Hi Nancy,

Thanks for your clarifications. Really appreciated.
The provided links are very useful.

Regards,
Durga Prasad

On Wed, Feb 11, 2015 at 6:32 AM, Nancy Snoke <[email protected]> wrote:

> As far as CSRF on the cas server login page the login ticket called lt in
> the jsp is a randomly generated synchronizer token submitted with the login
> form that prevents CSRF.  This is an OWASP recommended solution for dealing
> with CSRF, see
> https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
> .
>
> The Service Ticket, as Carl said, is a one time use ticket that is very
> short lived.  Since it's one time use it's not vulnerable to a replay.
>
> A man in the middle theoretically could steal the ST.  The risk can be
> reduced by using an appropriate service ticket expiration time, and only
> allowing encrypted communications between cas server and application, etc.
>
> CAS has put a great deal of thought into possible security risks and
> mitigations.  You might be interested in some of the details on the wiki.
>
> https://wiki.jasig.org/display/CAS/CAS+Threat+Modeling
>
> https://wiki.jasig.org/display/CAS/Proposals+to+mitigate+security+risks
>
>
> Nancy
>
>
> ________________________________________
> From: Waldbieser, Carl [[email protected]]
> Sent: Monday, February 09, 2015 8:33 AM
> To: [email protected]
> Subject: Re: [cas-user] How does CAS perform Session Management?
>
> Prasad,
>
> 1. CAS uses a Ticket Granting cookie (TGC) to track the TGT issued during
> authentication.
> 2. CAS does not specifically protect from these attacks.  However, if you
> are using TLS as the transport layer for your services, that protects
> against MITM and replay attacks.  Cross Site Request Forgery protection is
> something each service provider must provide for itself where applicable.
> 3. A TGT is a long-lived ticket that allows you to request service tickets
> for specific services from CAS without having to re-present primary
> credentials.  A service ticket (ST) is a short-lived, one time use ticket
> that a service provider validates with CAS in order to authenticate the
> user.  It is kind of like:
>
>   user:  CAS, please give me a one-time ST good for service "foo".
>   CAS : You don't have a TGT, so please provide me with credentials.
>   user: Here is my username and password.
>   CAS : Looks good.  Here is a TGT that is good for 8 hours.
>         You can use that next time instead of having to type in your credentials.
>         Also, here is the ST you asked for.  It is only good for 10 seconds.
>   user: Service "foo", here is a service ticket that identifies me.
>   foo : CAS, I received this ST-- could you validate it please?
>   CAS : This ST is good.  It is for user "jdoe".
>   foo : User "jdoe", welcome to the "foo" service!
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Durga Prasad" <[email protected]>
> To: [email protected]
> Sent: Sunday, February 8, 2015 10:35:43 AM
> Subject: [cas-user] How does CAS perform Session Management?
>
> Hi Folks,
>
> I have a few doubts on CAS.
>
> 1. How does CAS maintain a session between multiple applications?
>
> 2. How is CAS secure from Man in the middle, Replay & CSRF attacks?
>
> 3. What is the difference between TGT & service ticket?
>
> Kindly clarify my doubts.
>
> Thanks in advance.
>
> Regards
> Prasad
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

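The TGT/ST exchange Carl walks through above, modelled as an added example that is not CAS's own code: a small ticket registry that issues a TGT on login, grants short-lived one-time service tickets against it, and consumes an ST on validation so that a replayed, expired, or wrong-service ST is rejected. The placeholder credential check, the 8-hour and 10-second lifetimes, and the user and service names are assumptions taken from the illustration.

```python
import secrets
# Lifetimes from Carl's illustration (8-hour TGT, 10-second ST), not CAS defaults.
TGT_TTL, ST_TTL = 8 * 3600, 10


class CasServer:
    def __init__(self, clock):
        self.clock = clock  # callable returning the current time in seconds
        self.tgts = {}      # TGT id -> (user, expiry)
        self.sts = {}       # ST id -> (user, service, expiry)

    def login(self, username, password):
        # Credential check is a placeholder; real CAS consults its auth handlers.
        if not password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(32)  # unguessable; sent as the TGC cookie
        self.tgts[tgt] = (username, self.clock() + TGT_TTL)
        return tgt

    def grant_service_ticket(self, tgt, service):
        rec = self.tgts.get(tgt)
        if rec is None or rec[1] < self.clock():
            self.tgts.pop(tgt, None)
            return None  # user must re-present primary credentials
        st = "ST-" + secrets.token_urlsafe(32)
        self.sts[st] = (rec[0], service, self.clock() + ST_TTL)
        return st

    def validate(self, st, service):
        # pop() consumes the ticket, so a second validation of the same ST
        # fails: this is what makes a captured ST useless for replay.
        rec = self.sts.pop(st, None)
        if rec is None:
            return None
        user, bound_service, expiry = rec
        if bound_service != service or expiry < self.clock():
            return None
        return user


def demo():
    now = [1000.0]  # fake clock so expiry can be driven deterministically
    cas = CasServer(clock=lambda: now[0])
    tgt = cas.login("jdoe", "hunter2")       # constructed credentials
    st = cas.grant_service_ticket(tgt, "foo")
    first = cas.validate(st, "foo")          # "jdoe": fresh one-time ST
    replay = cas.validate(st, "foo")         # None: already consumed
    st2 = cas.grant_service_ticket(tgt, "foo")
    now[0] += ST_TTL + 1                     # let the second ST age out
    stale = cas.validate(st2, "foo")         # None: expired
    return first, replay, stale
```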