If you've configured app.example.com to authenticate to cas.example.com, it's
impossible for it to utilize the fake CAS server (because it would be
explicitly configured to use cas.example.com). (My guess would be your
cas.example.com session was still active.)

That said, your cookieDomain for your TicketGrantingTicket should be as
restrictive as possible. It should use cas.example.com and not example.com.
Exposing the cookie to more domains than necessary exposes your TGT to
applications that should not have access to it.

Setting a max cookie age of -1 means that it's only valid for the duration of
the browser session (i.e. until you completely exit the browser...though if
you exit/restart quickly enough it may still be in there).

-Scott

On Jan 27, 2008 12:59 AM, Barrow H Kwan <[EMAIL PROTECTED]> wrote:

>
> After I added "cookieDomain" in cas-servlet.xml under bean
> "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" ( eg  with
> value="example.com" ).  I can use a fake CAS server to authenticate ( eg
> use the sample username=password ) and access any other CAS server under the
> example.com domain.
>
> Basically, if I have a production CAS server,  cas.example.com and an app,
> app.example.com.  I connect to app.example.com, it redirect me to
> cas.example.com, then I login ( backend is LDAP ) and it let me access
> app.example.com.   Now I setup another CAS server called
> fake-cas.example.com ( with the cookieDomain set ) that use
> username=password for authentication.  I open my browser and go to
> fake-cas.example.com and login with username=password.  then go to
> app.example.com, it let me in without login through cas.example.com.
>
> Is this a security hole or is it because of my setting?  Also, in the
> instruction "http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS",
> the cookieMaxAge is -1; does it mean the cookie will not expire at all?
>
>
>
> =================
> Barrow Kwan
> ThoughtWorks, Inc.
>
> New from ThoughtWorks: Mingle, an Agile project management application.
> Mingle. Project Intelligence. Powerfully Simple.
> More at http://studios.thoughtworks.com
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
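The following is an added example, not code from this thread or from the CAS project, that makes Scott's two points concrete using Python's standard-library cookie jar as a stand-in for the browser. It plants a CASTGC cookie from a hypothetical rogue host (fake-cas.example.com) with Domain=example.com versus Domain=cas.example.com and reports which hosts would later receive it, and it checks whether a Set-Cookie header with no Max-Age (what a servlet container emits for cookieMaxAge=-1) produces a session-only cookie. The host names, the cookie values and the Set-Cookie headers are constructed for the demonstration; the cookie name CASTGC and the /cas path follow the CAS 3.x defaults.

```python
"""Cookie Domain scoping for the CAS ticket-granting cookie (CASTGC).

Constructed example: the Set-Cookie headers below are written by hand to look
like what a CAS 3.x server behind Spring's CookieGenerator would send; they are
not captured from a real deployment.  http.cookiejar applies the same
Netscape/RFC 6265-style domain matching rules a browser does.
"""
import email.message
import http.cookiejar
import urllib.request

# Hypothetical hosts from the thread: the real CAS server, an application
# that uses it, and a rogue CAS server run by the attacker under the same
# parent domain.
HOSTS = ("cas.example.com", "app.example.com", "fake-cas.example.com")


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def receive_cookie(jar, issuing_url, set_cookie):
    """Store a cookie in ``jar`` as if a response from ``issuing_url`` carried it.

    The jar's policy rejects the cookie outright if ``issuing_url``'s host is
    not inside the Domain attribute, exactly as a browser would.
    """
    request = urllib.request.Request(issuing_url)
    jar.extract_cookies(_Response([set_cookie]), request)


def cookies_sent_to(jar, url):
    """Return the Cookie header the browser would attach to a request for ``url``."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def tgc_exposure(issuer_host, cookie_domain):
    """Plant a CASTGC from ``issuer_host`` scoped to ``cookie_domain``.

    Returns, per host in HOSTS, whether a later HTTPS request to that host's
    /cas/login would carry the cookie.  A wide Domain (example.com) means every
    sibling host sees the TGT; a narrow one (cas.example.com) means only the
    real CAS server does, and a sibling host cannot even plant it.
    """
    jar = http.cookiejar.CookieJar()
    receive_cookie(
        jar,
        f"https://{issuer_host}/cas/login",
        f"CASTGC=TGT-1-demo; Domain={cookie_domain}; Path=/cas; Secure",
    )
    return {
        host: "CASTGC=" in cookies_sent_to(jar, f"https://{host}/cas/login")
        for host in HOSTS
    }


def is_session_cookie(set_cookie):
    """True if the cookie carries no Expires/Max-Age, i.e. it is discarded
    when the browser session ends (what cookieMaxAge=-1 produces)."""
    jar = http.cookiejar.CookieJar()
    receive_cookie(jar, "https://cas.example.com/cas/login", set_cookie)
    cookie = next(iter(jar))
    return cookie.discard and cookie.expires is None


if __name__ == "__main__":
    # Weak setting from the thread: Domain=example.com set by the rogue host.
    print("Domain=example.com, planted by fake-cas:",
          tgc_exposure("fake-cas.example.com", "example.com"))
    # Corrected setting: the rogue host cannot scope a cookie to cas.example.com.
    print("Domain=cas.example.com, planted by fake-cas:",
          tgc_exposure("fake-cas.example.com", "cas.example.com"))
    # Corrected setting as issued by the real CAS server: only it receives the TGT.
    print("Domain=cas.example.com, planted by cas:",
          tgc_exposure("cas.example.com", "cas.example.com"))
    print("no Max-Age is a session cookie:", is_session_cookie(
        "CASTGC=TGT-2-demo; Domain=cas.example.com; Path=/cas; Secure"))
```

Note that the Path attribute is kept at /cas only to mirror the CAS default; the Domain attribute is what decides which hosts can read or plant the cookie, since any host under example.com can serve a /cas path of its own.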