> I guess the question is really do we care that they were authenticated
> already, or do we care that they used CAS to authenticate?

I must admit I had some concerns about trusting other authentication methods up the chain. We sell CAS on the premise that it's more secure than typical user/pass authentication schemes, which in this case would be trusted by CAS and weaken overall security. On the other hand, if you need to combine CAS with other authentication methods, it's likely a moot point that the auth methods other than CAS are sufficient with regard to security. I am comfortable with allowing a trust mechanism in AuthenticationFilter as long as the security considerations are well documented and it's a configuration option that has to be explicitly enabled.

M
