I believe we've run into a bug introduced by CAS-1019 [1]. The following
code snippet may be useful to reference in further discussion:
    // CAS-1019: proxy policy check inside the proxy ticket grant path
    final List<Authentication> authns =
        ticketGrantingTicket.getChainedAuthentications();
    // More than one chained authentication means this TGT is a proxy-granting ticket
    if (authns.size() > 1) {
        // Note: registeredService here is the service the proxy ticket is requested for
        if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
            final String message = String.format(
                "ServiceManagement: Proxy attempt by service [%s] "
                + "(registered service [%s]) is not allowed.",
                service.getId(), registeredService.toString());
            logger.warn(message);
            throw new UnauthorizedProxyingException(message);
        }
    }
This check appears to be enforcing proxy authorization on the _proxied_
service, which afaict is wrong. I believe the intent is to prevent the
_proxying_ service from distributing proxy tickets when the allowedToProxy
flag is disabled in the service manager, but this check as written
effectively requires the proxied service to have proxy authorization as
well. I would think that the correct implementation would walk the proxy
chain and look up the parent registered service (i.e. the proxying service)
and check _its_ allowedToProxy field. Thoughts?
Here's a log entry from a failed proxy ticket request:
2015-04-03 09:36:13,304 WARN
[org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceManagement:
Service Attempted to Proxy, but is not allowed. Service: [
https://foo.cc.vt.edu:8443/jbpm-console] | Registered Service:
[id=6754887993499616,name=VT Catchall,description=<null>,serviceId=^https://
([A-Za-z0-9_-]+\.)+vt\.edu(:\d+)?/.*,usernameAttribute=<null>,attributes={A,B,C},<null>]
That's a failed proxy ticket request because foo.cc.vt.edu is not allowed
to proxy, but it shouldn't need that authorization because it's not
proxying. In other words the parent proxying service is set
allowedToProxy=true, but the check is being enforced on the child. That is
incorrect by my understanding.
M
[1] https://issues.jasig.org/browse/CAS-1019
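Added example, not CAS code: a small model of the two policies described above, with stand-in types and a constructed registry (the service ids and names are hypothetical). It contrasts the check as written, which looks up the proxied (target) service, with a check that walks the proxy chain and looks up each proxying service's allowedToProxy flag.

```java
import java.util.List;
import java.util.Map;

/** Stand-ins for the CAS types in the report (hypothetical, not the CAS API). */
public class ProxyPolicyCheck {
    record RegisteredService(String name, boolean allowedToProxy) {}

    // Constructed sample registry, keyed by service id.
    static final Map<String, RegisteredService> REGISTRY = Map.of(
        "https://portal.example.edu/proxyCallback", new RegisteredService("Portal", true),
        "https://foo.example.edu:8443/jbpm-console", new RegisteredService("Catchall", false));

    /**
     * A proxy ticket request: proxyChain holds the principal ids of the chained
     * authentications after the user's own login (each one is a proxying
     * service's callback URL); target is the service the proxy ticket is for.
     */
    record ProxyRequest(List<String> proxyChain, String target) {}

    /** The check as written: enforces allowedToProxy on the proxied (target) service. */
    static boolean allowedAsWritten(ProxyRequest req) {
        if (req.proxyChain().isEmpty()) return true; // authns.size() == 1: no proxying
        RegisteredService target = REGISTRY.get(req.target());
        return target != null && target.allowedToProxy();
    }

    /** The proposed check: every proxying service in the chain must be allowed to proxy. */
    static boolean allowedOnProxyingService(ProxyRequest req) {
        for (String proxyingId : req.proxyChain()) {
            RegisteredService proxying = REGISTRY.get(proxyingId);
            if (proxying == null || !proxying.allowedToProxy()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Portal (allowed to proxy) asks for a proxy ticket to jbpm-console (not allowed).
        ProxyRequest req = new ProxyRequest(
            List.of("https://portal.example.edu/proxyCallback"),
            "https://foo.example.edu:8443/jbpm-console");
        // The first check rejects this request because it consults the target's flag;
        // the second accepts it because only the proxying service's flag matters.
        System.out.println("as written: " + allowedAsWritten(req));
        System.out.println("on proxying service: " + allowedOnProxyingService(req));
    }
}
```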