-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Wed, Feb 27, 2013 at 9:46 AM, Marvin Addison <marvin.addi...@gmail.com> wrote:
> A colleague reported an issue where an application intended for forced
> authentication actually allowed the user to bypass reauthentication by
> stripping off the renew parameter in the URL and refreshing. I
> suspected an application misconfiguration, and indeed the validation
> filter did not have renew=true configured as required for correct
> behavior.
>
> While it was a trivial fix, the risk merits some consideration. It's
> easy for a CAS integrator to expect renew is working correctly since
> the application redirects to CAS as expected; however, the intended
> behavior is easily bypassed. That's the worst kind of security
> problem: false sense of security.
>
> Here are some options in order of descending preference:
>
> * Prevent misconfiguration by requiring renew to be specified as a
> context parameter exclusively, where it would apply to all filters
> that need it.

In this instance, what would happen if someone did configure it at the filter level? Throw an exception?

Cheers,
Scott

> * Throw an exception on startup.
> * Log a prominent WARN message.
> * Add a prominent note to the wiki.
>
> M
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as:
> scott.battag...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
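The misconfiguration discussed in this thread, as an added illustration that is not the Jasig CAS client's own code: a hypothetical servlet filter (`RenewAwareValidationFilter`, with assumed parameter names `renew` and `casServerValidateUrl`) that reads `renew` only from the servlet context (Marvin's first option), aborts startup with an exception if `renew` is also set as a filter init-param (the case Scott asks about), logs a WARN when renew is off (the third option), and always appends `renew=true` to the ticket validation request when it is on, so that CAS rejects service tickets that were not issued after fresh credentials even if the user strips `renew` from the login URL.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CAS 2.0 ticket validation filter (not the Jasig client) in which
 * the "renew" flag is fail-safe: it comes from the servlet context only, a
 * per-filter value is a startup error, and renew=true is sent on validation.
 */
public class RenewAwareValidationFilter implements Filter {

    static final String RENEW_PARAM = "renew";                 // assumed context-param name
    static final String VALIDATE_URL_PARAM = "casServerValidateUrl"; // assumed context-param name

    private String casValidateUrl;   // e.g. https://cas.example.org/cas/serviceValidate (placeholder)
    private boolean renew;

    @Override
    public void init(FilterConfig config) throws ServletException {
        ServletContext ctx = config.getServletContext();

        // A filter-level "renew" cannot silently disagree with the context: refuse to start.
        if (config.getInitParameter(RENEW_PARAM) != null) {
            throw new ServletException("'" + RENEW_PARAM + "' must be a <context-param>, not an "
                + "init-param of filter " + config.getFilterName());
        }
        renew = Boolean.parseBoolean(ctx.getInitParameter(RENEW_PARAM));
        casValidateUrl = ctx.getInitParameter(VALIDATE_URL_PARAM);
        if (casValidateUrl == null) {
            throw new ServletException(VALIDATE_URL_PARAM + " context-param is required");
        }
        if (!renew) {
            // Make the weaker mode visible at startup rather than discovered in an audit.
            ctx.log("WARN: " + RENEW_PARAM + " is not enabled; existing SSO sessions will be "
                + "accepted without forcing reauthentication");
        }
    }

    /** Builds the serviceValidate URL; renew=true is appended whenever renew is enabled. */
    String buildValidationUrl(String ticket, String service) {
        StringBuilder sb = new StringBuilder(casValidateUrl)
            .append("?ticket=").append(encode(ticket))
            .append("&service=").append(encode(service));
        if (renew) {
            sb.append("&renew=true");   // CAS will reject a ticket not issued from fresh credentials
        }
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String ticket = request.getParameter("ticket");
        if (ticket == null) {
            chain.doFilter(req, res);   // no ticket to validate; the authentication filter redirects
            return;
        }
        // The service value must match what was sent to /login; the request URL minus "ticket".
        String service = request.getRequestURL().toString();
        if (!validateWithCas(buildValidationUrl(ticket, service))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Minimal CAS 2.0 response check: success iff the body carries authenticationSuccess. */
    private boolean validateWithCas(String url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        try (InputStream in = conn.getInputStream()) {
            String body = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            return conn.getResponseCode() == 200 && body.contains("<cas:authenticationSuccess");
        }
    }

    private static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    @Override
    public void destroy() { }
}
```

The startup check answers Scott's question directly: a `renew` init-param on the filter is treated as a configuration error rather than an override, so the context value is the single source of truth for every filter that needs it. Note that `renew=true` must reach the validation request, not only the login redirect; it is the validation step that CAS enforces, which is exactly why the missing filter setting left the application open.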