The default clearpass-configuration.xml includes the normal (non-Proxy) CAS authentication filter for protecting /clearPass. Only the Cas20ProxyReceivingTicketValidationFilter needs to be there. In the current state anyone using the default clearpass-configuration.xml file can trivially access the user's password (assuming access to their browser window) by accessing:
thus circumventing the allowed Proxy chains protection mechanism.
I'm preparing a pull request to show how to remove the non-Proxy AuthenticationFilter leaving only the Cas20ProxyReceivingTicketValidationFilter, but it's a trivial fix.
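An added audit check (not part of the original report or the CAS project) that flags the misconfiguration described above in a Spring-bean style clearpass-configuration.xml. It assumes the filters are declared as `<bean class="...">` elements; the filter class names are those of the Jasig Java CAS client, while the bean ids and sample files are constructed.

```python
"""Audit a clearpass-configuration.xml-style Spring bean file: a non-proxy
CAS AuthenticationFilter must not be declared next to the
Cas20ProxyReceivingTicketValidationFilter that protects /clearPass."""
import xml.etree.ElementTree as ET

# Filter classes from the Jasig Java CAS client (cas-client-core).
NON_PROXY_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
PROXY_VALIDATION_FILTER = (
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
)


def bean_classes(xml_text):
    """Return the class attribute of every <bean> element, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    return [
        el.get("class")
        for el in root.iter()
        if (el.tag == "bean" or el.tag.endswith("}bean")) and el.get("class")
    ]


def audit(xml_text):
    """Return a list of findings; an empty list means the chain is proxy-only."""
    classes = bean_classes(xml_text)
    findings = []
    if NON_PROXY_FILTER in classes:
        findings.append("non-proxy AuthenticationFilter present: remove it")
    if PROXY_VALIDATION_FILTER not in classes:
        findings.append("Cas20ProxyReceivingTicketValidationFilter missing")
    return findings


# Constructed sample: the weak default with both filters declared.
WEAK_CONFIG = f"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="clearPassAuthenticationFilter" class="{NON_PROXY_FILTER}"/>
  <bean id="clearPassTicketValidationFilter" class="{PROXY_VALIDATION_FILTER}"/>
</beans>"""

# Constructed sample: the fixed file, proxy ticket validation only.
FIXED_CONFIG = f"""<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="clearPassTicketValidationFilter" class="{PROXY_VALIDATION_FILTER}"/>
</beans>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```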