Legacy Beta release
A more recent production-level release supercedes this release.
Getting the files
Files are attacehd to this Wiki page.
Release notes
CAS 2.0.12beta (December 2003): security fix, minor bug fixes/enhancements
- fixed issue with browsers caching using credentials. Here is a description of that fix that was posted to the CAS mailing list:
We've recently noticed several security issues with CAS's interaction with certain web browsers, specifically Internet Explorer in Windows and Safari in OS X. First I'll explain the Internet Explorer behavior.
After a user logs into CAS, he is redirected to the service. Once he logs out, if he doesn't close his browser, he is able to click back a few times until Internet Explorer offers to repost his form data (i.e. login credentials). Clicking Refresh will resubmit the credentials and the user will be logged in again. This isn't so much an issue on users' personal machines as it is on public kiosks. If the user walks away without closing the browser, the next kiosk user can go back through the browser's history and log in to CAS by reposting that form data.
Safari exhibits a similar behavior, only a lot more insecurely. When the user sees the dialog box that offers to repost the credentials, if he clicks yes, Safari will repost the login credentials to the web application – not to CAS.
We have fixed both of these bugs in our CAS distribution which we will officially release in January. The fixes are as follows:
- The Javascript redirect page (goService.jsp) was modified to use an HTTP Refresh instead. This fixed the Internet Explorer issue.
- Upon detecting that the remote browser is Safari, the automatic refresh is disabled on initial login. Safari users will see a page that states they have been logged in successfully and they are asked click a link to access the requested service. This appears to be the only way to keep Safari from incorrectly posting the credentials to the web application. Even after this fix, though, Safari still exhibited the same behavior Internet Explorer did from the start – it still offered to repost the login credentials.
- To fix this new Safari bug, a transaction ID was added to each login. The login page now includes a one-time-use transaction ID as one of its post parameters. If the transaction ID has already been used, it cannot be used for another login.
Drew Mazurek
ITS Technology & Planning
- changed the println("...")'s in LegacyValidate to print("...\n")'s. This fixes a compatibility issue with certain CAS clients such as mod_cas that relied on lines to end in a single '\n' rather than '\r\n'.
- added xmlns descriptor to the XML response in Proxy.java.
- added a "doc" ant build target that builds Javadoc for CAS.
- added a getSerialNumber() method to the service ticket cache that allows for monitoring.