This appears to only affect the /cas/samlValidate endpoint. /cas/validate and /cas/serviceValidate both properly refuse to validate the ticket. I do not have an environment set up to properly test proxy validation.
Chad Killingsworth
Assistant Director of Web & New Media
Missouri State University

From: Dickison, Lynn E [mailto:lynndicki...@missouristate.edu]
Sent: Monday, August 11, 2014 3:00 PM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] Ticket Validation Succeeds Against Services With Different Protocols

Here are log entries for this case:

From localhost_access_log...

146.7.130.142 - - [11/Aug/2014:14:48:48 -0500] "GET /cas/login?service=https%3A%2F%2Fckillingsworth2.missouristate.edu%2Ftestcasapp HTTP/1.1" 200 5422
146.7.130.142 - - [11/Aug/2014:14:48:53 -0500] "POST /cas/login?service=https%3A%2F%2Fckillingsworth2.missouristate.edu%2Ftestcasapp HTTP/1.1" 302 -
146.7.130.142 - - [11/Aug/2014:14:48:59 -0500] "POST /cas/samlValidate?TARGET=http%3a%2f%2fckillingsworth2.missouristate.edu%2ftestcasapp HTTP/1.1" 200 2064

From cas.log:

2014-08-11 14:48:53,829 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZVJ45whjWQCXrJQVHVmd-abbott] for service [https://ckillingsworth2.missouristate.edu/testcasapp] for user [chk790]
2014-08-11 14:48:53,830 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: chk790
WHAT: ST-1-ZVJ45whjWQCXrJQVHVmd-abbott for https://ckillingsworth2.missouristate.edu/testcasapp
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Aug 11 14:48:53 CDT 2014
CLIENT IP ADDRESS: 146.7.130.142
SERVER IP ADDRESS: 146.7.13.70
=============================================================
2014-08-11 14:48:59,579 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-ZVJ45whjWQCXrJQVHVmd-abbott
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Mon Aug 11 14:48:59 CDT 2014
CLIENT IP ADDRESS: 146.7.130.142
SERVER IP ADDRESS: 146.7.13.70
=============================================================

Lynn Dickison
Senior Enterprise Systems Administrator
Missouri State University

From: Killingsworth, Chad A [mailto:chadkillingswo...@missouristate.edu]
Sent: Monday, August 11, 2014 12:09 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] Ticket Validation Succeeds Against Services With Different Protocols

This behavior was observed in CAS Server 3.5.2

SCENARIO

Given two service configurations in CAS:

1 - https://mysite.mydomain.com/pathtoapp
2 - http://*.mydomain.com/

A ticket is generated for a service via the following URL:

https://casserver.mydomain.com/cas/login?service=https%3A%2F%2Fmysite.mydomain.com%2Fpathtoapp

The ticket is then validated via SAML with the following URL:

https://casserver.mydomain.com/cas/samlValidate?TARGET=http%3A%2F%2Fmysite.mydomain.com%2Fpathtoapp

The ticket validation succeeds with the SAML attributes defined by configuration #2. However, because the service URLs differed on protocol, the ticket validation should have been refused.

COMPLICATING FACTORS:

This issue was caused because the CAS application was behind a hardware load balancer where SSL traffic is terminated on the hardware and all communication to the server is HTTP. It was a programming error in a custom client, but the CAS Server should have rejected the ticket validation.

The CAS Servers are also load balanced and replicated.

I'm currently working on procuring logs from a reproduction case. I'll post them shortly.
Chad Killingsworth
Assistant Director of Web & New Media
Missouri State University

--
You are currently subscribed to cas-user@lists.jasig.org as: lynndicki...@missouristate.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
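A small model of the two checks at issue in the scenario above, added here as an example and not CAS code: the registry lookup (which configuration governs the target URL) and the ticket-binding check (was this ticket granted for exactly this URL, scheme included). The service patterns follow the scenario; the attribute lists and ticket format are constructed, and CAS's own pattern matcher is replaced by fnmatch.

```python
import fnmatch
import secrets
from urllib.parse import urlparse

# Registered services from the scenario. Attribute lists are constructed; a
# trailing "/" in a pattern is treated as "this prefix and anything below it".
REGISTERED_SERVICES = [
    {"id": 1, "pattern": "https://mysite.mydomain.com/pathtoapp", "attrs": ["uid"]},
    {"id": 2, "pattern": "http://*.mydomain.com/", "attrs": ["uid", "mail"]},
]
TICKETS = {}  # ticket id -> (user, service URL the ticket was granted for)

def find_registered_service(url):
    """Registry check: which configuration governs this URL? First match wins."""
    for svc in REGISTERED_SERVICES:
        pat = svc["pattern"]
        if fnmatch.fnmatchcase(url, pat + "*" if pat.endswith("/") else pat):
            return svc
    return None

def grant_service_ticket(user, service):
    """/cas/login: issue a one-time ticket bound to the exact service URL."""
    if find_registered_service(service) is None:
        raise ValueError("service not registered")
    ticket = "ST-" + secrets.token_urlsafe(12)  # simplified ticket format
    TICKETS[ticket] = (user, service)
    return ticket

def canonical(url):
    """Components that must agree for two URLs to be the same service."""
    u = urlparse(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port, u.path, u.query)

def validate_lax(ticket, target):
    """The behaviour reported for /cas/samlValidate: the target is checked against
    the registry only, never against the service the ticket was granted for."""
    user, _issued_for = TICKETS.pop(ticket, (None, None))
    svc = find_registered_service(target)
    if user is None or svc is None:
        return None
    return {"user": user, "service_id": svc["id"], "attrs": svc["attrs"]}

def validate_strict(ticket, target):
    """The check /cas/serviceValidate makes and samlValidate should: the ticket
    must have been granted for this exact target, so attributes come from
    the configuration the ticket was bound to, not whatever the target matches."""
    user, issued_for = TICKETS.pop(ticket, (None, None))
    if user is None or canonical(issued_for) != canonical(target):
        return None  # unknown, already used, or bound to a different service
    svc = find_registered_service(issued_for)
    return {"user": user, "service_id": svc["id"], "attrs": svc["attrs"]}
```

Note that both validators consume the ticket on the first attempt, so a rejected validation cannot be retried with a corrected target; the client must obtain a new ticket.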