nitron / django-cas-provider Goto Github PK

Currently, the only interaction django-cas-provider has with the user is to prompt for credentials. If a user accessed two services A and B and logs in to grant a service ticket for A, then B can silently get a service ticket. If this process is fast enough, the user may log in to application B without even realizing it.

This, the CAS provider should prompt for authorization for granting service tickets, especially after the single-sign-on session is already opened (e.g. the user is already logged in). This behavior could optionally be disabled by the user.

I have a sneaky suspicion the 'login' response is incorrect, at least according to the spec.

http://www.jasig.org/cas/protocol

It defines the response as:

yes<LF>
username<LF>

Whereas django-cas-provider's response is:

yes<CR><LF>
username<CR><LF>

I was quite surprised to see that my LOGIN_REDIRECT_URL is consistently ignored and I'm always redirected to /account/ after login. It seems that the cas_provider.views.login view uses an extra parameter with the URL to redirect to.

This should be changed to use the LOGIN_REDIRECT_URL setting for two reasons. First, the replacement login view should behave as much as possible like the one in django.contrib.auth. Second, I cannot use the include(cas_provider.urls) shortcut in my project's urls.py if I plan to use the success_redirect parameter.

I believe that you have reversed the order of CRLF characters in the "validate" method. It should be "\r\n".
It makes e.g. Hudson's (pardon, I mean Jenkins's :-) ) CAS plugin ignore the username.

Fairly sure that 'validate' should check that the ticket and service parameters match. Currently if once service gets a service ticket, it can then provide that ticket to another service and impersonate the user.

In views.py, service is not checked for a '?' after a successful login, just if the user is already logged in. This generates an url like http://domain.com/abcd?param1=32&param2=ki?ticket=kdjcso, which is invalid.