I think you're right. It should throw an error if the principals don't
match and force you to log in again. Not sure how the configuration got put
into Confluence wrong.
-Scott
On Jan 21, 2008 12:52 PM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
> Can't rely on me, sorry, I don't really know what I'm doing yet.
> I found that if a user has already authenticated with CAS (say, via
> mod_auth_cas), and then revisits the CAS server via an OpenID relying party,
> the CAS server will verify any URL.
>
> I guessed that this is because the Principals are different (so "error" in
> the openIdSingleSignOnAction), and so "ticketGrantingTicketExistsCheck",
> which will exist as a user has already authenticated (?). I'm not familiar
> with webflow though, so I don't know if the problem is further on down,
> e.g., "renewRequestCheck".
>
> Anyway, eventually the user should probably re-authenticate
> ("viewLoginForm") if the Principals are different. Also, all the other
> "error"s in login-webflow.xml are "viewLoginForm".
>
> Cheers,
> Kevin
>
>
> On 21 Jan 2008, at 16:30, Scott Battaglia wrote:
>
> You're definitely right about the incorrect
> CredentialsToPrincipalResolver. I've updated our wiki about that. I can't
> recall the other thing off the top of my head and I'm not set up to test it
> right now. I'm guessing you have?
>
> -Scott
>
> On Jan 21, 2008 10:52 AM, Sewell K H (LCSS) <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> >
> > I've read and followed http://www.ja-sig.org/wiki/display/CASUM/OpenID.
> >
> > I'm a bit of a noob, so could you confirm that this:
> >
> > <action-state id="openIdSingleSignOnAction">
> >     <action bean="openIdSingleSignOnAction" />
> >     <transition on="success" to="sendTicketGrantingTicket" />
> >     <transition on="error" to="ticketGrantingTicketExistsCheck" />
> >     <transition on="warn" to="warn" />
> > </action-state>
> >
> > is supposed to be, or is more properly:
> >
> > <action-state id="openIdSingleSignOnAction">
> >     <action bean="openIdSingleSignOnAction" />
> >     <transition on="success" to="sendTicketGrantingTicket" />
> >     <transition on="error" to="viewLoginForm" />
> >     <transition on="warn" to="warn" />
> > </action-state>
> >
> > and this:
> >
> > <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
> >
> > is supposed to be:
> >
> > <bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsToPrincipalResolver" />
> >
> > Thanks,
> > Kevin
> >
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
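
Added example, not part of the thread and not CAS project code: a small check that applies Kevin's observation (every other "error" transition in login-webflow.xml goes to "viewLoginForm") to a flow definition and reports any action-state whose "error" transition goes elsewhere. The sample flow is constructed; its first state is the wiki version quoted above, and the second state, its bean name, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample flow. The first state is the wiki version quoted in the
# thread; the second state and its bean name are hypothetical.
SAMPLE_FLOW = """\
<flow>
  <action-state id="openIdSingleSignOnAction">
    <action bean="openIdSingleSignOnAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="ticketGrantingTicketExistsCheck" />
    <transition on="warn" to="warn" />
  </action-state>
  <action-state id="exampleFormSubmit">
    <action bean="exampleFormAction" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
  </action-state>
</flow>
"""


def local_name(tag):
    """Drop an XML namespace prefix so namespaced flow files are handled too."""
    return tag.rsplit("}", 1)[-1]


def audit_error_transitions(flow_xml, expected="viewLoginForm"):
    """Return (state id, target) for every action-state whose "error"
    transition goes anywhere other than `expected`."""
    findings = []
    for state in ET.fromstring(flow_xml).iter():
        if local_name(state.tag) != "action-state":
            continue
        for child in state:
            if (local_name(child.tag) == "transition"
                    and child.get("on") == "error"
                    and child.get("to") != expected):
                findings.append((state.get("id"), child.get("to")))
    return findings


if __name__ == "__main__":
    for state_id, target in audit_error_transitions(SAMPLE_FLOW):
        print(f'{state_id}: on="error" goes to {target}, not viewLoginForm')
```

To check a deployed flow, pass the contents of its login-webflow.xml to audit_error_transitions() in place of SAMPLE_FLOW.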