We've actually fixed this issue in the CAS4 code-base. I'm not sure how easy it would be to backport since it's a different code-base though.
On Tue, Oct 20, 2009 at 1:23 PM, pschmidt <pschm...@ingenuity.com> wrote:
> Hello there,
>
> We have successfully been using CAS on a beta application using CAS 3.3.1. We implemented a custom authenticationHandler to authenticate a user against our oracle database and a custom CredentialsToPrincipalResolver to read in a user's roles and put the attributes in the Authentication object. In addition we use Spring Security which ties in nicely with CAS using the spring-security-cas beans.
>
> Everything is fine until you get to RememberMe. I was looking at the code and the problem I see is that when the TGT is created it stores the authentication object in the ticket registry and uses that data for rememberMe until the rememberMe expires. So if anything about the users changes in our Oracle DB, CAS will not know about it until the next time the TGT is created. This is quite dangerous as an admin may have removed a user from a role since the TGT was created and using rememberMe CAS will not know about it.
>
> Are there any plans to enhance RememberMe so that we can tell it to fetch the user attributes from our authenticationHandler every time it creates a service ticket? It would be nice if the custom credential resolver could be invoked with the principalId where we can re-read the user from the database just based on the principalId and no need for the password. Then CAS would need to update the ticket registry with the new Authentication data. This way any changes to the user in the oracle DB can be refreshed in CAS.
>
> Otherwise RememberMe is quite dangerous especially our 2-week period.
>
> Hopefully this makes sense. If not I can provide some code snippets of what I'd like to see done in the CentralAuthenticationServiceImpl class, specifically the grantServiceTicket method.
>
> Thanks much
>
> Paul Schmidt
> Ingenuity Systems
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: scott.battag...@gmail.com
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
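The refresh step the quoted message asks for, as an added illustration that is not part of this thread and not CAS code: a stand-alone Java program in which the service-ticket grant for a remember-me session re-reads the principal's roles by id (no password) from the user store, writes the fresh Authentication back into the ticket registry, and revokes the TGT when the account has disappeared. Every type here (Principal, Authentication, TicketGrantingTicket, PrincipalRefresher, DirectoryStub, RefreshingTicketService) is a hypothetical stand-in with the same names as the ideas in the thread; the real CAS 3.3 classes and the CentralAuthenticationServiceImpl.grantServiceTicket signature differ.

```java
import java.util.*;

/** Hypothetical stand-in for a CAS principal with its role attributes (not the CAS class). */
final class Principal {
    final String id;
    final Set<String> roles;
    Principal(String id, Set<String> roles) {
        this.id = id;
        this.roles = Collections.unmodifiableSet(new TreeSet<>(roles)); // defensive copy
    }
}

/** Hypothetical stand-in for the Authentication object cached in the ticket registry. */
final class Authentication {
    final Principal principal;
    final long authenticatedAt;
    Authentication(Principal principal, long authenticatedAt) {
        this.principal = principal;
        this.authenticatedAt = authenticatedAt;
    }
}

/** Re-reads a user by principal id only; the password is never needed for a refresh. */
interface PrincipalRefresher {
    Principal refresh(String principalId); // null when the account no longer exists
}

final class TicketGrantingTicket {
    final String id;
    final boolean rememberMe;
    Authentication authentication; // replaced in place when the principal is refreshed
    TicketGrantingTicket(String id, boolean rememberMe, Authentication authentication) {
        this.id = id;
        this.rememberMe = rememberMe;
        this.authentication = authentication;
    }
}

final class ServiceTicket {
    final String service;
    final Set<String> roles;
    ServiceTicket(String service, Set<String> roles) { this.service = service; this.roles = roles; }
}

/** The grant step with the refresh inserted before a service ticket is issued. */
final class RefreshingTicketService {
    private final Map<String, TicketGrantingTicket> registry = new HashMap<>();
    private final PrincipalRefresher refresher;
    private int counter = 0;

    RefreshingTicketService(PrincipalRefresher refresher) { this.refresher = refresher; }

    String createTicketGrantingTicket(Principal p, boolean rememberMe, long now) {
        String id = "TGT-" + (++counter);
        registry.put(id, new TicketGrantingTicket(id, rememberMe, new Authentication(p, now)));
        return id;
    }

    ServiceTicket grantServiceTicket(String tgtId, String service) {
        TicketGrantingTicket tgt = registry.get(tgtId);
        if (tgt == null) throw new IllegalStateException("unknown TGT " + tgtId);
        if (tgt.rememberMe) { // long-lived session: never trust the roles cached at login
            Principal fresh = refresher.refresh(tgt.authentication.principal.id);
            if (fresh == null) {
                registry.remove(tgtId); // account gone, so the remembered session dies with it
                throw new IllegalStateException("principal no longer exists; TGT " + tgtId + " revoked");
            }
            // Keep the original authentication time, swap in the current attributes.
            tgt.authentication = new Authentication(fresh, tgt.authentication.authenticatedAt);
        }
        return new ServiceTicket(service, tgt.authentication.principal.roles);
    }

    Set<String> cachedRoles(String tgtId) { return registry.get(tgtId).authentication.principal.roles; }
}

/** Constructed stand-in for the Oracle user/role tables; the data below is made up. */
final class DirectoryStub implements PrincipalRefresher {
    final Map<String, Set<String>> rolesByUser = new HashMap<>();
    public Principal refresh(String id) {
        Set<String> roles = rolesByUser.get(id);
        return roles == null ? null : new Principal(id, roles);
    }
}

public class RememberMeRefreshDemo {
    public static void main(String[] args) {
        DirectoryStub dir = new DirectoryStub();
        dir.rolesByUser.put("pschmidt", new HashSet<>(Arrays.asList("ROLE_USER", "ROLE_ADMIN")));
        RefreshingTicketService cas = new RefreshingTicketService(dir);

        // Remember-me login: the TGT caches the roles as they are at this moment.
        String tgt = cas.createTicketGrantingTicket(dir.refresh("pschmidt"), true, 0L);
        System.out.println("cached at login:        " + cas.cachedRoles(tgt));

        // An admin later removes the role; the TGT is still alive for the remember-me period.
        dir.rolesByUser.get("pschmidt").remove("ROLE_ADMIN");
        ServiceTicket st = cas.grantServiceTicket(tgt, "https://app.example/");
        System.out.println("service ticket roles:   " + st.roles);
        System.out.println("registry after refresh: " + cas.cachedRoles(tgt));

        // The account is deleted: the next grant revokes the TGT instead of issuing a ticket.
        dir.rolesByUser.remove("pschmidt");
        try { cas.grantServiceTicket(tgt, "https://app.example/"); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Two points the message touches on are worth keeping in mind when wiring something like this into a real deployment: the refresh is one user-store read per service ticket for every remember-me session, so a cache with a short TTL may be needed under load, and the refreshed Authentication must actually be written back to the ticket registry (a distributed registry needs an explicit update, not just a field assignment on a local copy), otherwise the next grant starts again from the stale roles.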