Re: [cas-user] mod_auth_cas doesn't set AUTH_TYPE in script environment?

2021-04-21 Thread David Hawes
On Fri, 16 Apr 2021 at 16:48, Mark H. Wood  wrote:
>
> I'm tinkering with some test CGI scripts to prepare for a real
> project, and I noticed that a script protected by CAS doesn't get a
> value for AUTH_TYPE in its environment, whereas a similar location
> protected by one of the AuthType Basic does.  Am I doing something
> wrong?

No, mod_auth_cas simply does not set ap_auth_type. Does this cause you
any issue?

The attached patch against git master will set it if you'd like it to be set.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wAxe1tFY7gjkTsn6o5ATfW0%3D3eKMabpW77wZ%2BJjFEu98w%40mail.gmail.com.
diff --git a/src/mod_auth_cas.c b/src/mod_auth_cas.c
index 1791110..910cbe1 100644
--- a/src/mod_auth_cas.c
+++ b/src/mod_auth_cas.c
@@ -2196,6 +2196,7 @@ int cas_authenticate(request_rec *r)
 	if(c->CASPreserveTicket && (ticket != NULL) && (cookieString != NULL) && ap_is_initial_req(r) && isValidCASCookie(r, c, cookieString, , ) && (remoteUser != NULL)) {
 		cas_set_attributes(r, attrs);
 		r->user = remoteUser;
+		r->ap_auth_type = (char * ) "CAS";
 		set_http_headers(r, c, d, attrs);
 		if (c->CASDebug)
 			ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Passing sub-auth response through with ticket parameter intact");
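Review bot: the cast on the added line, `(char * ) "CAS"`, has a stray space and exists only to drop the const-ness of a string literal; write it `(char *) "CAS"`, or better assign the configured AuthType the way the httpd core auth modules do (`r->ap_auth_type = (char *) ap_auth_type(r);`), so the AUTH_TYPE exported to scripts is exactly the directive value that selected this module.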
@@ -2243,6 +2244,7 @@ int cas_authenticate(request_rec *r)
 setCASCookie(r, d->CASGatewayCookie, "TRUE", ssl, CAS_SESSION_EXPIRE_COOKIE_NOW, c->CASGatewayCookieDomain, c->CASCookieSameSite);
 			}
 			r->user = remoteUser;
+			r->ap_auth_type = (char * ) "CAS";
 			if(d->CASAuthNHeader != NULL)
 apr_table_set(r->headers_in, d->CASAuthNHeader, remoteUser);
 
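Review bot: the literal "CAS" is now assigned verbatim in three separate success paths; hoist it into one constant (a `#define` next to the module's other fixed strings) so the value set here cannot drift from the string the module compares the AuthType directive against, and so a future success path cannot forget to set it.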
@@ -2312,6 +2314,7 @@ int cas_authenticate(request_rec *r)
 
 		if(remoteUser) {
 			r->user = remoteUser;
+			r->ap_auth_type = (char * ) "CAS";
 			set_http_headers(r, c, d, attrs);
 			return OK;
 		} else {
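Review bot: the change is undocumented; since every path that assigns `r->user` now also exports AUTH_TYPE=CAS to CGI and sub-request environments, add a README/CHANGES note saying so (scripts that previously saw AUTH_TYPE unset under CAS will now see "CAS"), and mention that the `else` branch below, where `remoteUser` is NULL, deliberately leaves `ap_auth_type` unset because no user was established.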

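The practical consequence of the thread, as an added example that is not mod_auth_cas code: a CGI/WSGI-style gate that acts on REMOTE_USER only when AUTH_TYPE says which module authenticated the request. Without the patch above, a CAS-protected script sees no AUTH_TYPE and this gate rejects the request; with it, AUTH_TYPE is "CAS". The function names and the `allowed_types` parameter are assumptions of this example.

```python
"""Gate a CGI handler on the Apache authentication environment.

Added example (not part of mod_auth_cas): the script trusts REMOTE_USER only
when AUTH_TYPE names an expected authentication module.
"""
import os


def auth_context(environ):
    """Return (user, auth_type) from a CGI-style environment mapping.

    AUTH_TYPE is upper-cased here so the comparison below is case-insensitive;
    an absent or empty variable becomes None.
    """
    user = environ.get("REMOTE_USER") or None
    auth_type = (environ.get("AUTH_TYPE") or "").strip().upper()
    return user, (auth_type or None)


def require_auth(environ, allowed_types=("CAS",)):
    """Return (status, body) for the request.

    401 when no user was established at all, 403 when a user is present but
    the module that set it is unknown or not in allowed_types, 200 otherwise.
    """
    user, auth_type = auth_context(environ)
    if not user:
        return "401 Unauthorized", "no authenticated user\n"
    allowed = {t.upper() for t in allowed_types}
    if auth_type not in allowed:
        got = auth_type or "unknown"
        return "403 Forbidden", f"user {user} authenticated via {got}, not {sorted(allowed)}\n"
    return "200 OK", f"hello {user} (via {auth_type})\n"


def cgi_main():
    """Emit a CGI response using the real process environment."""
    status, body = require_auth(os.environ)
    print(f"Status: {status}")
    print("Content-Type: text/plain\n")
    print(body, end="")


if __name__ == "__main__":
    cgi_main()
```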

Re: [cas-user] CSRF protection for login page

2021-04-21 Thread Carl Waldbieser
Technically, that is not CSRF, but I understand the concern you have--
phisher captures the username/password on their own form, and then sends
the credentials on to the legitimate site so the user is none the wiser.

A nonce in this case wouldn't buy you too much if the user doesn't notice
they are at the wrong site.  Consider the attacker could just POST to her
own site then redirect to the real site, leaving the user thinking she just
entered a typo in the username or password.  Or the phisher could be
proxying the site, maybe using something like an sslstrip attack.  In all
those cases, if the user hasn't noticed she wound up on
https://evil-site-that-looks-like-your.net/ she may be fooled into giving
up her credentials.

A nonce is useful as CSRF protection in cases where you are already
authenticated to a site, so a bad actor can't trick you into doing
something that would normally require authentication.

Historically, I believe CAS used to have a "login ticket" which was a
nonce.  It dropped it somewhere between 3.x and 5.x, I believe.

Thanks,
Carl Waldbieser
ITS
Lafayette College


On Wed, Apr 21, 2021 at 5:24 AM Paul Roemer  wrote:

>
> Hey guys,
>
> we noticed that you can easily create your own login form with copied
> execution ID on any domain you might want to use for phishing attacks. As
> for the victim everything looks good (login is successful), detecting the
> attack is hard.
>
>
> Example form for the CAS demo server:
> (HTML form markup lost in extraction: a POST form whose action is
> https://casserver.herokuapp.com/cas/login, carrying a hidden execution field
> copied from the real login page, value 4966e50b-191f-45e1-bab2-22e6304447c7_…)
>
> Besides the CSRF issue, I also wonder why the same Spring Webflow
> execution ID can be used several times. Shouldn't the execution ID be
> deleted after reaching an end state of the flow?
>
> Cheers,
>   Paul
>



[cas-user] CAS 6.3 WS-FED Dependency Issue

2021-04-21 Thread Juan Quintanilla
Hi Everyone,

We are testing out CAS 6.3 and while adding the different dependencies we are 
noticing that after starting up CAS it doesn't seem to generate the keystores 
or service files for ws-fed.  We added the dependency cas-server-support-ws-idp 
to our gradle build and we see the different library files, and after adding the 
fields to our cas.properties file we can also reach the /ws/sts endpoint.

For some reason the /ws/idp/metadata endpoint is not found, nor are the 
keystores being generated.  We have configured other protocols and have had no 
problem, but for some reason we can't get the ws-idp to work. We also have the 
SAML2 dependency configured; not sure if this would conflict.  Has anyone 
encountered a similar issue?

Thanks!

___
Juan Quintanilla



[cas-user] SPNEGO breaks CAS 6.4.0-RC2

2021-04-21 Thread Louis Chanouha
Hello,
I'm trying the 6.4.0 version and I noticed a problem since 6.4.0-RC2 (no 
problem with RC1).

When I add 
compile "org.apereo.cas:cas-server-support-spnego-webflow:${casServerVersion}"
or 
implementation "org.apereo.cas:cas-server-support-spnego-webflow:${casServerVersion}"
to build.gradle, the CAS server starts but does nothing (exiting at an early stage 
without errors).

The problem can be reproduced on a clean project (see below).

Has anyone successfully tested SPNEGO on 6.4.0 >= RC2?

Louis

# git clone https://github.com/apereo/cas-overlay-template.git
# cd cas-overlay-template/
# git diff
diff --git a/build.gradle b/build.gradle
index 89791ab..b4a2e01 100644
--- a/build.gradle
+++ b/build.gradle
@@ -82,6 +82,7 @@ dependencies {
}
// CAS dependencies/modules may be listed here statically...
implementation "org.apereo.cas:cas-server-webapp-init:${casServerVersion}"
+ implementation 
"org.apereo.cas:cas-server-support-spnego-webflow:${casServerVersion}"
}

tasks.findByName("jibDockerBuild")
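Review bot: the added dependency line appears split in two (`+ implementation` and then the `"org.apereo.cas:cas-server-support-spnego-webflow:${casServerVersion}"` string on its own line), which Groovy would not read as one statement if it were really committed that way; confirm that in the actual build.gradle it is a single indented line, `implementation "org.apereo.cas:cas-server-support-spnego-webflow:${casServerVersion}"`, formatted like the `cas-server-webapp-init` line directly above it, so that the mail wrapping is not mistaken for the cause of the early exit.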
# ./docker-build.sh
# ./docker-run.sh
9bb043d0ce95aaea0fdbdcfb9b500d14d4ec09672bf23c7d2734870f4bf18466


(APEREO CAS ASCII-art startup banner)


CAS Version: 6.4.0-SNAPSHOT
CAS Branch: master
CAS Commit Id: 6e29bc0001e3c304375efc5f8cbb04918d8f8691
CAS Build Date/Time: 2021-04-20T06:52:58Z
Spring Boot Version: 2.4.5
Spring Version: 5.3.6
Java Home: /opt/java/openjdk
Java Vendor: AdoptOpenJDK
Java Version: 11.0.10
JVM Free Memory: 229 MB
JVM Maximum Memory: 2 GB
JVM Total Memory: 303 MB
OS Architecture: amd64
OS Name: Linux
OS Version: 4.15.0-136-generic
OS Date/Time: 2021-04-21T12:23:16.417336
OS Temp Directory: /tmp

Apache Tomcat Version: Apache Tomcat/9.0.45



2021-04-21 12:23:16,470 INFO 
[org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator] 
- 
2021-04-21 12:23:16,687 INFO [org.apereo.cas.web.CasWebApplication] - 
# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9bb043d0ce95 apereo/cas:v6.4.0-SNAPSHOT "java -server -nover…" About a minute ago Exited (1) About a minute ago cas



[cas-user] Is it a problem with excludedAuthenticationHandlers in 6.3.x or something else?

2021-04-21 Thread artur miś
Dears,

I have two websites where users can authenticate via CAS, so there are 2 
registered services.
Two handlers are in LDAP.

1.

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https|imaps)://a.1/.*",
  "name" : "a1",
  "id" : 1,
  "evaluationOrder" : 0,
  "theme" : "nextor",
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["aut1"]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", ["aut2"]]
  }
}


2.


{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(http|https|imaps)://a.2/.*",
  "name" : "a2",
  "id" : 2,
  "evaluationOrder" : 0,
  "theme" : "nextor",
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["aut1","auth2"]]
  }
}


A user had been authenticated on website 2 with credentials from auth2; after 
this the user tried to authenticate on website 1, with success.
I don't know why he is able to authenticate via CAS on website 1, since I have 
excluded auth2.
Additionally, if the user tries logging into web service 1 first, he can't 
authenticate with credentials taken from auth2, so this seems to be OK.
I want to avoid the situation where the user is authenticated in service 1 after he 
has been authenticated on website 2.
On the other hand, I believe that is possible using the SSO mechanism for auth1, 
which is in both services.



[cas-user] CSRF protection for login page

2021-04-21 Thread Paul Roemer

Hey guys,

we noticed that you can easily create your own login form with copied 
execution ID on any domain you might want to use for phishing attacks. As 
for the victim everything looks good (login is successful), detecting the 
attack is hard.


Example form for the CAS demo server:
(HTML form markup lost in extraction: a POST form whose action is 
https://casserver.herokuapp.com/cas/login, carrying a hidden execution field 
copied from the real login page)


Besides the CSRF issue, I also wonder why the same Spring Webflow execution 
ID can be used several times. Shouldn't the execution ID be deleted after 
reaching an end state of the flow?

Cheers,
  Paul
