Are you using the JASIG CAS Client for Java 3.1 also? Can you post your configuration?
-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Thu, Jan 15, 2009 at 4:23 PM, Adam Moore <[email protected]> wrote:

> I have had the same issues when casifying Drupal. It's impossible to do
> it at will, but the user they log in as is usually the last user that
> had logged in. I would love to get a final solution and the security
> implications are very high.
>
> Adam
>
> Jim Stoll wrote:
> > For those CAS-ifying Confluence via the JASIG CAS client for Java 3.1
> > (as per instructions here:
> > http://www.ja-sig.org/wiki/display/CASC/Configuring+Confluence+with+JASIG+CAS+Client+for+Java+3.1),
> > has anyone ever experienced the situation where users get into
> > Confluence as the wrong user?
> >
> > The basic scenario is:
> > 1. User makes initial request to https://wiki.our.site/dashboard.action,
> > and is taken to our 'public' wiki page (ie, unauthenticated users can
> > see the initial dashboard page)
> > 2. User clicks the 'Log In' link from the Confluence dashboard page
> > 3. User is redirected to the CAS login page
> > 4. User enters their own username and password and logs in through CAS
> > 5. User is taken into Confluence as another user entirely (ie, the
> > Dashboard shows the wrong user name, and the user is in another user's
> > permission scheme - can see content they shouldn't see, and can't see
> > content they should see)
> >
> > I am currently unable to reproduce the problem at will, but we have had
> > two users experience this in the past week (that we're aware of, I
> > suspect there have probably been other occurrences we're not aware of,
> > though I have yet to find a way to identify this type of situation in
> > the logs). In the two cases I'm aware of, the 'wrong' user that the
> > person was authenticated into Confluence as, had never previously been
> > on the client machine that experienced the problem. (just FYI). We have
> > other applications that are CAS-ified (mixture of PHP and Java clients),
> > and we haven't yet seen this behavior on those.
> >
> > I'd appreciate any help, insight or advice, as this is a pretty serious
> > situation for us.
> >
> > Thanks!
> >
> > Jim
> >
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
