After I added "cookieDomain" in cas-servlet.xml under the beans "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" (e.g. with value="example.com"), I can use a fake CAS server to authenticate (e.g. using the sample username=password) and access any other CAS server under the example.com domain.

Basically, if I have a production CAS server, cas.example.com, and an app, app.example.com: I connect to app.example.com, it redirects me to cas.example.com, then I log in (the backend is LDAP) and it lets me access app.example.com. Now I set up another CAS server called fake-cas.example.com (with the cookieDomain set) that uses username=password for authentication. I open my browser, go to fake-cas.example.com and log in with username=password, then go to app.example.com, and it lets me in without logging in through cas.example.com. Is this a security hole, or is it because of my settings?

Also, in the instructions at "http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS", the cookieMaxAge is -1. Does it mean the cookie will not expire at all?

=================
Barrow Kwan
ThoughtWorks, Inc.
New from ThoughtWorks: Mingle, an Agile project management application. Mingle. Project Intelligence. Powerfully Simple. More at http://studios.thoughtworks.com
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
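As an added illustration (not part of the original message or of CAS itself), this Python script uses the standard library's browser-like cookie policy to show what cookieDomain changes: a TGT cookie set by one host under example.com is presented to every host under example.com, whereas the default host-only cookie is returned only to the host that set it. The host names, the cookie name CASTGC and the cookie value are constructed for the demo.

```python
# Added example (not from the original post or from CAS): models how a
# browser scopes the CAS ticket-granting-ticket cookie with and without a
# shared cookieDomain. Host names, cookie name and value are constructed.
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only needs info()."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def tgt_cookie_presented_to(issuer_url, cookie_domain, target_url):
    """Return True if a TGT cookie set by issuer_url is sent to target_url.

    cookie_domain=None models the CAS default (no Domain attribute, so the
    cookie is host-only); "example.com" models cookieDomain="example.com".
    No Max-Age is set, which is what Servlet setMaxAge(-1) produces: a
    session cookie that lives until the browser closes, not forever.
    """
    jar = http.cookiejar.CookieJar()  # default policy mimics a browser
    header = "CASTGC=TGT-constructed-placeholder; Path=/cas; Secure"
    if cookie_domain:
        header += f"; Domain={cookie_domain}"
    # The issuing CAS server's login response stores the cookie in the jar.
    jar.extract_cookies(FakeResponse(header), urllib.request.Request(issuer_url))
    # The browser now builds a request to the target host.
    req = urllib.request.Request(target_url)
    jar.add_cookie_header(req)
    return req.has_header("Cookie") and "CASTGC=" in req.get_header("Cookie")


ISSUER = "https://fake-cas.example.com/cas/login"
PROD_CAS = "https://cas.example.com/cas/login"

if __name__ == "__main__":
    # Host-only cookie: the production CAS server never receives it.
    print("default     :", tgt_cookie_presented_to(ISSUER, None, PROD_CAS))
    # Domain=example.com: a cookie set by any host under example.com is
    # presented to cas.example.com, so every such host is inside the
    # trust boundary of the TGT cookie.
    print("cookieDomain:", tgt_cookie_presented_to(ISSUER, "example.com", PROD_CAS))
```

Whether the production server then accepts a ticket it did not issue depends on how the servers share ticket state, which this script does not model.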
