Re: [cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-31 Thread Alejandro Rodriguez

Hello,

I totally agree with you. I see it as a problem, more so when applications are often developed with frameworks that have these basic bugs.
I would suggest that CAS developers use information from the client's environment (e.g. source IP, browser type, etc.) that will be associated with the TGT in some way, so that if an attacker does NOT have the same client environment, the cookie in their possession will not work. Although I also think that the attackers may try to replicate that environment to enter. A greeting.

Ale.

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e2c585e0-f0bc-4d9a-98e1-a7fde675a13d%40apereo.org.


Re: [cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-31 Thread Yan Zhou
Hello,

By default, the TGC cookie does _not_ have HttpOnly. If the app (using CAS for authentication) has an XSS vulnerability, someone could inject JS, read the TGC cookie and submit it to the CAS server; even though it is encrypted and signed, the CAS server will not know this TGC cookie is from an attacker. Is that not an issue?

Granted, there may be little an attacker could do; I guess he could request a service ticket for his app, now that he has the TGC cookie?

Thx!
Yan

On Fri, Mar 31, 2017 at 2:25 AM, Alejandro Rodriguez wrote:

>
> Misagh, thank you very much for the clarification. I will try to file an issue as you advise me, although I never have. Again, thank you very much.
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFSoZemWs%3DEXP5YWr6_fVqBTVPPcy1CR1fzAcRPdzN6r1kVwsg%40mail.gmail.com.


Re: [cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-30 Thread Alejandro Rodriguez


Misagh, thank you very much for the clarification. I will try to file an issue as you advise me, although I never have. Again, thank you very much.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7513216f-2088-4c4e-b973-e385d37d99b7%40apereo.org.


Re: [cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-30 Thread Misagh Moayyed
 
 
> My environment is CAS overlay 5.0.3.1 with Tomcat 8.0 and Java 1.8, and I do
> not understand how it is possible that the TGC cookie cannot be officially
> configured as httponly. I have tested the embedded environment with the same
> result. Am I doing something wrong?

No, you’re not doing anything wrong. The httponly support went into CAS around 
the release of CAS 4, and at the time, given backward compatibility concerns, the 
flag was optionally configured down at the XML level, and CAS reflectively 
tried to decide if the container/spec had support for httpOnly and only set the 
flag if the condition held. Of course, this was documented somewhere.

In 5, the setting (and the default value of ‘true’) for the flag were skipped 
for no good reason. You’re welcome to file an issue for this.

>  
> In my humble opinion I understand it as a great security problem for a 
> Single Sign On. Could someone tell me if I'm right?

You’re certainly right; however, note that the SSO cookie is both signed and 
encrypted, and its value is in many ways tied to your deployment. Any tampering 
with the cookie would/should be rejected, and attackers need to know the 
password pair to even begin the tampering. Unless you have turned those 
settings off, there is no security “problem”; just a small improvement to 
harden the configuration, for which you’re welcome to submit a request. 



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.58dcf2ce.2886ccd1.77cc%40unicon.net.


[cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-30 Thread Alejandro Rodriguez


Hi, I have the same question. My environment is CAS overlay 5.0.3.1 with Tomcat 
8.0 and Java 1.8, and I do not understand how it is possible that the TGC cookie 
cannot be officially configured as httponly. I have tested the embedded 
environment with the same result. Am I doing something wrong?
In my humble opinion I understand it as a great security problem for a 
Single Sign On. Could someone tell me if I'm right? Thank you so much.




On Thursday, March 9, 2017 at 16:49:07 (UTC+1), Yan Zhou wrote:
>
>
> I added the httpOnly flag in the XML, that worked for me. Does this 
> solution sound right?
>
> <bean class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
>   c:casCookieValueManager-ref="cookieValueManager"
>   p:cookieHttpOnly="true" ... />
>
>
>
> On Thursday, March 9, 2017 at 10:21:48 AM UTC-5, Yan Zhou wrote:
>>
>> Hi there, 
>>
>> I have a CAS 4.1.X overlay, servlet API version 3 in POM.xml, and CAS 
>> running on tomcat7. 
>>
>> I observed that the TGC cookie is set to Secure, but NOT httpOnly.  Tomcat7 
>> defaults to HttpOnly for the session cookie but it does not know about the CAS TGC 
>> cookie, so the CAS web app's session cookie has HttpOnly set, but the TGC 
>> cookie does not.
>>
>> The source code in CookieRetrievingCookieGenerator.java shows that CAS would 
>> set HttpOnly if "RememberMe" is on.
>>
>> Am I missing something? Shouldn't the TGC cookie always have HttpOnly on at all 
>> times? This URL explains how to customize CAS to do that. But I am 
>> wondering why this would require customization. 
>>
>> http://daodecode.com/2013/03/25/castgc-cookie-and-httponly-flag/
>>
>> Thx!
>> Yan
>>
>> public void addCookie(final HttpServletRequest request, final HttpServletResponse response, final String cookieValue) {
>>     final String theCookieValue = this.casCookieValueManager.buildCookieValue(cookieValue, request);
>>
>>     if (!StringUtils.hasText(request.getParameter(RememberMeCredential.REQUEST_PARAMETER_REMEMBER_ME))) {
>>         // Not a remember-me login: delegate cookie construction to the parent CookieGenerator
>>         super.addCookie(response, theCookieValue);
>>     } else {
>>         // Remember-me login: build the cookie here with the remember-me max-age
>>         final Cookie cookie = createCookie(theCookieValue);
>>         cookie.setMaxAge(this.rememberMeMaxAge);
>>         if (isCookieSecure()) {
>>             cookie.setSecure(true);
>>         }
>>         if (isCookieHttpOnly()) {
>>             // Cookie.setHttpOnly only exists from Servlet 3.0 on, so look it up reflectively
>>             final Method setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
>>             if (setHttpOnlyMethod != null) {
>>                 cookie.setHttpOnly(true);
>>             } else {
>>                 logger.debug("Cookie cannot be marked as HttpOnly; container is not using servlet 3.0.");
>>             }
>>         }
>>         response.addCookie(cookie);
>>     }
>> }
>>
>>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/400a01aa-b557-420c-94e1-449646a1a5a5%40apereo.org.


[cas-user] Re: CAS 4.1.x TGC cookie not set to HTTPOnly with Servlet 3 API

2017-03-09 Thread Yan Zhou

I added the httpOnly flag in the XML, that worked for me. Does this solution 
sound right?


> Hi there, 
>
> I have a CAS 4.1.X overlay, servlet API version 3 in POM.xml, and CAS 
> running on tomcat7. 
>
> I observed that the TGC cookie is set to Secure, but NOT httpOnly.  Tomcat7 
> defaults to HttpOnly for the session cookie but it does not know about the CAS TGC 
> cookie, so the CAS web app's session cookie has HttpOnly set, but the TGC 
> cookie does not.
>
> The source code in CookieRetrievingCookieGenerator.java shows that CAS would 
> set HttpOnly if "RememberMe" is on.
>
> Am I missing something? Shouldn't the TGC cookie always have HttpOnly on at all 
> times? This URL explains how to customize CAS to do that. But I am 
> wondering why this would require customization. 
>
> http://daodecode.com/2013/03/25/castgc-cookie-and-httponly-flag/
>
> Thx!
> Yan
>
> public void addCookie(final HttpServletRequest request, final HttpServletResponse response, final String cookieValue) {
>     final String theCookieValue = this.casCookieValueManager.buildCookieValue(cookieValue, request);
>
>     if (!StringUtils.hasText(request.getParameter(RememberMeCredential.REQUEST_PARAMETER_REMEMBER_ME))) {
>         // Not a remember-me login: delegate cookie construction to the parent CookieGenerator
>         super.addCookie(response, theCookieValue);
>     } else {
>         // Remember-me login: build the cookie here with the remember-me max-age
>         final Cookie cookie = createCookie(theCookieValue);
>         cookie.setMaxAge(this.rememberMeMaxAge);
>         if (isCookieSecure()) {
>             cookie.setSecure(true);
>         }
>         if (isCookieHttpOnly()) {
>             // Cookie.setHttpOnly only exists from Servlet 3.0 on, so look it up reflectively
>             final Method setHttpOnlyMethod = ReflectionUtils.findMethod(Cookie.class, "setHttpOnly", boolean.class);
>             if (setHttpOnlyMethod != null) {
>                 cookie.setHttpOnly(true);
>             } else {
>                 logger.debug("Cookie cannot be marked as HttpOnly; container is not using servlet 3.0.");
>             }
>         }
>         response.addCookie(cookie);
>     }
> }
>
>

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4ffe7293-67ca-4bf6-be35-345614a1d005%40apereo.org.
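A quick way to verify what Yan observed (Secure present, HttpOnly absent on the TGC while the container's JSESSIONID has both) is to audit the Set-Cookie headers of a captured CAS response. The Python check below is an added example, not code from the thread or from CAS itself; the raw response it parses is a constructed sample with made-up cookie values, and the `TGC` and `JSESSIONID` names follow the thread.

```python
"""Audit Set-Cookie flags in a captured HTTP response (added example)."""

# Constructed sample of a CAS response after login, as `curl -i` or the
# browser's network panel would show it; cookie values are made up.
RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://app.example.org/\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3D4E5F6; Path=/cas; Secure; HttpOnly\r\n"
    "Set-Cookie: TGC=constructed-opaque-value==; Path=/cas; Secure\r\n"
    "\r\n"
)

# Flags every CAS SSO cookie should carry; the thread is about HttpOnly.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def set_cookie_values(raw_response):
    """Return the value of every Set-Cookie header in the response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.splitlines()
            if line.lower().startswith("set-cookie:")]


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=x' into (name, value, {attr: x or True})."""
    first, *rest = [p.strip() for p in value.split(";")]
    # partition on the first '=' only: cookie values may themselves contain '='
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:  # skip the empty part a trailing ';' produces
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value, attrs


def audit_cookies(raw_response, required=REQUIRED_FLAGS):
    """Map each cookie name to the list of required flags it is missing."""
    report = {}
    for value in set_cookie_values(raw_response):
        name, _, attrs = parse_set_cookie(value)
        report[name] = [f for f in required if f.lower() not in attrs]
    return report


if __name__ == "__main__":
    for name, missing in audit_cookies(RAW_RESPONSE).items():
        print(f"{name}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Paste the head of a real response (from `curl -i` or the browser's network panel) into `RAW_RESPONSE` to audit your own deployment; the TGC is only set after a successful login, so capture the response to the login POST.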