> I would think that the correct implementation would walk the proxy chain
> and look up the parent registered service (i.e. the proxying service) and
> check _its_ allowedToProxy field. Thoughts?
I think you’re right. The ticketGrantingTicket is assumed to be a TGT and the check probably doesn’t work correctly when it’s a PGT. The solution you propose works for me. I’ll run a few more tests to confirm this, but it seems like the potential bug is also present for 3.5.x.

From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: Monday, April 6, 2015 8:35 AM
To: cas-dev@lists.jasig.org
Subject: [cas-dev] CAS-1019 Proxy Authz

I believe we've run into a bug introduced by CAS-1019 [1]. The following code snippet may be useful to reference in further discussion:

    //CAS-1019
    final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
    if (authns.size() > 1) {
        if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
            final String message = String.format(
                    "ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
                    service.getId(), registeredService.toString());
            logger.warn(message);
            throw new UnauthorizedProxyingException(message);
        }
    }

This check appears to be enforcing proxy authorization on the _proxied_ service, which afaict is wrong. I believe the intent is to prevent the _proxying_ service from distributing proxy tickets when the allowedToProxy flag is disabled in the service manager, but this check as written effectively requires the proxied service to have proxy authorization as well. I would think that the correct implementation would walk the proxy chain and look up the parent registered service (i.e. the proxying service) and check _its_ allowedToProxy field. Thoughts?

Here's a log entry from a failed proxy ticket request:

    2015-04-03 09:36:13,304 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceManagement: Service Attempted to Proxy, but is not allowed. Service: [https://foo.cc.vt.edu:8443/jbpm-console] | Registered Service: [id=6754887993499616,name=VT Catchall,description=<null>,serviceId=^https://([A-Za-z0-9_-]+\.)+vt\.edu(:\d+)?/.*,usernameAttribute=<null>,attributes={A,B,C},<null>]

That's a failed proxy ticket request because foo.cc.vt.edu is not allowed to proxy, but it shouldn't need that authorization because it's not proxying. In other words the parent proxying service is set allowedToProxy=true, but the check is being enforced on the child. That is incorrect by my understanding.

M

[1] https://issues.jasig.org/browse/CAS-1019

--
You are currently subscribed to cas-dev@lists.jasig.org as: mmoay...@unicon.net
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
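As an added illustration of the distinction discussed in this thread (not code from CAS or from either poster), the Java below models the ticket chain with a hypothetical Ticket record and a hypothetical service registry, and places the quoted check beside the proposed one that walks the chain and consults the proxying service's flag. The proxying service id and the registry contents are constructed; only the foo.cc.vt.edu target comes from the thread.

```java
import java.util.Map;

public class ProxyAuthzCheck {
    // Hypothetical minimal model of the ticket chain: a login TGT has no granting
    // ticket; a PGT records the service that obtained it (proxiedBy) and its parent.
    record Ticket(String proxiedBy, Ticket grantingTicket) {}

    // Hypothetical service registry (constructed): service id -> allowedToProxy flag.
    static final Map<String, Boolean> REGISTRY = Map.of(
            "https://portal.example.edu/app", true,            // proxying service, allowed to proxy
            "https://foo.cc.vt.edu:8443/jbpm-console", false); // proxied target, catchall-style entry

    // The check as quoted from CAS-1019: once the chain is longer than one, it
    // requires allowedToProxy on the *requested* (proxied) service.
    static boolean buggyCheck(String requestedService, Ticket tgt) {
        int chainLength = 1;
        for (Ticket t = tgt; t.grantingTicket() != null; t = t.grantingTicket()) {
            chainLength++;
        }
        return chainLength <= 1 || REGISTRY.getOrDefault(requestedService, false);
    }

    // Proposed fix: walk the proxy chain and require allowedToProxy on every
    // *proxying* service along the way; the requested service's flag is irrelevant.
    static boolean fixedCheck(Ticket tgt) {
        for (Ticket t = tgt; t.grantingTicket() != null; t = t.grantingTicket()) {
            String proxier = t.proxiedBy();
            if (proxier == null || !REGISTRY.getOrDefault(proxier, false)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Ticket loginTgt = new Ticket(null, null);
        Ticket pgt = new Ticket("https://portal.example.edu/app", loginTgt);
        String target = "https://foo.cc.vt.edu:8443/jbpm-console";
        // Scenario from the thread: parent may proxy, child may not.
        System.out.println("quoted check allows request: " + buggyCheck(target, pgt)); // false
        System.out.println("proposed check allows request: " + fixedCheck(pgt));      // true
        // A PGT obtained by a service that is not allowed to proxy is still rejected.
        Ticket badPgt = new Ticket(target, loginTgt);
        System.out.println("proposed check on unauthorized proxier: " + fixedCheck(badPgt)); // false
    }
}
```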