Service Ticket Validation


Gokhan Mansuroglu

Jan 5, 2017, 7:14:13 AM
to CAS Community
Hi,

I have an additional requirement for the CAS protocol. I will simplify the protocol just to explain my case:

1. Client tries to access https://app.example.com
2. Browser redirected to https://cas.example.com/cas/login?service=https://app.example.com
3. User authenticates with username and password and is redirected to https://app.example.com?ticket=ST-xxx
4. The app sends a validation request and gets the authentication information.

Let's say you want to be able to use the service ticket multiple times. Then whoever has the link https://app.example.com?ticket=ST-xxx can successfully log in to the application, which results in a very risky situation.

What is your solution to this problem?

Thank you very much.

Ray Bon

Jan 5, 2017, 11:50:03 AM
to cas-...@apereo.org
Gokhan,

Are you asking how to reuse a ST or are you asking how to prevent someone reusing a ST?

I will answer the second. ST lifetime is short (10 seconds by default, I think). Once a ST has been submitted to CAS for validation (step 4 below) or ticket lifetime has passed, CAS will mark the ST as expired and it can no longer be used.

Ray
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d127cbd1-49cb-4f4c-bb81-72899fd1af16%40apereo.org.

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE C023 | rb...@uvic.ca

Gokhan Mansuroglu

Jan 5, 2017, 12:05:48 PM
to CAS Community, rb...@uvic.ca
I am asking how to prevent someone reusing a ST from a different client IP.

On Thursday, 5 January 2017 at 19:50:03 UTC+3, Ray Bon wrote:

Andrew Morgan

Jan 5, 2017, 12:21:17 PM
to CAS Community, rb...@uvic.ca
As defined by the CAS protocol, Service Tickets can only be validated
once. They cannot be reused.

Andy

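To make Ray's and Andy's point concrete, here is a small in-memory model of how a CAS server tracks service tickets. This is added example code, not Apereo CAS source: the class and method names are invented here, but the two policy knobs mirror the settings the thread goes on to discuss (number of uses and time to kill). It walks through the scenario from the first post: once the legitimate application validates the ST, a second validation of the same ticket (someone who captured the ?ticket=ST-xxx link) is rejected, unless the number of uses is raised above 1.

```python
"""In-memory model of CAS service-ticket (ST) expiration, added to illustrate
the replies above.  This is example code, not Apereo CAS source: the class and
method names are invented here, but the two policy knobs mirror the CAS
settings the thread goes on to discuss (number of uses, time to kill)."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str        # service URL the ST was issued for
    principal: str      # the authenticated user
    created_at: float
    uses_left: int


class TicketRegistry:
    """Issues and validates STs with a CAS-like expiration policy."""

    def __init__(self, number_of_uses: int = 1, time_to_kill: float = 10.0,
                 clock=time.monotonic):
        # Defaults mirror CAS: an ST is valid for one use and 10 seconds.
        self.number_of_uses = number_of_uses
        self.time_to_kill = time_to_kill
        self.clock = clock          # injectable so tests can fake time
        self._tickets: dict[str, ServiceTicket] = {}

    def grant_service_ticket(self, principal: str, service: str) -> str:
        ticket_id = "ST-" + secrets.token_urlsafe(16)   # 128 bits of entropy
        self._tickets[ticket_id] = ServiceTicket(
            ticket_id, service, principal, self.clock(), self.number_of_uses)
        return ticket_id

    def validate(self, ticket_id: str, service: str) -> tuple[bool, str]:
        """Return (True, principal) on success or (False, error_code) otherwise.
        A successful validation consumes one use; an expired, exhausted or
        mis-targeted ticket is deleted so it cannot be replayed."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return False, "INVALID_TICKET"
        if self.clock() - st.created_at > self.time_to_kill:
            del self._tickets[ticket_id]
            return False, "INVALID_TICKET"      # lifetime passed
        if st.service != service:
            del self._tickets[ticket_id]        # burn it, conservatively
            return False, "INVALID_SERVICE"     # ST for app A offered by app B
        st.uses_left -= 1
        if st.uses_left <= 0:
            del self._tickets[ticket_id]
        return True, st.principal


def replay_outcome(number_of_uses: int) -> tuple[bool, bool]:
    """Validate one ST twice: first the legitimate app (step 4 in the first
    post), then someone who copied the ?ticket=ST-xxx link.  Returns both
    results."""
    registry = TicketRegistry(number_of_uses=number_of_uses)
    service = "https://app.example.com"
    st = registry.grant_service_ticket("gokhan", service)
    first_ok, _ = registry.validate(st, service)
    replay_ok, _ = registry.validate(st, service)
    return first_ok, replay_ok


def expiry_outcome(delay_seconds: float) -> bool:
    """Validate an ST `delay_seconds` after issue, using a fake clock."""
    now = [0.0]
    registry = TicketRegistry(clock=lambda: now[0])
    st = registry.grant_service_ticket("gokhan", "https://app.example.com")
    now[0] += delay_seconds
    ok, _ = registry.validate(st, "https://app.example.com")
    return ok


def wrong_service_outcome() -> str:
    """Offer an ST issued for app.example.com to a different service."""
    registry = TicketRegistry()
    st = registry.grant_service_ticket("gokhan", "https://app.example.com")
    _, error = registry.validate(st, "https://other.example.com")
    return error


if __name__ == "__main__":
    print("default policy (1 use):", replay_outcome(1))        # (True, False)
    print("numberOfUses=3:        ", replay_outcome(3))        # (True, True)
    print("validated after 11 s:  ", expiry_outcome(11))       # False
    print("wrong service:         ", wrong_service_outcome())  # INVALID_SERVICE
```

The service check matters as much as the use count: a ticket is bound to the service URL it was issued for, so a captured link for app A cannot be presented to app B even within its lifetime.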

Gokhan Mansuroglu

Jan 10, 2017, 2:34:32 AM
to CAS Community, rb...@uvic.ca
Hi Morgan,

Setting the cas.ticket.st.numberOfUses property to a value bigger than 1 makes it possible to reuse the service ticket. If it is defined in the protocol that it can be used only once, then why does this property exist?

Thank you.

On Thursday, 5 January 2017 at 20:21:17 UTC+3, morgan wrote:

Andrew Morgan

Jan 10, 2017, 6:37:30 PM
to CAS Community, rb...@uvic.ca
That is a useful setting during testing or debugging, but it should not be
changed on your production CAS server.

Andy

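For reference, the two ST expiration settings being discussed, as they appear in a CAS 5.x properties file. This fragment is an added illustration, not taken from the thread; the first pair are the shipped defaults, and the commented-out pair is the debug-only variant Andy warns against on a production server.

```properties
# Apereo CAS 5.x service-ticket expiration policy (shipped defaults).
# An ST may be validated once and dies after 10 seconds.
cas.ticket.st.numberOfUses=1
cas.ticket.st.timeToKillInSeconds=10

# Debug/testing variant: NOT for production.  A single ST can then be
# validated several times, which is exactly the replay the first post
# worries about: anyone holding the ?ticket=ST-xxx link could log in.
# cas.ticket.st.numberOfUses=5
# cas.ticket.st.timeToKillInSeconds=60
```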

Gokhan Mansuroglu

Jan 11, 2017, 9:31:12 AM
to CAS Community, rb...@uvic.ca
Thank you very much for your explanation.

But this time I need to ask another question related to the protocol. Let's say I have two applications A and B. First I log on to A and get a TGT and ST. And let's say there are links on A that open B in a new window. In this case which scenario is accurate?

1. Application B redirects the request to CAS to get a new ST.
2. Link is opened with a proxy granting ticket.
3. ?

Thanks.

On Wednesday, 11 January 2017 at 02:37:30 UTC+3, morgan wrote:

Andrew Morgan

Jan 11, 2017, 12:37:59 PM
to CAS Community, rb...@uvic.ca
#1 is what happens when both applications are CAS-enabled and the
user's web browser is used. Proxy granting tickets can be used to have
application A access application B directly on the user's behalf (perhaps
a backend connection to fetch some data to present in application A's
website).

Thanks,
Andy
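
To show the check that distinguishes Andy's two cases on application B's side, here is an added example (not from the thread and not from any CAS client library) that parses a /proxyValidate response in the CAS 2.0/3.0 XML format. In scenario #1 the browser brought B a fresh ST and the response carries no proxy chain; in scenario #2 A obtained a proxy ticket on the user's behalf and CAS lists A's callback URL under cas:proxies, so B must decide whether it trusts A. The response bodies, the callback URL and the user name are all constructed for the example.

```python
"""Client-side handling of a CAS /proxyValidate response, added to illustrate
the proxy-ticket remark above.  Example code, not from any CAS client library.
The XML documents below are constructed by hand in the CAS 2.0/3.0 response
format (namespace http://www.yale.edu/tp/cas)."""
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed: B validated a proxy ticket that A obtained for the user, so CAS
# reports A's pgtUrl in the proxy chain (outermost proxy first).
PROXY_VALIDATE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>gokhan</cas:user>
    <cas:proxies>
      <cas:proxy>https://app-a.example.com/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: a replayed or expired ticket.  The ticket id is made up.
PROXY_VALIDATE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket PT-1234 not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_proxy_validate(xml_text: str, allowed_proxies: frozenset) -> tuple:
    """Return (user, proxy_chain) for a successful response whose every proxy
    is one this application trusts.  Raise PermissionError for a CAS failure
    or an untrusted proxy, ValueError for a malformed document."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        detail = (failure.text or "").strip()
        raise PermissionError(f"{failure.get('code')}: {detail}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("malformed CAS response: no success or failure element")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise ValueError("malformed CAS response: missing cas:user")
    chain = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    # An empty chain means the browser delivered a plain ST (scenario #1).
    # A non-empty chain means another application acted for the user
    # (scenario #2); accept it only if each hop is on the allow-list.
    untrusted = [p for p in chain if p not in allowed_proxies]
    if untrusted:
        raise PermissionError(f"untrusted proxy in chain: {untrusted}")
    return user, chain


def accept_trusted() -> tuple:
    """B trusts A's callback URL, so the proxied login is accepted."""
    return parse_proxy_validate(
        PROXY_VALIDATE_OK, frozenset({"https://app-a.example.com/pgtCallback"}))


def reject_untrusted() -> str:
    """Same response, but B has no allow-list entry for A."""
    try:
        parse_proxy_validate(PROXY_VALIDATE_OK, frozenset())
    except PermissionError as exc:
        return str(exc)
    return "accepted"


def reject_failure() -> str:
    """A CAS failure response must never be treated as a login."""
    try:
        parse_proxy_validate(PROXY_VALIDATE_FAIL, frozenset())
    except PermissionError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print(accept_trusted())      # ('gokhan', ['https://app-a.example.com/pgtCallback'])
    print(reject_untrusted())    # untrusted proxy in chain: [...]
    print(reject_failure())      # INVALID_TICKET: Ticket PT-1234 not recognized
```

The allow-list is the part worth getting right: accepting any proxy chain means any CAS-enabled application that can obtain a PGT can log into B as the user, which is a much wider trust boundary than the browser-redirect flow in scenario #1.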