I have been reading the CAS protocol recently, and the PGTIOU looks redundant to me. Since CAS is the single trusted party, why not return the PGT directly when the ST is validated, instead of first returning the PGTIOU and then delivering the PGTIOU and PGT through an HTTPS callback to the pgtUrl?
I searched through many articles online and found that plagiarism is rampant: every one of them contains the same single sentence, "This was designed for security reasons, which I will explain in the next section!" I would like to ask the experts: what is this design actually for? What are its intended scenarios? And what security risks would there be without it?
Some people say it is to prevent a directly returned PGT from being sniffed, or to prevent someone from forging an ST, validating it to obtain a PGT, and then doing many things with it. But if someone really has the ST in hand, the pgtUrl can be forged just as easily, and the PGT obtained all the same. Besides, when requesting a PT the proxy server has to send the PGT anyway.
In the end it was an exchange on a foreign forum that explained the question:
"The pgtIou provides a way to associate the Proxy Granting Ticket with a ticket validation response without including the Proxy Granting Ticket directly in the response. The PGT is sent (via an HTTPS request from CAS server to proxy callback URL) alongside a pgtiou. That same pgtiou is returned in the ticket validation response."

"I think maybe because it's very unsafe to include the Proxy Granting Ticket directly in the response."

Correct. How unsafe it is depends on whether the service is using https://
But the short version is that in theory the Adversary could obtain a service ticket (for instance, by knowing the end user's password). The https:// callback guarantees that a Proxy Granting Ticket is associated with an https:// URL at which the proxy granting ticket recipient is capable of listening. It leverages the server SSL certificate to authenticate the service to CAS for the purpose of receiving a Proxy Granting Ticket.

Only YaleInfo can obtain a proxy granting ticket in the name of YaleInfo. I cannot obtain a proxy granting ticket in the name of YaleInfo *even though I know my own username and password and can capture a service ticket intended for YaleInfo*.

> But I think CAS Client can get the PGT directly from the "proxy callback URL".

Maybe. Certainly the instance of the CAS client library installed in YaleInfo can obtain the PGTs that YaleInfo receives. This authenticates that CAS client instance as actually being connected to the web application listening at YaleInfo's SSL URL.

> But in fact CAS Client must get the PGT through the PGTIOU obtained from XML document which was returned through the "ticket validation response" by CAS server. I think it's superfluous.

The pgtiou is the key whereby the CAS client knows *which* PGT to associate with the user whose service ticket has just been validated.
After re-reading the CAS protocol specification, I find the PGTIOU design entirely reasonable and necessary.
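To make the quoted explanation concrete, here is an added Python model of the PGT/PGTIOU exchange (not CAS project code and not part of the original post): the server mints a PGT only when the pgtUrl is a trusted HTTPS callback, delivers the PGT over that callback, and puts only the PGTIOU into the validation response. The URLs, class names and the run_scenarios helper are constructed assumptions; the scenarios show why someone who captured an ST and names YaleInfo's pgtUrl (the worry in the opening paragraphs) resolves nothing, and why an untrusted pgtUrl yields no PGT at all.

```python
import secrets
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

class CasClient:
    # The proxying service (YaleInfo in the thread): PGTs arrive only on its HTTPS callback.
    def __init__(self):
        self.iou_to_pgt = {}  # PGTIOU -> PGT, filled solely by proxy_callback
    def proxy_callback(self, pgt_iou, pgt_id):  # CAS calls this over HTTPS at pgtUrl
        self.iou_to_pgt[pgt_iou] = pgt_id
    def pgt_from_validation(self, xml_response):
        # The validation response carries only the IOU; resolve it against the callback store.
        iou = ET.fromstring(xml_response).findtext(".//{%s}proxyGrantingTicket" % CAS_NS)
        return self.iou_to_pgt.get(iou) if iou else None

class CasServer:
    def __init__(self, trusted_callbacks):
        # pgtUrl -> callable; stands in for "HTTPS URL whose certificate CAS trusts" (assumption)
        self.trusted_callbacks = trusted_callbacks
        self.service_tickets = {}  # ST -> (service, user); single use

    def issue_st(self, service, user):
        st = "ST-" + secrets.token_urlsafe(12)
        self.service_tickets[st] = (service, user)
        return st

    def service_validate(self, ticket, service, pgt_url=None):
        root = ET.Element("{%s}serviceResponse" % CAS_NS)
        entry = self.service_tickets.pop(ticket, None)
        if entry is None or entry[0] != service:
            ET.SubElement(root, "{%s}authenticationFailure" % CAS_NS, code="INVALID_TICKET")
            return ET.tostring(root, encoding="unicode")
        ok = ET.SubElement(root, "{%s}authenticationSuccess" % CAS_NS)
        ET.SubElement(ok, "{%s}user" % CAS_NS).text = entry[1]
        deliver = self.trusted_callbacks.get(pgt_url)
        if deliver is not None:  # untrusted or missing pgtUrl: no PGT is minted at all
            pgt_iou, pgt_id = "PGTIOU-" + secrets.token_urlsafe(12), "PGT-" + secrets.token_urlsafe(12)
            deliver(pgt_iou, pgt_id)  # the PGT itself travels only over the callback
            ET.SubElement(ok, "{%s}proxyGrantingTicket" % CAS_NS).text = pgt_iou
        return ET.tostring(root, encoding="unicode")

def run_scenarios():
    # Returns (YaleInfo's PGT, what an ST thief resolves naming YaleInfo's pgtUrl, what it resolves naming its own URL).
    app, cb = "https://yaleinfo.example/app", "https://yaleinfo.example/proxyCallback"
    yaleinfo, thief = CasClient(), CasClient()  # the thief never receives any callback
    cas = CasServer({cb: yaleinfo.proxy_callback})
    legit = yaleinfo.pgt_from_validation(cas.service_validate(cas.issue_st(app, "alice"), app, cb))
    iou_only = thief.pgt_from_validation(cas.service_validate(cas.issue_st(app, "alice"), app, cb))
    untrusted = thief.pgt_from_validation(cas.service_validate(cas.issue_st(app, "alice"), app, "https://thief.example/cb"))
    return legit, iou_only, untrusted
```

Calling run_scenarios() returns a real PGT for YaleInfo and None for both of the thief's attempts: with the stolen ST the thief sees only a PGTIOU it cannot redeem, and with its own pgtUrl the server mints nothing.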
Aside:
Searching for this question online, nine out of ten related articles are identical, some even down to the same tone of voice. Do people feel no shame in plagiarizing others? At the very least, read and understand what you copy! And if you cannot understand it, at least finish reading the article you are copying! They do not even bother to alter or disguise it, openly practicing wholesale copying. This does not fool everyone else; it only fools oneself. Such people are not fit to be programmers, and such websites are not fit to be technical sites. Support original work, support innovation. More substance, less flash!