Hi,
I am currently working on developing a custom login handler for
Shibboleth IdP. The goal is to allow applications protected by a
CASified IdP to use forced authentication (which is currently not
possible with the RemoteUserLoginHandler).
According to the CAS v2 protocol, a simple use of the parameter renew would
do the trick (http://www.jasig.org/cas/client-integration/renew vs.
forceAuthn, page 49 in
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf).
However, mapping to the AuthenticationFilter and ValidationFilter
(Cas20ProxyReceivingTicketValidationFilter) with the parameter "renew"
set to "true" is not enough to enforce re-authentication. The user is
not prompted for his credentials.
Code-wise, this is due to the existence of an Assertion (client side) stored as
an attribute of the session of the request transmitted to the CAS client
filters. More precisely, the AuthenticationFilter bypasses the
redirection to the CAS server if this assertion exists:
    public final void doFilter(final ServletRequest servletRequest,
            final ServletResponse servletResponse, final FilterChain filterChain)
            throws IOException, ServletException {
        ...
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final HttpSession session = request.getSession(false);
        // Assertion cached in the session by the ticket validation filter on an earlier visit
        final Assertion assertion = session != null
                ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;

        // A cached assertion short-circuits the filter: no redirect to the CAS
        // login page, so the configured renew flag is never sent at all
        if (assertion != null) {
            filterChain.doFilter(request, response);
            return;
        }
        ...
        final String urlToRedirectTo = CommonUtils.constructRedirectUrl(
                this.casServerLoginUrl, getServiceParameterName(),
                modifiedServiceUrl, this.renew, this.gateway);
        response.sendRedirect(urlToRedirectTo);
    }
I have decided to remove this attribute from the session transmitted to
the filters when forcedAuthentication is required (and this works well).
Why do I have to do so? Am I missing something, like configuration
subtleties?
And what do you think about my solution? Does this cause security
issues / break the protocol / ...? I have studied the code and I don't
think it does, but I would like to hear your opinion.
Thank you for your time,
Yanis.
PS: I had posted this on the forum a few days ago but I hadn't
completed my registration (subscription doesn't work well) and I don't
think it was sent to the mailing list. If it was, sorry for the double mail.
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
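The approach described in the post (dropping the cached assertion so that the AuthenticationFilter redirects to CAS with renew=true) can be packaged as a small servlet filter placed in front of the CAS client filters. The following is an added example written for this page; it is neither Yanis's code nor part of the JASIG CAS client or Shibboleth IdP. It assumes a URL pattern on which the AuthenticationFilter and the ticket validation filter are both configured with renew=true, that this filter is declared before them in web.xml, that the login handler signals a forced request with a hypothetical forceAuthn=true request parameter, and that the CAS client keeps its default ticket parameter name. The class name, the forceAuthn parameter and the in-flight session key are assumptions. Only AbstractCasFilter.CONST_CAS_ASSERTION is the CAS client's own constant.

```java
package example.cas;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.util.AbstractCasFilter;

/**
 * Hypothetical example filter (not part of the CAS client or Shibboleth IdP).
 * Runs before the CAS AuthenticationFilter on a path whose AuthenticationFilter
 * and ticket validation filter are both configured with renew=true. On a forced
 * request it drops the cached assertion so the AuthenticationFilter redirects
 * to the CAS login page (with renew=true) instead of short-circuiting.
 */
public final class ForcedAuthnFilter implements Filter {

    /** Assumed request parameter set by the login handler when the AuthnRequest carried ForceAuthn="true". */
    private static final String FORCE_PARAM = "forceAuthn";

    /** Assumed session marker: a forced round trip to CAS is in flight. */
    private static final String IN_FLIGHT_KEY = "example.forcedAuthn.inFlight";

    /** Default CAS client artifact parameter name. */
    private static final String TICKET_PARAM = "ticket";

    public void init(final FilterConfig filterConfig) throws ServletException {
        // nothing to configure in this example
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(final ServletRequest servletRequest,
            final ServletResponse servletResponse, final FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpSession session = request.getSession(false);

        if (session != null) {
            final boolean forced = "true".equals(request.getParameter(FORCE_PARAM));
            final String ticket = request.getParameter(TICKET_PARAM);
            final boolean hasTicket = ticket != null && ticket.length() > 0;
            final boolean inFlight = session.getAttribute(IN_FLIGHT_KEY) != null;
            final boolean hasAssertion =
                    session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION) != null;

            if (forced && !hasTicket && !inFlight) {
                // Step 1: first forced request. Remove the cached assertion so the
                // AuthenticationFilter redirects to CAS with renew=true instead of
                // trusting the SSO session. This fails closed: if CAS does not
                // re-authenticate the user, there is no old assertion to fall back to.
                session.removeAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
                session.setAttribute(IN_FLIGHT_KEY, Boolean.TRUE);
            } else if (inFlight && hasAssertion && !hasTicket) {
                // Step 3: the validation filter has validated the fresh ticket (with
                // renew=true the CAS server only accepts a ticket issued from primary
                // credentials, not from an SSO session) and redirected back here.
                // The round trip is complete; clear the marker so that the next
                // forced request forces again.
                session.removeAttribute(IN_FLIGHT_KEY);
            }
            // Step 2 (ticket present, no assertion yet) falls through untouched: the
            // AuthenticationFilter lets a ticket through and the validation filter
            // validates it and stores the new assertion in the session.
        }

        chain.doFilter(servletRequest, servletResponse);
    }
}
```

The in-flight marker exists because the CAS client builds the service URL from the request URL including its query string, so forceAuthn=true comes back on the post-validation redirect; without the marker the freshly stored assertion would be removed again and the chain would loop. Note that removing the assertion only triggers the redirect; the actual guarantee that the user re-entered credentials comes from the validation filter sending renew=true, which makes the CAS server reject tickets issued from an existing SSO session, so renew must be set on both filters for this path.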