Thanks for your explanation. Some time ago I posted a similar question, 
but missed somehow the reply of David Ohsie (but found it now via 
Google), where he also mentioned this scenario

http://www.mail-archive.com/[email protected]/msg14315.html

I understand this security risk, but I have to admit that I would rather 
accept this risk than not be able to do my
own login screen.

I have now played a bit with modifying (disabling the login ticket 
validation)

cas-server-3.5.2/cas-server-core/src/main/java/org/jasig/cas/web/flow/AuthenticationViaFormAction.java

and this seems to work, except that the redirect does not happen after 
successful authentication, hence my content management system never gets 
the service ticket to validate. Will try to understand better why this 
is the case.

Thanks

Michael
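To make concrete what the login ticket discussed in this thread does, here is an added Python sketch (my own illustration, not code from CAS or from anyone on this list) of a single-use login ticket bound to the browser session: it is minted when the form is rendered and consumed on the first POST, so a browser re-POST of the same form (back button) or a cross-site form that carries no valid ticket is rejected before credentials are even looked at. The names LoginTicketStore, handle_login_post and the sample user are assumptions; the real CAS webflow keeps the ticket in flow scope, and the order of checks in AuthenticationViaFormAction is only approximated here.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LoginTicketStore:
    """Outstanding login tickets, keyed by the browser's session id.
    Constructed stand-in for the CAS-side registry (assumption, not CAS code)."""
    _pending: dict = field(default_factory=dict)

    def issue(self, session_id: str) -> str:
        """Mint a fresh, unguessable ticket when the login form is rendered."""
        lt = "LT-" + secrets.token_urlsafe(24)
        self._pending[session_id] = lt
        return lt

    def consume(self, session_id: str, presented) -> bool:
        """Validate and invalidate in one step: whatever the outcome, the ticket
        is gone, so a second POST carrying the same fields cannot succeed."""
        expected = self._pending.pop(session_id, None)
        if expected is None or presented is None:
            return False
        return secrets.compare_digest(expected, presented)


def render_login_form(store: LoginTicketStore, session_id: str) -> dict:
    """What a CMS-hosted form posting straight to CAS /login would have to
    embed: a hidden 'lt' field obtained from the CAS session."""
    return {"lt": store.issue(session_id)}


def handle_login_post(store, session_id, form, check_password):
    """Approximation of the form action: the LT is checked first; only then
    are the credentials verified and a service ticket issued for the redirect."""
    if not store.consume(session_id, form.get("lt")):
        return ("error", "invalid login ticket")  # CAS re-renders the form with a new LT
    if not check_password(form.get("username"), form.get("password")):
        return ("error", "bad credentials")       # also burns the ticket; retry form gets a new one
    service_ticket = "ST-" + secrets.token_urlsafe(16)
    return ("redirect", service_ticket)           # redirect to service?ticket=ST-...


def demo():
    """Three POSTs against one session: legitimate, replayed, and cross-site."""
    store = LoginTicketStore()
    users = {"alice": "correct horse"}            # constructed sample credentials
    check = lambda u, p: users.get(u) == p
    session = "JSESSIONID-constructed"

    # 1. form rendered by CAS (or embedded by the CMS), then submitted once
    form = render_login_form(store, session)
    form.update(username="alice", password="correct horse")
    first = handle_login_post(store, session, form, check)

    # 2. browser re-posts the identical form (back button): ticket already consumed
    replay = handle_login_post(store, session, dict(form), check)

    # 3. a fresh form is open in the browser, but a cross-site form has no 'lt'
    render_login_form(store, session)
    forged = {"username": "alice", "password": "correct horse"}
    cross_site = handle_login_post(store, session, forged, check)

    return first[0], replay, cross_site


if __name__ == "__main__":
    print(demo())
```

demo() returns "redirect" for the first POST and ("error", "invalid login ticket") for both the replayed and the cross-site POST; those two rejections are exactly the distinction that disappears when the ticket check in AuthenticationViaFormAction is disabled.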

On 09.11.13 12:04, Jérôme LELEU wrote:
> Hi,
>
> Quoting Scott from a discussion on a pull request:
> "The reason that LoginTickets/Tokens exist (which essentially forces a 
> session) was to combat an issue with browsers reposting credentials 
> when users hit the back button. This issue was around in 2005. Not 
> sure if it's a major issue right now."
>
> Best,
> Jérôme
>
>
>
> 2013/11/8 KaTeLmE <[email protected] <mailto:[email protected]>>
>
>     Sorry, I forgot the wiki link lol
>
>     https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
>
>
>     2013/11/8 KaTeLmE <[email protected] <mailto:[email protected]>>
>
>         Seems like this is to increase security and avoid CSRF
>         attacks. It forces any application to submit the
>         credentials by the POST method to the CAS server app.
>
>         See my comment in CAS wiki
>
>         If you need to avoid that behaviour, for example to submit via
>         ajax...., you should create a non-interactive authentication
>         action
>         (org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction)
>         like SPNEGO, X509 Certificates or remote trusted client are
>         doing, and modify the login-webflow to handle your behaviour.
>
>         I hope that this helps you!!
>
>
>         2013/11/8 Michael Wechner <[email protected]
>         <mailto:[email protected]>>
>
>             Hi
>
>             I am still working on generating the login screen by the
>             content management system instead of CAS,
>             whereas I have read
>
>             https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
>
>             I understand that one wants to prevent that credentials
>             are being sent to the content management system,
>             but having the action pointing to the CAS Server directly
>
>             <form
>             action="https://127.0.0.1:7070/cas-server-webapp-3.5.2/login"
>             method="POST">
>
>             does not seem to me to be a security violation.
>
>             But of course this does not work because of the required
>             Login Ticket.
>
>             I have been reading
>
>             http://www.jasig.org/cas/protocol
>
>             but I still don't really understand what's the purpose of
>             the Login Ticket.
>             Does somebody have some more hints on this?
>
>             I am currently considering disabling the login ticket
>             validation inside
>
>             cas-server-3.5.2/cas-server-core/src/main/java/org/jasig/cas/web/flow/AuthenticationViaFormAction.java
>
>             but I guess this is not really considered best practice :-)
>
>             Thanks
>
>             Michael
>
>             -- 
>             You are currently subscribed to [email protected]
>             <mailto:[email protected]> as: [email protected]
>             <mailto:[email protected]>
>             To unsubscribe, change settings or access archives, see
>             http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>

