On Tue, Jul 21, 2009 at 3:52 AM, Sander Bos <[email protected]> wrote:
>
> <snip />
>
> I have no real idea on how often releases of the CAS client are made (3.1.3
> is the previous I can download, and that is from June 2008).
>

We're actually on 3.1.6:
http://www.jasig.org/jasig-cas-client-java-316-release

>
> I do see it correctly right that not being able to specify
> allowedProxyChains in a proxy authentication scenario is a big security
> risk. A malicious web application could have the user do a single sign on
> action on the CAS server for itself, and then request any user privileged
> information from web applications that allow proxying and use the same CAS
> server?
>
> Kind regards,
>
> --Sander.
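The check the question turns on, as an added example (not part of the thread and not the CAS client's own code): parse a CAS 2.0 proxy validation response and accept a proxied ticket only when its whole proxy chain equals a configured chain. The class name, allow-list and URLs are hypothetical, and the responses are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ProxyChainCheck {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";
    // Hypothetical allow-list: each entry is one complete, ordered chain of proxy callback URLs.
    static final List<List<String>> ALLOWED_CHAINS = Arrays.asList(
        Arrays.asList("https://portal.example.org/proxyCallback"));

    /** Returns the <cas:proxy> entries, in document order, of a successful validation response. */
    static List<String> proxyChain(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DTDs so the response cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        if (d.getElementsByTagNameNS(CAS_NS, "authenticationSuccess").getLength() == 0)
            throw new IllegalStateException("ticket validation failed");
        NodeList nodes = d.getElementsByTagNameNS(CAS_NS, "proxy");
        List<String> chain = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) chain.add(nodes.item(i).getTextContent().trim());
        return chain;
    }

    /** Accept an unproxied ticket, or a proxied one whose whole chain equals an allowed chain. */
    static boolean accept(List<String> chain) {
        return chain.isEmpty() || ALLOWED_CHAINS.contains(chain);
    }
    static String response(String... proxies) { // builds a constructed sample response
        StringBuilder sb = new StringBuilder("<cas:serviceResponse xmlns:cas='" + CAS_NS
            + "'><cas:authenticationSuccess><cas:user>alice</cas:user><cas:proxies>");
        for (String p : proxies) sb.append("<cas:proxy>").append(p).append("</cas:proxy>");
        return sb.append("</cas:proxies></cas:authenticationSuccess></cas:serviceResponse>").toString();
    }

    public static void main(String[] args) throws Exception {
        String known = "https://portal.example.org/proxyCallback";
        String unknown = "https://unlisted-app.example.net/proxyCallback";
        String[][] samples = { {}, {known}, {unknown}, {unknown, known} };
        for (String[] s : samples) {
            List<String> chain = proxyChain(response(s));
            System.out.println((accept(chain) ? "ACCEPT " : "REJECT ") + chain);
        }
    }
}
```

Matching the whole chain rather than any single entry means a listed proxy appearing behind an unlisted one is still rejected.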
