I can remove it from the spec, but it’s definitely something for a CAS 3.x -> 4.x migration guide because it affects older clients…

On 12.03.2014 at 17:44, Jérôme LELEU <[email protected]> wrote:

> It's a good security reason because otherwise, I could trigger a logout with a hacked post-logout URL... The "service" parameter is indeed verified against the ticket registry.
>
> Do we need an update of the CAS 3.0 protocol?
>
> Best,
> Jérôme
>
> 2014-03-12 13:11 GMT+01:00 Scott Battaglia <[email protected]>:
> I believe we removed the url parameter by design (I'd have to search my email archives to find the exact reason, but I believe it was due to the fact that it wasn't run through the Services Management tool, so it basically became open).
>
> On Wed, Mar 12, 2014 at 6:47 AM, Jérôme LELEU <[email protected]> wrote:
> Hi,
>
> I took a look at the source code of the CAS server 4.0: I see the "service" parameter used
> (https://github.com/Jasig/cas/blob/master/cas-server-webapp-support/src/main/java/org/jasig/cas/web/flow/LogoutAction.java#L75),
> though I don't see anywhere the use of the "url" parameter: the screen.logout.redirect property
> (https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/resources/messages.properties#L53)
> is not used in the logout view, nor anywhere else I searched: am I missing something?
> Thanks.
> Best regards,
> Jérôme
>
> 2014-03-11 22:06 GMT+01:00 Robert Oschwald <[email protected]>:
> It was an extension added in CAS 3.x servers and will be covered in the new spec.
>
> Sent while mobile.
>
> On 11.03.2014 at 21:59, "McClenon, Brady" <[email protected]> wrote:
> >
> > It seems to work pre-CAS protocol 3.0....
> >
> > http://jasig.275507.n4.nabble.com/Redirect-after-logout-td254421.html
> >
> > -----Original Message-----
> > From: Robert Oschwald [mailto:[email protected]]
> > Sent: Tuesday, March 11, 2014 4:26 PM
> > To: [email protected]
> > Subject: Re: [cas-user] CAS protocol for logout
> >
> > That's a CAS protocol 3.0 feature which is described here (spec is not finally released yet):
> >
> > https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md
> >
> > Sent while mobile.
> >
> > On 11.03.2014 at 20:55, Tom Poage <[email protected]> wrote:
> >>
> >> Hello,
> >>
> >> The CAS protocol for logout says it takes an optional parameter 'url' as a +/- logout landing page.
> >>
> >> I just noticed on one of our sites the use of
> >>
> >> .../logout?service=...
> >>
> >> I was about to notify the site owners that this violated protocol (implying it wouldn't do what they thought it did), when I tried it myself, was logged out, and then redirected to the URL listed in the 'service' parameter.
> >>
> >> Undocumented feature? Is the protocol page out of date? Something else?
> >>
> >> Cf. http://www.jasig.org/cas/protocol
> >>
> >> Thanks.
> >> Tom.
> >>
> >> --
> >> You are currently subscribed to [email protected] as: [email protected]
> >> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
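The check the thread describes, as an added example written for this page and not code from the CAS project: the free-form `url` parameter is ignored entirely (Scott notes it never went through the Services Management tool, so it was an open redirect), and `service` is followed only when it matches an enabled registered service. The registry entries, patterns and function names below are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for the Services Management registry: each entry is a
# service id pattern (a regex here, as CAS registered services allow) plus an
# enabled flag. Hypothetical values, not a real CAS configuration.
REGISTERED_SERVICES = [
    {"serviceId": r"^https://app\.example\.org/.*", "enabled": True},
    {"serviceId": r"^https://legacy\.example\.org/.*", "enabled": False},
]


def find_registered_service(service_url):
    """Return the registry entry whose pattern matches service_url, else None."""
    for svc in REGISTERED_SERVICES:
        if re.match(svc["serviceId"], service_url):
            return svc
    return None


def logout_redirect_target(query_string, follow_service_redirects=True):
    """Decide where /logout may redirect once the session is destroyed.

    Mirrors the behaviour discussed in the thread: 'url' is never consulted
    (it bypassed the registry and so was an open redirect), and 'service' is
    honoured only when it matches an enabled registered service.
    Returns the target URL, or None to stay on the CAS logout page.
    """
    params = parse_qs(query_string)
    # 'url' is intentionally ignored: nothing under params["url"] can
    # influence the redirect, however it is encoded.
    service = params.get("service", [None])[0]
    if not follow_service_redirects or not service:
        return None
    svc = find_registered_service(service)
    if svc is None or not svc["enabled"]:
        # Unknown or disabled service: log out, but do not redirect.
        return None
    return service
```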
