Re: [cas-dev] Easy to Misconfigure Forced Authentication in Java CAS Client

2013-02-27 Thread Marvin Addison
> Seems reasonable to me. Do you want to do the JIRA and the pull request?

Sure. Jira below and pull request with fix to follow.

https://issues.jasig.org/browse/CASC-204

M

Re: [cas-dev] Easy to Misconfigure Forced Authentication in Java CAS Client

2013-02-27 Thread Marvin Addison
> I feel like this relates to the idea of configuring the Java CAS Client via
> a .properties file, and going further, making the .properties file the
> *only* way to configure it, retiring the complexity of init params declared
> at various layers of the web.xml?

Agreed and I'm totally in favor o

Re: [cas-dev] Easy to Misconfigure Forced Authentication in Java CAS Client

2013-02-27 Thread Scott Battaglia
Seems reasonable to me. Do you want to do the JIRA and the pull request?

On Wed, Feb 27, 2013 at 9:55 AM, Marvin Addison wrote:
>
>> * Prevent misconfiguration by requiring renew to be specified as a
>> context parameter exclusively, where it would apply to all filters
>> that need it.
>
>

Re: [cas-dev] Easy to Misconfigure Forced Authentication in Java CAS Client

2013-02-27 Thread Andrew Petro
I feel like this relates to the idea of configuring the Java CAS Client via a .properties file, and going further, making the .properties file the *only* way to configure it, retiring the complexity of init params declared at various layers of the web.xml? Then it would presumably be a single prop

Re: [cas-dev] Easy to Misconfigure Forced Authentication in Java CAS Client

2013-02-27 Thread Marvin Addison
>> * Prevent misconfiguration by requiring renew to be specified as a
>> context parameter exclusively, where it would apply to all filters
>> that need it.
>
>
> In this instance, what would happen if someone did configure it at the
> filter level? Throw an exception?

Seems reasonable. I believe

Re: [cas-dev] Easy to Misconfigure Forced Authentication in Java CAS Client

2013-02-27 Thread Scott Battaglia
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Wed, Feb 27, 2013 at 9:46 AM, Marvin Addison wrote:
> A colleague reported an issue where an application intended for forced
> authentication actually allowed the user to bypass reauthentication

[cas-dev] Easy to Misconfigure Forced Authentication in Java CAS Client

2013-02-27 Thread Marvin Addison
A colleague reported an issue where an application intended for forced authentication actually allowed the user to bypass reauthentication by stripping off the renew parameter in the URL and refreshing. I suspected an application misconfiguration, and indeed the validation filter did not have renew