Improve security of PGT issuance by checking pgtUrl against service registry
Description
There are two controls over the use of proxy tickets by CAS clients. One is that a Proxy Granting ticket will not be issued to a service unless it is marked as "allowedToProxy" in the services registry. The second is that the CAS clients can validate the proxy callback chain.
There is a small potential security hole in the registry check. The best guarantee of which service CAS is handing the PGT to is the certificate validation performed on the https callback used to hand over the PGT. That is why this https URL is used in the proxy chain. However, when checking the registry, the PGT will be given to any https URL as long as the service URL matches a service in the registry that is marked as allowedToProxy. This means that if a malicious service can get hold of an ST intended for another service that is "allowedToProxy", then the malicious service can request a PGT to any callback URL with a valid certificate (as determined by the CAS trust store). While CAS clients should not accept PTs from that PGT because they should check the proxy chain, clients may be misconfigured, or users may prefer to centralize their policy control at the CAS server.
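The registry check described above, and the proposed fix of also matching pgtUrl against the registry, as an added illustration that is not CAS code: the registry entries, the `allowed_proxy_callbacks` pattern and the hostnames are constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class RegisteredService:
    service_id: str               # regex over the service URL, as in the CAS registry
    allowed_to_proxy: bool
    allowed_proxy_callbacks: str = ""  # hypothetical: regex the pgtUrl must match


# Constructed registry: one service may proxy, one may not.
REGISTRY = [
    RegisteredService(r"^https://portal\.example\.edu/.*", True,
                      r"^https://portal\.example\.edu/pgtCallback$"),
    RegisteredService(r"^https://wiki\.example\.edu/.*", False),
]


def find_service(url):
    """Return the first registry entry whose service_id matches the URL."""
    for svc in REGISTRY:
        if re.match(svc.service_id, url):
            return svc
    return None


def registry_check_original(service_url, pgt_url):
    """Check as described in the ticket: only the service URL is consulted,
    so any https pgtUrl is accepted once the service is allowedToProxy."""
    svc = find_service(service_url)
    return (svc is not None and svc.allowed_to_proxy
            and urlparse(pgt_url).scheme == "https")


def registry_check_hardened(service_url, pgt_url):
    """Proposed check: the pgtUrl must also match the callback pattern
    registered for that service, not just be any https URL."""
    svc = find_service(service_url)
    if svc is None or not svc.allowed_to_proxy:
        return False
    if urlparse(pgt_url).scheme != "https":
        return False
    if not svc.allowed_proxy_callbacks:
        return False  # no registered callback means no PGT
    return re.match(svc.allowed_proxy_callbacks, pgt_url) is not None
```

With a service that is allowedToProxy and a callback on some other host, the original check returns True and the hardened one returns False; the registered callback passes both.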
This Jira reflects suggestion SEC_4 from the Appsec working group as documented here: https://wiki.jasig.org/display/CAS/Proposals+to+mitigate+security+risks