I actually stumbled across similar behavior last week. In my case the CAS Server issued a ticket for service:
https://mydomain.com/path
And then successfully validated the ticket against service:
http://mydomain.com/path
Even though both services had different configurations.
Shouldn't this be a bug with the CAS Server? The server should refuse to validate a ticket if the validation service URL is not exactly equal to the requesting service.
This was observed against CAS Server version 3.5.2.
Chad Killingsworth
Assistant Director of Web and New Media
Missouri State University
--
You are currently subscribed to cas-...@lists.jasig.org as: scott.b...@gmail.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
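As an added illustration of the check Chad is describing (example code written for this page, not CAS Server's own code; how CAS Server 3.5.2 actually compares service identifiers is not shown in the thread), here is a toy service-ticket registry with two interchangeable matchers: a lax one that ignores the URL scheme, which reproduces the reported acceptance of an https-issued ticket at the http service, and a strict one that compares every component. The registry, the `ST-` ticket format and the `INVALID_SERVICE` / `INVALID_TICKET` codes are modelled on the CAS protocol's /serviceValidate semantics, under which a ticket presented with a non-matching service must be invalidated rather than left usable; the principal name and the URLs in `demo()` are constructed sample input.

```python
"""Added example: strict vs lax CAS service-URL matching at ticket validation.

Assumptions (not from the thread): the in-memory registry, the ``ST-`` ticket
format and the ``INVALID_SERVICE`` / ``INVALID_TICKET`` result codes follow the
CAS protocol's /serviceValidate semantics; CAS Server 3.5.2's real comparison
code is not on the page.
"""
import secrets
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_service(url):
    """Canonical form of a service URL: lowercase scheme and host, default
    port dropped, empty path treated as '/'. Query is kept verbatim, since
    CAS clients routinely carry state in it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is not None and DEFAULT_PORTS.get(scheme) != port:
        host = f"{host}:{port}"
    return (scheme, host, parts.path or "/", parts.query)


def lax_match(issued, presented):
    """Reproduces the behaviour reported above: the scheme is ignored, so
    https://mydomain.com/path and http://mydomain.com/path compare equal."""
    return normalize_service(issued)[1:] == normalize_service(presented)[1:]


def strict_match(issued, presented):
    """What /serviceValidate should do: every component must be equal."""
    return normalize_service(issued) == normalize_service(presented)


class TicketRegistry:
    """Minimal in-memory service-ticket store (constructed for the example)."""

    def __init__(self, match=strict_match):
        self._tickets = {}  # ticket id -> (service, principal)
        self._match = match

    def grant(self, service, principal):
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, principal)
        return ticket

    def validate(self, ticket, service):
        """Return (success, code_or_principal). The ticket is consumed on every
        attempt: a ticket whose service does not match must be invalidated,
        not left around for a second try against the right service."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return False, "INVALID_TICKET"
        issued_for, principal = entry
        if not self._match(issued_for, service):
            return False, "INVALID_SERVICE"
        return True, principal


def demo(match):
    """Issue a ticket for the https service and try to validate it from the
    http one, exactly the cross-scheme case in the report (sample input)."""
    registry = TicketRegistry(match)
    st = registry.grant("https://mydomain.com/path", "chad")
    return registry.validate(st, "http://mydomain.com/path")


if __name__ == "__main__":
    print("lax   :", demo(lax_match))     # accepted: the reported behaviour
    print("strict:", demo(strict_match))  # rejected with INVALID_SERVICE
```

With the lax matcher the cross-scheme validation returns `(True, 'chad')`; with the strict one it returns `(False, 'INVALID_SERVICE')`. Normalisation only folds case and default ports (so `https://MyDomain.com:443/path` still matches `https://mydomain.com/path`); treating the scheme as insignificant is the bug, because two registrations that differ only in scheme can, as in Chad's case, carry different service configurations, and the one the ticket was never issued for ends up being honoured.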
On 2014/08/11, 12:46 PM, "Marvin Addison" <marvin....@gmail.com> wrote:

>> Does this affect ALL versions of the Java client prior to 3.3.2?
>
> I did code review of the latest 3.2 and 3.1 versions and they were
> both vulnerable. I built one-off patches for my institution, but we
> will consider providing official patches for those lines if there is
> interest.

So far I'm doing fact-finding before I announce to folks here, but if they
were available that would ease the patching, I'm sure. Don't know how
much trouble that is. :)

>> Also, is there a way to get the 3.3.2 jar without having to do a Maven
>> build? Latest on the downloads site is 3.2.x.
>
> I noticed there's no download bundle as well. I imagine Scott simply
> hasn't gotten to it yet, but I'm sure simply mentioning it here will
> make it magically appear :)
>
> M

For my couple of apps, I will probably take the opportunity to get current.
:) As always, the work of those of you officially involved with CAS is
much appreciated.

Thanks,
Tim
> Does this affect ALL versions of the Java client prior to 3.3.2?

I did code review of the latest 3.2 and 3.1 versions and they were
both vulnerable. I built one-off patches for my institution, but we
will consider providing official patches for those lines if there is
interest.

> Also, is there a way to get the 3.3.2 jar without having to do a Maven
> build? Latest on the downloads site is 3.2.x.

I noticed there's no download bundle as well. I imagine Scott simply
hasn't gotten to it yet, but I'm sure simply mentioning it here will
make it magically appear :)
> Yes, it would ease patching. I'm finding getting a uPortal 4.0 release
> squared away jumping from a Java CAS Client 3.2 version to 3.3.2 to be
> substantially unpleasant.

Ok. Here's the catch. Some of the integration modules,
cas-client-integration-atlassian comes to mind, have dependencies in
third-party repositories that are defunct. That makes a complete
project build sufficiently difficult if not impossible that the return
on investment is not justifiable. I would imagine that most folks need
cas-client-core exclusively, and I would recommend we focus our
efforts on patches for that module alone. Additionally, that's the
only module affected by patching.
This makes sense to me, Andrew. Anybody on 3.2.x should be able to upgrade with a drop-in Jar, and if we can manage that with a 3.2.1.1 release, all the better.