
Central Authentication Server architecture and authentication flow

Recently, while I was working with a CAS server, I got a conceptual problem... As I understood, as soon as a ticket validation succeeds, that ticket gets erased... But why? And where exactly is the user role checked?

Thanks

CAS service tickets are one-time use to eliminate the risk of a replay attack. If you use the recommended setup, your client should only talk to the CAS server over HTTPS, so when a service ticket is obtained from the CAS server, it remains confidential. However, a ticket could then potentially be presented by the client to the desired service on an unencrypted channel (i.e. HTTP). Therefore, it's no longer safe to assume it is secret after its first use. Furthermore, one use is all that's necessary to authenticate the client, so allowing additional uses after that doesn't make much sense. It's just asking for trouble.

When it comes to user roles, that's up to your application. CAS's purpose is to tell you who you are dealing with (authentication), and it does that well. What a particular user is allowed to do in your application (authorization) is a different problem and not the one CAS is intended to solve.

By default the ServiceTicket (ST) can be used only once and for a short time only (it's bound to a MultiTimeUseOrTimeoutExpirationPolicy). This is, like Mike said in his answer, to ensure that it is not misused. These preset values can be changed if you really need to, as I wrote already in another post, by changing the ticketExpirationPolicy.xml file.

However, the TicketGrantingTicket (TGT) remains active and is by default only bound to a TimeoutExpirationPolicy and not limited by the number of requests. From the TGT the CAS can create as many STs as you need.
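To make the two policies described in the answers concrete, here is an added Python simulation of a CAS-style ticket registry (example code, not CAS's own implementation; the class name, the timeout values and the ticket-id format are constructed assumptions). A service ticket validates exactly once and is then removed, so a replayed or expired ST is rejected, while the TGT keeps issuing fresh STs until it times out.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed policy values (assumptions, not CAS defaults):
ST_TIMEOUT_S = 10.0        # MultiTimeUseOrTimeoutExpirationPolicy: short lifetime...
ST_MAX_USES = 1            # ...and a single validation
TGT_TIMEOUT_S = 8 * 3600   # TimeoutExpirationPolicy: time-bound, not use-bound


class Ticket:
    def __init__(self, principal: str, created: float) -> None:
        self.principal = principal
        self.created = created
        self.uses = 0


class TicketRegistry:
    """Issues a TGT on login, grants STs from it, and validates each ST once."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock          # injectable clock so expiry can be tested
        self.tgts: Dict[str, Ticket] = {}
        self.sts: Dict[str, Ticket] = {}

    def login(self, principal: str) -> str:
        tgt_id = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt_id] = Ticket(principal, self.clock())
        return tgt_id

    def grant_service_ticket(self, tgt_id: str) -> str:
        tgt = self.tgts.get(tgt_id)
        if tgt is None or self.clock() - tgt.created > TGT_TIMEOUT_S:
            self.tgts.pop(tgt_id, None)          # expired TGT: user must log in again
            raise PermissionError("TGT missing or expired")
        st_id = "ST-" + secrets.token_urlsafe(16)
        self.sts[st_id] = Ticket(tgt.principal, self.clock())
        return st_id                             # unlimited STs per live TGT

    def validate_service_ticket(self, st_id: str) -> Optional[str]:
        st = self.sts.get(st_id)
        if st is None:
            return None                          # unknown or already consumed (replay)
        if self.clock() - st.created > ST_TIMEOUT_S:
            del self.sts[st_id]                  # timed out before first use
            return None
        st.uses += 1
        if st.uses >= ST_MAX_USES:
            del self.sts[st_id]                  # consumed: erased after validation
        return st.principal                      # who the user is, not what they may do
```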
