Hello, I have configured ClearPass to release credentials using proxy CAS.

I have configured clearpass-configuration.xml to have one host in the "allowedProxyChains" bean for testing, which is my own host. The ClearPass Cas20ProxyReceivingTicketValidationFilter checks that the host that requested the Proxy Ticket, obtained through

    https://cas-server.me.edu/cas/proxy?targetService=https://cas-server.me.edu/cas/clearPass&pgt=TGT-1-dfY33r3r3r3r3....etc

is the same as the host in "allowedProxyChains"; otherwise an "org.jasig.cas.client.validation.InvalidProxyChainTicketValidationException" is thrown. This is all fine.

However, if I grab the proxy ticket that is returned from

    https://cas-server.me.edu/cas/proxy?targetService=https://cas-server.me.edu/cas/clearPass&pgt=TGT-1-dfY33r3r3r3r3....etc

with the response

    <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:proxySuccess>
        <cas:proxyTicket>ST-16-a...etc</cas:proxyTicket>
      </cas:proxySuccess>
    </cas:serviceResponse>

and use wget or the like from any other server, ClearPass validates the request and passes credentials to that machine.

Should ClearPass also be validating that the request for the password comes from the same machine that requested the Proxy Ticket? Or is it an impossible scenario that Proxy Tickets can be hijacked?

Cheers

--
View this message in context: http://jasig.275507.n4.nabble.com/clearpass-security-question-tp4659834.html
Sent from the CAS Users mailing list archive at Nabble.com.
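The check the post describes is driven by what the CAS server puts in its /proxyValidate response: the CAS 2.0 protocol reports the chain of proxy callback URLs that obtained the ticket in <cas:proxies>/<cas:proxy> elements, and a client compares that chain with its configured allowed chains. The following is an added example written for this page (it is not the poster's configuration and not the Jasig client's own code): it parses a constructed /proxyValidate response, applies an exact, ordered chain comparison, and rejects a failure response. The sample responses, the user "jsmith" and the callback URL https://app.me.edu/cas/proxyCallback are constructed for the example. Note that nothing in the parsed response identifies the host that presented the proxy ticket, which is why the check alone cannot tell a wget from another server apart from the intended proxy; that is the gap the post asks about.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses (not captured from a real CAS server).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:proxies>
      <cas:proxy>https://app.me.edu/cas/proxyCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Hypothetical equivalent of an "allowedProxyChains" setting: a list of
# chains, each chain being the ordered list of proxy callback URLs.
ALLOWED_CHAINS = [["https://app.me.edu/cas/proxyCallback"]]


class ProxyValidationError(Exception):
    """Raised for a CAS failure response or a proxy chain that is not allowed."""


def parse_proxy_validate(xml_text):
    """Parse a CAS 2.0 /proxyValidate response.

    Returns (user, [proxy callback URLs]) in the order the server reports
    them. Raises ProxyValidationError on <cas:authenticationFailure> or on
    a response with no <cas:authenticationSuccess> element.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise ProxyValidationError(f"{code}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ProxyValidationError("no authenticationSuccess element")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS)).strip()
    if not user:
        raise ProxyValidationError("authenticationSuccess without cas:user")
    proxies = [
        p.text.strip()
        for p in success.findall("cas:proxies/cas:proxy", CAS_NS)
        if p.text and p.text.strip()
    ]
    return user, proxies


def chain_allowed(proxies, allowed_chains):
    """Exact, ordered match of the reported chain against the allowed chains.

    Length and order both matter: a chain that passes through an extra
    proxy, or through the same proxies in a different order, is rejected.
    An empty reported chain (a ticket not obtained by proxying) is accepted
    only if an empty chain is explicitly listed.
    """
    return any(list(proxies) == list(chain) for chain in allowed_chains)


def validate_proxy_ticket_response(xml_text, allowed_chains):
    """Full client-side check: parse, then enforce the proxy chain.

    Returns the authenticated user on success. Observe that the requester's
    network address is not an input here: the response carries only the
    proxy chain, so whichever host presents the ticket gets the same answer.
    """
    user, proxies = parse_proxy_validate(xml_text)
    if not chain_allowed(proxies, allowed_chains):
        raise ProxyValidationError(f"proxy chain not allowed: {proxies}")
    return user


if __name__ == "__main__":
    print(validate_proxy_ticket_response(SAMPLE_SUCCESS, ALLOWED_CHAINS))
    for bad in ([["https://other.me.edu/cas/proxyCallback"]], [[]]):
        try:
            validate_proxy_ticket_response(SAMPLE_SUCCESS, bad)
        except ProxyValidationError as e:
            print("rejected:", e)
```

Run it directly to see the accepted user for the configured chain and the rejection for a chain that names a different callback URL or no proxy at all.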
