Hi,

I found out that inside the service management interface it's possible
to determine which services are participating in the single sign-on
process, which helps restrict services.

 

Thanks,

Gustavo

 

________________________________

From: Gustavo Hartmann 
Sent: 26 February 2009 10:41
To: [email protected]
Subject: [cas-user] CAS authenticating any service once one successful
authentication happens

 

Hi there,

I'm new to CAS so my question may sound silly. I have the CAS 3.3.1
package deployed on Tomcat 6.0.18, Java 1.6.0_06 and an Ubuntu JEOS
8.04.1 VM. Everything seems to work fine: I can ask CAS to log in on
behalf of a service using the provided
SimpleTestUsernamePasswordAuthenticationHandler authentication handler
and CAS returns me a ticket. I can even simulate the whole workflow
described on the CAS walkthrough wiki without a problem.

 

I then CAS-ified a PHP application we have using the phpCAS client. It
works fine but there's something odd going on: it lets me get the user
details even when I sign in with a completely different service URL.
Here is an example:

 

CAS server URL: https://cas-sso.dev:8443/cas/

PHP Service URL: https://tsg-portal.dev/cas

Random service: https://random.dev/service.php

 

I go to the browser and ask for a ticket for the Random service:
https://cas-sso.dev:8443/cas/login?service=https://random.dev/service.php
I then log in using a username and password and CAS forwards me to the
random service with a ticket appended to the URL, so far so good.

 

I now open another tab and type https://tsg-portal.dev/. My application
has a filter which intercepts the call and checks using PHPCAS whether I
got a valid ticket already. It then tells me that I have an ST or PT and
that there is no need to authenticate. Here's the PHPCAS debug dump:

 

D1BA .START ****************** [CAS.php:414]
D1BA .=> phpCAS::client('2.0', 'cas-sso.dev', 8443, 'cas/') [actions.class.php:134]
D1BA .|    => CASClient::CASClient('2.0', false, 'cas-sso.dev', 8443, 'cas/', true) [CAS.php:315]
D1BA .|    |    Session ID: ST446sg0mQxTeTxBtgrK4Tmcasssodev
D1BA .|    |    => CASClient::getURL() [client.php:517]
D1BA .|    |    <= 'https://tsg-portal.dev/cas'
D1BA .|    |    ST or PT 'ST-4-46sg0mQxTeTxBtgrK4Tm-cas-sso.dev' found [client.php:594]
D1BA .|    <= ''
D1BA .<= ''
D1BA .=> phpCAS::setNoCasServerValidation() [actions.class.php:137]
D1BA .<= ''
D1BA .=> phpCAS::forceAuthentication() [actions.class.php:140]
D1BA .|    => CASClient::forceAuthentication() [CAS.php:911]
D1BA .|    |    => CASClient::isAuthenticated() [client.php:686]
D1BA .|    |    |    => CASClient::wasPreviouslyAuthenticated() [client.php:791]
D1BA .|    |    |    |    no user found [client.php:895]
D1BA .|    |    |    <= false
D1BA .|    |    |    PT `ST-4-46sg0mQxTeTxBtgrK4Tm-cas-sso.dev' is present [client.php:812]
D1BA .|    |    |    => CASClient::validatePT('', NULL, NULL) [client.php:813]
D1BA .|    |    |    |    => CASClient::getURL() [client.php:396]
D1BA .|    |    |    |    <= 'https://tsg-portal.dev/cas'
D1BA .|    |    |    |    => CASClient::readURL('https://cas-sso.dev:8443/cas/proxyValidate?service=https%3A%2F%2Ftsg-portal.dev%2Fcas&ticket=ST-4-46sg0mQxTeTxBtgrK4Tm-cas-sso.$
D1BA .|    |    |    |    <= true
D1BA .|    |    |    <= true
D1BA .|    |    |    PT `ST-4-46sg0mQxTeTxBtgrK4Tm-cas-sso.dev' was validated [client.php:814]
D1BA .|    |    <= true
D1BA .|    |    no need to authenticate [client.php:688]
D1BA .|    <= true
D1BA .|    no need to authenticate (user `admin' is already authenticated) [CAS.php:925]
D1BA .<= ''

 

I find this strange; I'm not sure I should be able to get details for a
user authenticated under a completely different service URL.

Am I missing something?

 

Thanks in advance,

Gustavo
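The behaviour discussed in this thread, as an added example that is not CAS's or phpCAS's own code: a small Python model of the CAS login and validation endpoints in front of a service registry. It shows why the second browser tab got in without a password prompt (the TGC cookie identifies an existing SSO session) while still receiving a fresh service ticket bound to its own service URL, and how a registry restricts which services take part: an unregistered service URL is refused at login, and an entry with SSO disabled forces re-authentication. The registry fields, the glob-pattern matching, the ticket formats, the password check and the hr.dev entry are assumptions made for the illustration, not the CAS 3.3.1 implementation.

```python
from __future__ import annotations

import fnmatch
import itertools
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Service URLs taken from the thread
PORTAL = "https://tsg-portal.dev/cas"
RANDOM = "https://random.dev/service.php"


@dataclass
class RegisteredService:
    # Assumption: a glob over the service URL stands in for the pattern a real
    # CAS registry entry carries; the other fields mirror the registry's intent.
    service_id: str
    enabled: bool = True
    sso_enabled: bool = True   # False: always prompt for credentials again


@dataclass
class CasServer:
    registry: List[RegisteredService]
    tgts: Dict[str, str] = field(default_factory=dict)             # TGT -> user
    sts: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ST -> (TGT, service)
    counter: itertools.count = field(default_factory=itertools.count, repr=False)

    def lookup(self, service: str) -> Optional[RegisteredService]:
        """First enabled registry entry whose pattern matches the service URL."""
        for rs in self.registry:
            if rs.enabled and fnmatch.fnmatch(service, rs.service_id):
                return rs
        return None

    def login(self, service: str, tgc: Optional[str] = None,
              credentials: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
        """Model of /login?service=...: returns (TGC cookie value, service ticket).

        An unregistered service is refused outright; a registered one reuses the
        caller's SSO session (TGC) unless its entry has SSO disabled.
        """
        rs = self.lookup(service)
        if rs is None:
            raise PermissionError("service not registered: " + service)
        if tgc in self.tgts and rs.sso_enabled:
            tgt = tgc
        else:
            if credentials is None:
                raise PermissionError("credentials required")
            user, password = credentials
            if password != "password":   # constructed stand-in for a real handler
                raise PermissionError("bad credentials")
            tgt = "TGT-" + secrets.token_hex(8)
            self.tgts[tgt] = user
        st = "ST-%d-%s" % (next(self.counter), secrets.token_hex(6))
        self.sts[st] = (tgt, service)   # the ST is bound to this service URL
        return tgt, st

    def validate(self, service: str, ticket: str) -> Optional[str]:
        """Model of /serviceValidate: single use, and the service must match."""
        entry = self.sts.pop(ticket, None)
        if entry is None:
            return None
        tgt, issued_for = entry
        if issued_for != service:
            return None
        return self.tgts.get(tgt)


def demo() -> dict:
    """Replays the thread's two-tab scenario, then the registry restrictions."""
    cas = CasServer(registry=[
        RegisteredService("https://tsg-portal.dev/*"),
        RegisteredService("https://random.dev/*"),
        RegisteredService("https://hr.dev/*", sso_enabled=False),  # constructed entry
    ])
    out = {}
    # Tab 1: interactive login for the random service gives an SSO session and an ST
    tgc, st_random = cas.login(RANDOM, credentials=("admin", "password"))
    out["random_user"] = cas.validate(RANDOM, st_random)
    # Tab 2: the portal sends the browser to /login with the TGC; no password
    # prompt, but the ST it gets back is a new one issued for the portal URL
    _, st_portal = cas.login(PORTAL, tgc=tgc)
    out["portal_user"] = cas.validate(PORTAL, st_portal)
    out["replay"] = cas.validate(PORTAL, st_portal)          # already consumed
    _, st_portal2 = cas.login(PORTAL, tgc=tgc)
    out["wrong_service"] = cas.validate(RANDOM, st_portal2)  # bound to the portal
    try:
        cas.login("https://evil.dev/x", tgc=tgc)
        out["unregistered"] = "allowed"
    except PermissionError:
        out["unregistered"] = "refused"
    try:
        cas.login("https://hr.dev/app", tgc=tgc)
        out["sso_disabled"] = "allowed"
    except PermissionError as exc:
        out["sso_disabled"] = str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point to take from the model is that the phpCAS dump above is not a ticket leaking across services: the ticket validated for tsg-portal.dev was issued for tsg-portal.dev, and the only thing shared between the two tabs is the SSO session behind the TGC cookie. Limiting that sharing is a registry decision, which is what the service management interface controls.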

 


