Re: Security leak in cas-client-java-3.0.0-rc1?

Tue, 19 Sep 2006 21:14:54 -0700

To expand on what Velpi said.  When a user requests access to an application, they are redirected to CAS (and may or may not need to do authentication, depending on if a single sign on session exists).  The CAS server will generate a token, which we call a ST, and redirect the user back to the application, appending the token to the query string.  The application will then take this token and validate it with the CAS server, and then obtain the NetId of the user who wishes to use the application.  At this point, the application would associate the user with this session (we do this by placing the Assertion in the session).  Since the user has been authenticated there would be no reason to keep validating a ticket (plus its impossible since STs are one time use).  This object in session tells the application the user has already been authenticated and there is no reason to redirect them to CAS for authentication.

-Scott

On 9/19/06, Velpi <[EMAIL PROTECTED]> wrote:
> I guess the designer's purpose is taking off the pressure of CAS
> server, but it make security issue.  Above code means the assertion is
> always validate regardless the ST in ticket cache is expired or not
> unless session is timeout. Another issue is the LogoutAction in CAS
> server side should callback to invalidate the session.
>
> My proposal is put the ST in session and validate every time in order
> to keep the security works.

You can only validate an ST once (normally), so you need to store something
*else* (in session) to create a useful security context. The assertion is only
stored (in the session) when the validation has succeeded. Since nobody else is
supposed to be able to mess with the server-side-session this should not cause a
security problem.

[please correct me if I'm wrong]

-- Velpi
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to