> The mod_auth_cas will validate the CAS server's certificate if
> "CASValidateServer On" is set in the cas.conf file. The java filters don't
> seem to have this feature.

It's correct that the Java filters don't have support for this, but the reason is that the underlying JVM performs certificate validation. It's configurable in Java as well, but via system properties. See http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html for more info.

> Because of this I believe that setting "CASValidateServer Off" is not really
> a "bad thing".

If your logic is that "if Java doesn't do it, then M-A-C doesn't need to either," then you've got a faulty conclusion based on an untrue premise. Certificate validation is on by default in Java and it's a fair bit of work to disable.

That said, if you really trust the server at cas.yourschool.edu, then it's perfectly reasonable to disable certificate checking. While certificate trust configuration can be tedious and a maintenance burden over time, I personally like the security of knowing it's there.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
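To illustrate the point above about the JVM doing the validation itself: the following is an added example, not code from the thread or from the CAS Java client, that probes a CAS server over HTTPS with the JVM's default trust settings (the bundled cacerts, or the trust store named by the `javax.net.ssl.trustStore` system property). The host `cas.example.edu` is a placeholder.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/**
 * Probe a CAS server over HTTPS using the JVM's default trust configuration.
 * JSSE validates the server certificate chain during the handshake; nothing
 * here disables that. A handshake failure means the chain does not lead to a
 * CA in the trust store, so the fix is to import the CA, not to remove the check.
 */
public class CasTrustProbe {

    /** Outcome of the probe, returned so callers can act on it. */
    public enum Result { TRUSTED, UNTRUSTED_CERT, OTHER_ERROR }

    public static Result probe(String casUrl) {
        try {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(casUrl).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.connect(); // the TLS handshake, including chain validation, happens here
            // Show which certificate the JVM actually validated.
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("validated leaf cert: " + leaf.getSubjectX500Principal());
            conn.disconnect();
            return Result.TRUSTED;
        } catch (SSLHandshakeException e) {
            // Typically "PKIX path building failed": no trusted CA for this chain.
            System.out.println("handshake rejected: " + e.getMessage());
            return Result.UNTRUSTED_CERT;
        } catch (IOException e) {
            System.out.println("connection error: " + e.getMessage());
            return Result.OTHER_ERROR;
        }
    }

    public static void main(String[] args) {
        // Placeholder host; pass the real CAS login URL as the first argument.
        String url = args.length > 0 ? args[0] : "https://cas.example.edu/cas/login";
        System.out.println("trustStore = "
            + System.getProperty("javax.net.ssl.trustStore", "<JVM default cacerts>"));
        Result r = probe(url);
        System.out.println(url + " -> " + r);
        if (r == Result.UNTRUSTED_CERT) {
            System.out.println("Import the CAS server's CA with keytool and point"
                + " -Djavax.net.ssl.trustStore at that keystore.");
        }
    }
}
```

Run it with `java -Djavax.net.ssl.trustStore=/path/to/truststore.jks CasTrustProbe https://cas.yourschool.edu/cas/login` to confirm the trust store the filters will use actually accepts the server's chain.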
