> What are the ramifications of allowing an application to use http as defined
> in the service manager?

It simply means the ST will be delivered to the client over http, so it would be vulnerable to interception. Under normal circumstances the ST is single use and has a validity window measured in seconds, so that's a pretty small attack window.

> My gut feeling says this is wrong

Trust your gut. Lean on your vendor to do the right thing and run over SSL. It's not so much interception of the ST as general vulnerability to data theft transmitted in the clear. Why have authentication at all if the subsequent data provided by the app is easy to steal?

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
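As an added example, not part of the thread or of CAS itself: a small audit script in the spirit of the reply above that reads service-registry entries (assumed here to be a JSON list with "id", "name" and a "serviceId" regex; the sample registry is constructed) and reports every pattern that lets a service be reached over plaintext http, suggesting an https-only rewrite where that is mechanical.

```python
"""Flag service-registry patterns that admit plaintext http service URLs.
Added example; assumes JSON entries {"id", "name", "serviceId"} where
serviceId is a regex matched against the service URL. Not CAS project code."""
import json
import re
from typing import Optional

# Scheme prefix of a pattern: "^https://", "https?://", "^http(s)?://", ...
_SCHEME_RE = re.compile(r"^(\^?)(https?\??|http\(s\)\?)://")

def _normalise(pattern: str) -> str:
    # Authors often escape slashes in regexes; treat "\/" as "/" first.
    return pattern.replace(r"\/", "/")

def plaintext_reason(service_id: str) -> Optional[str]:
    """Why the pattern may match an http:// URL, or None if it is provably
    https-only. Conservative: anything not starting with literal https://."""
    m = _SCHEME_RE.match(_normalise(service_id))
    if m is None:
        return "no explicit scheme; any URL scheme can match"
    if m.group(2) == "https":
        return None
    return "scheme part %r also matches http://" % m.group(2)

def suggest_fix(service_id: str) -> Optional[str]:
    """Rewrite an http-permitting scheme prefix to literal https://; None
    when the pattern has no explicit scheme to rewrite."""
    norm = _normalise(service_id)
    if _SCHEME_RE.match(norm) is None:
        return None
    return _SCHEME_RE.sub(r"\1https://", norm, count=1)

def audit_registry(registry_json: str) -> list:
    """One finding per entry whose serviceId admits plaintext http."""
    findings = []
    for e in json.loads(registry_json):
        reason = plaintext_reason(e["serviceId"])
        if reason is not None:
            findings.append({"id": e["id"], "name": e["name"], "reason": reason,
                             "serviceId": e["serviceId"],
                             "suggested": suggest_fix(e["serviceId"])})
    return findings

# Constructed sample registry (not from the original thread).
SAMPLE_REGISTRY = json.dumps([
    {"id": 1, "name": "HR portal", "serviceId": r"^https://hr\.example\.test/.*"},
    {"id": 2, "name": "Legacy wiki", "serviceId": r"^http://wiki\.example\.test/.*"},
    {"id": 3, "name": "Dev hosts", "serviceId": r"^https?://.*\.dev\.example\.test/.*"},
    {"id": 4, "name": "Catch-all", "serviceId": r".*\.example\.test/.*"},
])

if __name__ == "__main__":
    for f in audit_registry(SAMPLE_REGISTRY):
        print(f"[{f['id']}] {f['name']}: {f['reason']} -> {f['suggested']}")
```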
