
the entire browsing session, until they close the browser.
Is this the correct behavior for CAS? Should it validate that the TGT principal is
the same principal as the client cert that is in the request stream?
My login-webflow is the default one that was in the 3.4.2 (or 3.3.5) release:
<on-start>
    <evaluate expression="initialFlowSetupAction" />
</on-start>
<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId neq null"
        then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>
...
Attached are the log files for when I authenticated as User 1 and User 2.
Thanks,
Stephen
2011-11-01 09:28:27,234 DEBUG org.jasig.cas.client.session.SingleSignOutFilter
- No Artifact Provided; no action taking place.
2011-11-01 09:28:27,641 INFO org.jasig.cas.web.flow.InitialFlowSetupAction -
Setting path for cookies to: /cas
2011-11-01 09:28:27,673 DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction -
Placing service in FlowScope:
https://xxx/cas/services/j_acegi_cas_security_check
2011-11-01 09:28:30,003 INFO
org.jasig.cas.adaptors.x509.authentication.handler.SeatX509AuthenticationHandler
- got credentials for joe.admin@...
2011-11-01 09:28:30,503 INFO
org.jasig.cas.authentication.AuthenticationManagerImpl - AuthenticationHandler:
org.jasig.cas.adaptors.x509.authentication.handler.SeatX509AuthenticationHandler
successfully authenticated the user which provided the following credentials:
DN:CN=Joe Admin,... userPrincipalName:joe.admin@...
Audit trail record BEGIN
=============================================================
WHO: DN:CN=Joe Admin,... userPrincipalName:joe.admin@...
WHAT: supplied credentials: DN:CN=Joe Admin,... userPrincipalName:joe.admin@...
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Nov 01 09:28:30 HST 2011
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: unknown
=============================================================
2011-11-01 09:28:31,037 INFO org.perf4j.TimingLogger - start[1320175710003]
time[1034] tag[CREATE_TICKET_GRANTING_TICKET]
Audit trail record BEGIN
=============================================================
WHO: DN:CN=Joe Admin,... userPrincipalName:joe.admin@...
WHAT: TGT-1-0wJUieoGHM0px7xipg5VxmcjzOCBK3iGcFGGrMZWbHOtMnctxr-...
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Nov 01 09:28:31 HST 2011
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: unknown
=============================================================
2011-11-01 09:28:31,365 INFO org.jasig.cas.CentralAuthenticationServiceImpl -
Granted service ticket [ST-1-kQtAYMSoXCMSppNrivOq-cpf1.nmci.navy.mil] for
service [https://xxx/cas/services/j_acegi_cas_security_check] for user
[joe.admin@...]
2011-11-01 09:28:31,365 INFO org.perf4j.TimingLogger - start[1320175711318]
time[47] tag[GRANT_SERVICE_TICKET]
Audit trail record BEGIN
=============================================================
WHO: joe.admin@...
WHAT: ST-1-kQtAYMSoXCMSppNrivOq-... for
https://xxx/cas/services/j_acegi_cas_security_check
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Nov 01 09:28:31 HST 2011
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: unknown
=============================================================
2011-11-01 09:28:31,443 DEBUG org.jasig.cas.client.session.SingleSignOutFilter
- Storing session identifier for 4FC6DD80914A9087A1E84FC605EE337E
2011-11-01 09:28:31,615 INFO org.perf4j.TimingLogger - start[1320175711584]
time[31] tag[VALIDATE_SERVICE_TICKET]
Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-kQtAYMSoXCMSppNrivOq-...
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Nov 01 09:28:31 HST 2011
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: unknown
=============================================================
2011-11-01 09:28:32,225 DEBUG org.jasig.cas.client.session.SingleSignOutFilter
- No Artifact Provided; no action taking place.
2011-11-01 09:30:14,259 DEBUG org.jasig.cas.client.session.SingleSignOutFilter
- No Artifact Provided; no action taking place.
2011-11-01 09:30:14,274 DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction -
Placing service in FlowScope: https://xxx/testclient/protected/
2011-11-01 09:30:14,292 INFO org.jasig.cas.CentralAuthenticationServiceImpl -
Granted service ticket [ST-2-Fy7k3dlpWQYR39WW1I72-...] for service
[https://xxx/testclient/protected/] for user [joe.admin@...]
2011-11-01 09:30:14,292 INFO org.perf4j.TimingLogger - start[1320175814274]
time[18] tag[GRANT_SERVICE_TICKET]
Audit trail record BEGIN
=============================================================
WHO: joe.admin@...
WHAT: ST-2-Fy7k3dlpWQYR39WW1I72-... for https://xxx/testclient/protected/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Nov 01 09:30:14 HST 2011
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: unknown
=============================================================
2011-11-01 09:30:14,354 DEBUG org.jasig.cas.client.session.SingleSignOutFilter
- Storing session identifier for B8A23F56987D230C258381FAC12671BD
2011-11-01 09:30:14,417 INFO org.perf4j.TimingLogger - start[1320175814401]
time[16] tag[VALIDATE_SERVICE_TICKET]
Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-2-Fy7k3dlpWQYR39WW1I72-...
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Nov 01 09:30:14 HST 2011
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: unknown
=============================================================
2011-11-01 09:30:14,511 DEBUG org.jasig.cas.client.session.SingleSignOutFilter
- No Artifact Provided; no action taking place.
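An added example, not part of Stephen's post and not CAS code: a small Python model of the ticketGrantingTicketExistsCheck decision quoted above, next to a variant that also binds the TGT to the principal of the client certificate presented on the current request. The two-tab scenario reproduces what the post describes (shared CASTGT cookie, renegotiated TLS with a different certificate). The in-memory ticket registry, the TGT format and the two principals are constructed for the example.

```python
"""Model of the login-webflow decision described in the post (constructed
example, not CAS code).

A request carries an optional TGT cookie and an optional client-certificate
principal (what the TLS layer saw on this connection). The default flow grants
on the cookie alone; the binding flow additionally requires that the principal
behind the TGT match the certificate presented on this request.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    tgt_cookie: Optional[str]       # value of the CASTGT cookie, if any
    cert_principal: Optional[str]   # e.g. userPrincipalName from the client cert


@dataclass
class TicketRegistry:
    """Constructed stand-in for the CAS ticket registry: TGT id -> principal."""
    tgts: Dict[str, str] = field(default_factory=dict)
    counter: int = 0

    def create_tgt(self, principal: str) -> str:
        self.counter += 1
        tgt = f"TGT-{self.counter}-example"   # constructed id format
        self.tgts[tgt] = principal
        return tgt


def authenticate(req: Request, registry: TicketRegistry) -> Optional[str]:
    """Stand-in for the X.509 handler: the certificate principal is the identity."""
    if req.cert_principal is None:
        return None
    return registry.create_tgt(req.cert_principal)


Outcome = Tuple[Optional[str], Optional[str], str]   # (tgt id, principal, what happened)


def default_flow(req: Request, registry: TicketRegistry) -> Outcome:
    """ticketGrantingTicketExistsCheck as in the default webflow: a valid TGT
    cookie short-circuits authentication regardless of the certificate."""
    bound = registry.tgts.get(req.tgt_cookie)
    if bound is not None:
        return req.tgt_cookie, bound, "reused"
    tgt = authenticate(req, registry)
    if tgt is None:
        return None, None, "denied"
    return tgt, req.cert_principal, "authenticated"


def binding_flow(req: Request, registry: TicketRegistry) -> Outcome:
    """Same check, plus a binding test: if the request presents a client
    certificate whose principal differs from the TGT's principal, the TGT is
    not honoured. Here the stale TGT is removed and the new certificate is
    authenticated; denying outright would be an equally valid policy."""
    bound = registry.tgts.get(req.tgt_cookie)
    if bound is not None:
        if req.cert_principal is None or req.cert_principal == bound:
            return req.tgt_cookie, bound, "reused"
        del registry.tgts[req.tgt_cookie]   # principal mismatch: drop the old TGT
        tgt = authenticate(req, registry)
        return tgt, req.cert_principal, "reauthenticated"
    tgt = authenticate(req, registry)
    if tgt is None:
        return None, None, "denied"
    return tgt, req.cert_principal, "authenticated"


def two_tab_scenario(flow) -> Tuple[Optional[str], str, bool]:
    """Replay the post's IE8 scenario against a flow function.

    Returns (principal the second tab ended up as, outcome, new TGT issued?)."""
    registry = TicketRegistry()
    # Tab 1: no cookie yet, TLS negotiated with User A's certificate.
    tgt_a, who, outcome = flow(Request(None, "userA@example"), registry)
    assert (who, outcome) == ("userA@example", "authenticated")
    # Tab 2: the browser shares the CASTGT cookie but renegotiates TLS,
    # this time with User B's certificate.
    tgt_b, who, outcome = flow(Request(tgt_a, "userB@example"), registry)
    return who, outcome, tgt_b != tgt_a


if __name__ == "__main__":
    print("default flow :", two_tab_scenario(default_flow))
    print("binding flow :", two_tab_scenario(binding_flow))
```

With the default flow the second tab keeps User A's identity even though the connection carries User B's certificate; with the binding flow the mismatch is detected and the second tab is authenticated as User B with a fresh TGT. In the real flow the comparison would have to be made between the principal the TGT was issued to and the principal the X.509 handler resolves from the certificate in the current request, which is exactly the check the question asks about.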