Hi,

To automatically fill the hidden username input field, you use the CASTGC cookie which is the foundation of the CAS security. So if someone had stolen this cookie (unlikely), he could get the username of the user when trying to access your service with credentials renewal. And he would just have to guess the password (less secure). That said, with a stolen CASTGC, the attacker can certainly access many applications.

I'm not sure to understand what you have in mind with "alter the parameters in some way before they left the browser to match their own credentials". I think that if someone malicious had access to your computer (unlocked), he could just install a spyware to grab all your login/passwords, couldn't he?

Best regards,
Jérôme

2013/9/5 <[email protected]>

> I see your point Jérôme and I had sort of set off down this route but realised that there was a specific case I needed to protect against.
> As the high security area contains sensitive data about the logged in user I didn't want there to be any possibility another user could sit down at an unlocked workstation that had been left logged on, click the link to the sensitive area, submit the screen containing the password and hidden username and alter the parameters in some way before they left the browser to match their own credentials.
> This does seem unlikely but is a potential gap that may allow them to see another user's sensitive data by re-authentication with their own credentials. With this in mind I thought it may be better if just the password was submitted and the username joined it from the ticketRegistry when it reached the server before being authenticated.
>
> Thanks for the heads up on the API Dmitriy, I will be sure to give this a look too.
>
> On Thursday, September 5, 2013 5:14:31 PM UTC+1, Jérôme LELEU wrote:
>>
>> Hi,
>>
>> I think that the easiest way here is to have an <input type="hidden"> field in your form for the username with the retrieved value. So that your username is submitted as well as the password.
>> Best regards,
>> Jérôme
>>
>> 2013/9/5 <[email protected]>
>>
>>> I have had some luck creating a custom web flow action and getting hold of the principal using:
>>>
>>> TicketGrantingTicket t = (TicketGrantingTicket) ticketRegistry.getTicket(WebUtils.getTicketGrantingTicketId(context));
>>> Authentication authentication = t.getAuthentication();
>>> Principal principal = authentication.getPrincipal();
>>>
>>> Hopefully this is a reasonable thing to do.
>>> I was thinking, if I create a custom login page for re-authentication containing input for just the password, then added my custom action after the bindAndValidate state, how could I get my newly retrieved username into the credentials ready for the submit action state?
>>>
>>> On Thursday, September 5, 2013 9:52:15 AM UTC+1, [email protected] wrote:
>>>>
>>>> Hi Jérôme,
>>>>
>>>> Thank you for your assistance (and apologies for the delay in my reply).
>>>> I have managed to add an action into the webflow after renewRequestCheck and before viewLoginForm (note I'm using cas 3.3.1 if it matters).
>>>> I currently have injected into my new action CentralAuthenticationService and TicketRegistry and have access to the tgtid using WebUtils.getTicketGrantingTicketId, but I can't see where to get the username from.
>>>> Any pointers?
>>>>
>>>> Thank you.
>>>>
>>>> On Tuesday, August 27, 2013 7:56:12 AM UTC+1, Jérôme LELEU wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> The CAS server behaves according to what is defined in its webflow: https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/web/flow/InitialFlowSetupAction.java
>>>>>
>>>>> In this case, we'd like to have a login page not displaying the "username" field if the user is already authenticated (just the password field).
>>>>>
>>>>> You need two changes:
>>>>> - in the webflow, before displaying the login page, add a new expression (around line 128) to evaluate if the user is already authenticated and his username (be aware that the TGT id is in the webflow: https://github.com/Jasig/cas/blob/3.5.x/cas-server-core/src/main/java/org/jasig/cas/web/flow/InitialFlowSetupAction.java, so you would need to query the tickets registry with that)
>>>>> - in the login page, add the appropriate logic: https://github.com/Jasig/cas/blob/3.5.x/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/default/ui/casLoginView.jsp
>>>>>
>>>>> Best regards,
>>>>> Jérôme
>>>>>
>>>>> 2013/8/22 <[email protected]>
>>>>>
>>>>>> Renew does sound like it should renew an existing identity.
>>>>>> I'm afraid I'm a bit of a newbie when it comes to customising cas. Do you have any pointers for where to start? Any wiki articles? Or do I need to start trawling source code? Regardless, thank you very much for your help.
>>>>>>
>>>>>> On Thursday, August 22, 2013 9:32:03 AM UTC+1, Jérôme LELEU wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> There were several discussions about the renew parameter, especially when we wrote the LOA specifications.
>>>>>>> I'm in favor of blocking new identity when using the renew parameter: it should only be possible to check the password.
>>>>>>> But we didn't reach any clear agreement on this, so I guess it will stay a customization for now.
>>>>>>> Best regards,
>>>>>>> Jérôme
>>>>>>>
>>>>>>> 2013/8/22 <[email protected]>
>>>>>>>
>>>>>>>> That sounds like exactly what I want, I was hoping there was a native mechanism to support that and initially wondered if renew was it but I guess not.
>>>>>>>>
>>>>>>>> On Thursday, August 22, 2013 7:26:15 AM UTC+1, Jérôme LELEU wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> What would be the expected behaviour when the user is already authenticated and requested to login again?
>>>>>>>>> Do you want the login page to have the username already fixed by the previous authentication and only the password can be edited? Because I'm pretty sure that this can be easily achieved with a customization.
>>>>>>>>> Best regards,
>>>>>>>>> Jérôme
>>>>>>>>>
>>>>>>>>> 2013/8/21 <[email protected]>
>>>>>>>>>
>>>>>>>>>> Thank you very much for the responses. I suspect I didn't explain myself very well. The idea is that the user logs onto the web application with a username and password through cas. They are then free to use the system. If they attempt to click the "edit my profile" link they are then asked to provide their password again before they can see that screen - to mitigate against a user leaving their browser logged in, walking away and someone sitting down and changing their details. Similar to the way Amazon deals with editing a profile.
>>>>>>>>>>
>>>>>>>>>> I have tried to redirect to login with renew=true when the profile page is requested and indeed authentication is requested but at that point any valid account seems to work as it is requesting fresh credentials. I am really only after them entering the password for the logged in account at that point.
>>>>>>>>>>
>>>>>>>>>> Any ideas?
>>>>>>>>>>
>>>>>>>>>> Thanks for any help.
>>>>>>>>>> --
>>>>>>>>>> You are currently subscribed to [email protected] as: [email protected]
>>>>>>>>>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
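An added example, not code from this thread or from the CAS project, of the server-side join the original poster asks about: a Spring Webflow action, meant to sit between the bindAndValidate and submit states of login-webflow.xml, that ignores whatever username the browser posted during a renew=true login and overwrites it with the principal id recorded in the existing TGT. It assumes the CAS 3.x class names already used in the thread (TicketRegistry, TicketGrantingTicket, WebUtils, UsernamePasswordCredentials) and that the bound credentials live in flow scope under the name "credentials"; the class name RenewUsernameFromTgtAction is made up.

```java
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.web.support.WebUtils;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/**
 * Added example (hypothetical class). During a renew=true login, pin the
 * username to the one in the existing TGT so that a second person at an
 * unlocked workstation cannot re-authenticate as themselves and then be
 * shown the first user's sensitive data.
 */
public class RenewUsernameFromTgtAction extends AbstractAction {

    private TicketRegistry ticketRegistry;

    @Override
    protected Event doExecute(final RequestContext context) throws Exception {
        // The TGT id is taken from the CASTGC cookie; InitialFlowSetupAction
        // has already placed it in flow scope for us.
        final String tgtId = WebUtils.getTicketGrantingTicketId(context);
        if (tgtId == null) {
            return error(); // no SSO session: nothing to pin the username to
        }
        final TicketGrantingTicket tgt =
            (TicketGrantingTicket) this.ticketRegistry.getTicket(tgtId);
        if (tgt == null || tgt.isExpired()) {
            return error(); // stale or unknown TGT: treat as not authenticated
        }
        final Principal principal = tgt.getAuthentication().getPrincipal();

        // Credentials were bound from the form in the bindAndValidate state
        // (assumed flow-scope name "credentials", as in the stock login webflow).
        final UsernamePasswordCredentials credentials =
            (UsernamePasswordCredentials) context.getFlowScope().get("credentials");
        if (credentials == null) {
            return error();
        }
        // Overwrite, never merge: any username field the browser posted is untrusted.
        credentials.setUsername(principal.getId());
        return success();
    }

    public void setTicketRegistry(final TicketRegistry ticketRegistry) {
        this.ticketRegistry = ticketRegistry;
    }
}
```

Declare it as a bean with the ticketRegistry property injected and add an action-state that invokes it between bindAndValidate and submit; route its error event back to the login view rather than on to authentication, so a request with no live TGT can never reach the password check with a caller-chosen username.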
