A) Yes. This is done using a special validation filter that is part of the CAS client, [1] in conjunction with the attribute repository that is configured inside the CAS deployerConfigContext.xml file.

B) This is done through the CAS Service Registry, which defines which applications/services are allowed to talk to CAS. [2]

[1] https://wiki.jasig.org/display/CASC/Saml11TicketValidationFilter+Example
[2] https://wiki.jasig.org/display/CASUM/Services+Management

-Misagh

On 5/23/2012 10:01 AM, Myn Harry wrote:
> Hi List:
>
> Thank you very much for all your help.
>
> I have security/workflow questions that I am not sure if it is due to my beginner understanding of CAS.
>
> My understanding of CAS workflow, whereby user is authenticating to application via CAS, is as follows:
>
> 1 - User accesses protected page on application; application redirects user to CAS for authentication
> 2 - User successfully authenticates in CAS and is redirected back to application.
> 3 - The application calls CAS to retrieve the user's attributes (e.g. student number)
>
> For point 3 above, assuming my described flow is correct:
>
> A) Does the application, at point 3, call an API on CAS to retrieve the user's attributes?
> B) How does CAS prevent an unauthorized application, spoofing a legitimate application, from using CAS for authentication?
>
> Thanks.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
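The following deployerConfigContext.xml fragment is added here to illustrate both answers above; it is an example written for this page, not configuration taken from the thread or from the CAS project's documentation. It assumes a CAS 3.x server of the kind in use when this thread was written, where the attribute repository and the in-memory service registry are Spring beans in deployerConfigContext.xml. The host name portal.example.edu, the attribute names and the service ids are placeholders.

```xml
<!-- Added example fragment of deployerConfigContext.xml (CAS 3.x era).
     Host names, attribute names and service ids are placeholders. -->

<!-- (A) Attribute repository: the source of the attributes CAS releases to
     a client after ticket validation. StubPersonAttributeDao returns the
     same fixed map for every user and is only useful for testing; a real
     deployment points this bean at an LDAP or JDBC backed PersonAttributeDao. -->
<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
        <map>
            <entry key="uid" value="uid" />
            <entry key="studentNumber" value="studentNumber" />
            <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        </map>
    </property>
</bean>

<!-- (B) Service registry: CAS issues a service ticket only when the "service"
     URL presented by the client matches a registered serviceId pattern, and
     the SAML 1.1 validation response carries only the attributes listed in
     that service's allowedAttributes. -->
<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
        <list>
            <!-- Weak setting (shown commented out): the catch-all pattern that
                 ships as an example accepts any HTTP(S)/IMAP(S) URL, so any
                 application a user can be redirected to may obtain tickets
                 and whatever attributes are released. Remove or narrow it. -->
            <!--
            <bean class="org.jasig.cas.services.RegexRegisteredService">
                <property name="id" value="0" />
                <property name="name" value="HTTP and IMAP" />
                <property name="serviceId" value="^(https?|imaps?)://.*" />
                <property name="evaluationOrder" value="10000001" />
            </bean>
            -->

            <!-- Hardened setting: anchor the pattern to one HTTPS host and path
                 and release only the attribute this application needs. -->
            <bean class="org.jasig.cas.services.RegexRegisteredService">
                <property name="id" value="1" />
                <property name="name" value="Student portal" />
                <property name="description"
                          value="Placeholder application; needs studentNumber only" />
                <property name="serviceId" value="^https://portal\.example\.edu/.*" />
                <property name="evaluationOrder" value="1" />
                <property name="allowedAttributes">
                    <list>
                        <value>studentNumber</value>
                    </list>
                </property>
            </bean>
        </list>
    </property>
</bean>
```

Two points worth checking in a real deployment. First, the attributeRepository bean only takes effect when the principal resolver in the authentication manager references it (in CAS 3.x the UsernamePasswordCredentialsToPrincipalResolver bean has an attributeRepository property for this); otherwise the validation response contains no attributes at all. Second, the service registry decides which URLs a service ticket may be delivered to, and the ticket reaches the application only by redirecting the user's browser to that URL; an application that cannot answer at a registered URL never receives a ticket, and one that does must still validate it server-side over HTTPS, which on the client is what the Saml11TicketValidationFilter from link [1] does before exposing the attributes through AttributePrincipal.getAttributes().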
