I have tested it again and you are right. The reason why I saw this behavior is because I did the following:

1. Login to fake-cas.example.com ( http://fake-cas.example.com/cas ).
2. Go to cas.example.com; it didn't ask me to login and said I successfully logged in.
3. Then I go to app.example.com and it redirects me to cas.example.com BUT asks me to login.

I did 1 & 2 yesterday, which made me feel like there is a hole.

Now, I have another question. If I have set up app1.example.com to authenticate to cas1.example.com and app2.example.com to authenticate to cas2.example.com, and I configure cas1 and cas2 in a cluster, is it possible for me to login once ( either cas1 or cas2 ) and access both app1 and app2 ?

=================
Barrow Kwan
ThoughtWorks, Inc.

New from ThoughtWorks: Mingle, an Agile project management application. Mingle. Project Intelligence. Powerfully Simple. More at http://studios.thoughtworks.com

"Scott Battaglia" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/27/08 11:42 AM
Please respond to Yale CAS mailing list <[email protected]>
To: "Yale CAS mailing list" <[email protected]>
Subject: Re: Security concern with CAS cluster

If you've configured app.example.com to authenticate to cas.example.com, it's impossible for it to utilize the fake CAS server (because it would be explicitly configured to use cas.example.com). (My guess would be your cas.example.com session was still active.)

That said, your cookieDomain for your TicketGrantingTicket should be as restrictive as possible. It should use cas.example.com and not example.com. Exposing the cookie to more domains than necessary exposes your TGT to applications that should not have access to it.

Setting a max cookie age of -1 means that it's only valid for the duration of the browser session (i.e. until you completely exit the browser... though if you exit/restart quickly enough it may still be in there).

-Scott

On Jan 27, 2008 12:59 AM, Barrow H Kwan <[EMAIL PROTECTED]> wrote:

After I added "cookieDomain" in cas-servlet.xml under bean "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" ( e.g. with value="example.com" ), I can use a fake CAS server to authenticate ( e.g. use the sample username=password ) and access any other CAS server under the example.com domain.

Basically, if I have a production CAS server, cas.example.com, and an app, app.example.com: I connect to app.example.com, it redirects me to cas.example.com, then I login ( backend is LDAP ) and it lets me access app.example.com. Now I set up another CAS server called fake-cas.example.com ( with the cookieDomain set ) that uses username=password for authentication. I open my browser and go to fake-cas.example.com and login with username=password, then go to app.example.com, and it lets me in without logging in through cas.example.com. Is this a security hole, or is it because of my setting?

Also in the instructions at "http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS", the cookieMaxAge is -1. Does it mean the cookie will not expire at all?

=================
Barrow Kwan
ThoughtWorks, Inc.

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
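As an added illustration of Scott's point about cookieDomain (example configuration written for this page, not code from the thread or from the CAS project), here is the cas-servlet.xml fragment with the over-broad setting beside the restricted one. The bean class name and the Spring p-namespace property names (cookieName, cookiePath, cookieDomain, cookieSecure, cookieMaxAge) are assumed from CAS 3.x and Spring's CookieGenerator; check them against your own cas-servlet.xml. The hostnames are the ones used in the thread, and "before"/"after" are alternatives, not two beans to keep in one file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread or the CAS project. Class and property
     names are assumed from CAS 3.x / Spring CookieGenerator; verify locally. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- BEFORE (over-broad): cookieDomain="example.com" makes the browser send the
       CASTGC cookie to every host under example.com (app.example.com,
       fake-cas.example.com, ...), not only to the CAS server that issued it.
       Any host in that zone can therefore read the TGT. -->
  <!--
  <bean id="ticketGrantingTicketCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieName="CASTGC"
        p:cookiePath="/cas"
        p:cookieDomain="example.com"
        p:cookieSecure="true"
        p:cookieMaxAge="-1" />
  -->

  <!-- AFTER (restricted): scope the cookie to the CAS host itself. With a
       cluster, use the one shared name the browser actually connects to
       (assumed here: cas.example.com, fronted by a load balancer); a cookie
       scoped to an individual node name would only be sent to that node. -->
  <bean id="ticketGrantingTicketCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieName="CASTGC"
        p:cookiePath="/cas"
        p:cookieDomain="cas.example.com"
        p:cookieSecure="true"
        p:cookieMaxAge="-1" />   <!-- -1 = session cookie, dropped when the browser exits -->

  <!-- The warn cookie gets the same narrow domain scope. -->
  <bean id="warnCookieGenerator"
        class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
        p:cookieName="CASPRIVACY"
        p:cookiePath="/cas"
        p:cookieDomain="cas.example.com"
        p:cookieSecure="true"
        p:cookieMaxAge="-1" />

</beans>
```

A quick check after deploying: log in to CAS, then inspect the CASTGC cookie in the browser's cookie store. Its Domain should read cas.example.com (or your shared cluster name), it should be marked Secure, and it should show no expiry date, which is what cookieMaxAge="-1" produces.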
