CAS Server: CAS-1411

Protocol updates on security strength of validation requests

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0 RC2
    • Fix Version/s: 4.0, 4.0 RC4
    • Component/s: Documentation
    • Labels:
      None

      Description

      From Marvin:

      I recall the following statement didn't provide enough implementation details:

      CAS uses an HTTP GET request to pass the HTTP request parameters "pgtId" and "pgtIou" to the pgtUrl. These entities are discussed in Sections 3.3 and 3.4, respectively.

      When working on the Shib-CAS plugin, I had to review CAS server source to fill in some blanks. I don't recall exactly what was unclear, but I believe it related to the exact mechanics of constructing the callback URL and what to do with the server-side identifiers on success.

      Furthermore, the recommendation of extending user attributes is preferred to match the default impl:
      <cas:attributes><cas:attributeName>VALUE</cas:attributeName></cas:attributes>
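
The callback and validation steps the description refers to, as an added example (not code from CAS, the Shib-CAS plugin or this issue). It assumes the standard CAS XML namespace and the `cas:user` and `cas:proxyGrantingTicket` response elements; `build_callback_url`, `PgtStore` and `parse_validation` are hypothetical names, and all ticket values are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS XML namespace

def build_callback_url(pgt_url, pgt_id, pgt_iou):
    """Server side: the GET target, with pgtId/pgtIou added to any existing query."""
    parts = urlsplit(pgt_url)
    if parts.scheme != "https":  # the protocol requires an HTTPS callback
        raise ValueError("pgtUrl must use https")
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("pgtIou", pgt_iou), ("pgtId", pgt_id)]
    return urlunsplit(parts._replace(query=urlencode(query)))

class PgtStore:
    """Client side: holds pgtIou -> pgtId pairs until validation redeems them."""
    def __init__(self):
        self._pending = {}

    def handle_callback(self, url):
        params = dict(parse_qsl(urlsplit(url).query))
        iou, pgt = params.get("pgtIou"), params.get("pgtId")
        if iou and pgt:
            self._pending[iou] = pgt
        return 200  # assumption: always acknowledge, store only complete pairs

    def redeem(self, iou):
        return self._pending.pop(iou, None)  # single use: removed once read

def parse_validation(xml_text, store):
    """Read user, attributes and the PGT (looked up via the PGTIOU) from a response."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted input
    ok = root.find("cas:authenticationSuccess", NS)
    if ok is None:
        return None
    attrs = {}
    for el in ok.findall("cas:attributes/*", NS):
        attrs.setdefault(el.tag.split("}", 1)[-1], []).append(el.text or "")
    iou = ok.findtext("cas:proxyGrantingTicket", namespaces=NS)
    return {"user": ok.findtext("cas:user", namespaces=NS), "attributes": attrs,
            "pgt": store.redeem(iou) if iou else None}

# Constructed sample response, using the attribute layout quoted in the issue.
SAMPLE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
 <cas:authenticationSuccess><cas:user>alice</cas:user>
  <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
  <cas:attributes><cas:mail>alice@example.org</cas:mail></cas:attributes>
 </cas:authenticationSuccess></cas:serviceResponse>"""
```

The PGTIOU in the validation response is only a lookup key; the pgtId itself arrives solely through the callback, so a response carrying a PGTIOU the store never received yields no ticket.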

            People

            • Assignee:
              mmoayyed Misagh Moayyed
              Reporter:
              mmoayyed Misagh Moayyed