Hi, I think I got useful information, thank you very much!

Galen
-----Original Message-----
From: Scott Battaglia [mailto:[email protected]]
Sent: Thu 7/9/2009 9:45 AM
To: [email protected]
Subject: Re: [cas-user] Security questions concerning service ticket and TGC

2009/7/8 Gao, Galen <[email protected]>
> Hi,
> We are now testing the CAS server for realizing cross domain SSO and my
> supervisor has got some questions after we demonstrated this application to
> him. We tried to search for those answers to the questions online, but still
> we want to ask you directly for further confirmation.
> How secure is the service ticket (ST)?

The Service Ticket is an opaque identifier which carries no information itself. It can only be used once and MUST be validated against the CAS server in combination with the service url in order to retrieve anything useful.

> For example, if a hacker steals the ticket through the way between the CAS
> client and browser, he can simulate the user to do all his actions.

That assumes you're running your application over non-HTTPS. But then at that point, you could do any number of things including session hijacking, cookie stealing, etc. that wouldn't involve CAS at all. Essentially, you run a HUGE risk whenever you run an application, CASified or not, over non-HTTPS. We NEVER recommend you do that.

> So my questions are the following, besides the ticket length is between 32
> to 256 bytes and randomly generated and used for one time only, what is the
> ticket number composed of (I mean, is it composed of only numbers, or also
> with characters or any marks else)?

I recommend you read the specification: http://www.jasig.org/cas/protocol specifically section 3.1.1

> And will the ticket be encrypted or use some check digits? What's more, will
> the length of the ticket be generated randomly also?

It doesn't need to be encrypted. It doesn't contain any useful information. Again, I would recommend you read and understand the specification.

The length is always the same (though it's configurable at build time).

Cheers,
Scott

> Looking forward to your quick reply!
> Best regards,
> Galen
>
> --
> You are currently subscribed to [email protected] as: [email protected]
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
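The three properties Scott relies on above (opaque identifier, single use, bound to the service URL it was issued for) are what limit the damage from a stolen ticket. The following in-memory ticket registry, written as an added example and not taken from CAS or from anyone on this thread, models that validation logic; the 10-second lifetime, the exact-match service comparison and the `ST-` prefix plus `secrets.token_urlsafe` generator are assumptions of this example, while `INVALID_TICKET` and `INVALID_SERVICE` are the error codes the protocol's validation response uses.

```python
import secrets
import time

# Assumed short validity window for a service ticket (seconds).
ST_LIFETIME_SECONDS = 10


class ServiceTicketRegistry:
    """Minimal model of CAS service ticket issuance and one-time validation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # ticket id -> (service URL it was issued for, principal, issue time)
        self._tickets = {}

    def grant(self, service, principal):
        # Opaque, unguessable identifier: the ticket itself reveals nothing about
        # the user; the mapping to a principal lives only on the server.
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (service, principal, self._clock())
        return ticket

    def validate(self, ticket, service):
        """Return (principal, code). Any validation attempt consumes the ticket."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None, "INVALID_TICKET"  # unknown, forged or already used
        bound_service, principal, issued = entry
        if self._clock() - issued > ST_LIFETIME_SECONDS:
            return None, "INVALID_TICKET"  # expired
        if bound_service != service:
            # Presented by a service other than the one it was issued for
            # (a real deployment normalises URLs before comparing; simplified here).
            return None, "INVALID_SERVICE"
        return principal, "OK"


if __name__ == "__main__":
    registry = ServiceTicketRegistry()
    app = "https://app.example.org/login"  # constructed service URL
    st = registry.grant(app, "galen")
    print(st, registry.validate(st, app))   # ('galen', 'OK')
    print(st, registry.validate(st, app))   # replay: (None, 'INVALID_TICKET')
```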
