Hi list,

I am reading the source code of CAS and of the Java client, and one
question comes to me. Possibly there are some security issues.

We know that some policies can be applied to the ST and TGT, and that
TicketCleaner moves expired tickets out from time to time in order to
keep the tickets valid. However, in cas-client-java-3.0.0-rc1 the
"useSession" option breaks this rule.

Say we set "useSession" to true. If the input credentials are OK,
CasValidationFilter will put the *assertion* into the session:

        // CasValidationFilter: cache the validated assertion in the HTTP session
        if (isUseSession()) {
            request.getSession().setAttribute(CONST_ASSERTION, assertion);
        }

and in CasAuthenticationFilter, here is what happens:

        // CasAuthenticationFilter: a cached assertion short-circuits the ticket check
        final Assertion assertion = session != null
                ? (Assertion) session.getAttribute(CONST_ASSERTION) : null;
        if (CommonUtils.isBlank(ticket) && assertion == null && !wasGatewayed) {
            ....
        }
        .....
        filterChain.doFilter(request, response);

I guess the designer's purpose is to take pressure off the CAS server,
but it creates a security issue. The above code means the assertion is
always valid, regardless of whether the ST in the ticket cache has
expired or not, unless the session times out. Another issue is that the
LogoutAction on the CAS server side should call back to invalidate the
session.

My proposal is to put the ST in the session and validate it every time
in order to keep the security working.

Thanks
/Jack



--
Keep Discovering ... ...
Copenhagen Spirit = a mixture of intense intellectual activity, a bold
spirit of adventure, profound research content and cheerful optimism.
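The two behaviours the message contrasts, as an added Python model that is not CAS or cas-client code: a constructed ticket registry with a TicketCleaner and a server-side logout, a request path that trusts an assertion cached in the session, and the proposed path that keeps the ST in the session and revalidates it on every request. The ticket names, user names, clock and ST_TTL are all constructed for the example.

```python
ST_TTL = 10  # constructed service-ticket lifetime, in clock units


class TicketRegistry:
    """Stand-in for the CAS server's ticket registry plus TicketCleaner."""
    def __init__(self):
        self.tickets = {}  # ST -> (user, issued_at)
    def issue(self, st, user, now):
        self.tickets[st] = (user, now)
    def clean(self, now):
        """TicketCleaner: drop STs whose lifetime has passed."""
        self.tickets = {s: v for s, v in self.tickets.items() if now - v[1] <= ST_TTL}
    def logout(self, user):
        """Server-side LogoutAction: drop every ticket belonging to that user."""
        self.tickets = {s: v for s, v in self.tickets.items() if v[0] != user}
    def validate(self, st, now):
        """Return the user of a live ST, or None if it is unknown, expired or cleaned."""
        entry = self.tickets.get(st)
        if entry is None or now - entry[1] > ST_TTL:
            return None
        return entry[0]


def access_cached_assertion(registry, session, ticket, now):
    """useSession=true as described: once the assertion is in the session it is trusted
    on every later request without consulting the ticket registry."""
    if "assertion" in session:
        return session["assertion"]
    user = registry.validate(ticket, now)
    if user is not None:
        session["assertion"] = user
    return user


def access_revalidating(registry, session, ticket, now):
    """The proposal in the message: keep the ST in the session and validate it against
    the registry on every request, clearing the session as soon as that fails."""
    st = session.get("st", ticket)
    user = registry.validate(st, now)
    if user is None:
        session.clear()
        return None
    session["st"] = st
    return user


def run_scenario(access):
    """Log in at t=0, then request again after the ST expired and TicketCleaner ran."""
    registry, session = TicketRegistry(), {}
    registry.issue("ST-1", "alice", now=0)
    first = access(registry, session, "ST-1", now=0)
    registry.clean(now=ST_TTL + 1)
    later = access(registry, session, None, now=ST_TTL + 1)
    return first, later
```

Running both paths through the same scenario shows the cached assertion still granting access after the ST was cleaned, while the revalidating path denies it and empties the session; the same contrast appears after a server-side logout.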

_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas