I think I don't follow you; anyway, here's some source code that I have found on GitHub:
https://github.com/Jasig/java-cas-client/blob/master/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationFilter.java

2012/11/9 Venkat <[email protected]>

> Hi,
>
> I have a question about JSESSIONID in URLs.
> We have a web-app in JBoss secured through CAS.
> The clients get TGT and ST (Service Ticket) passing the service URL.
> When they make the first call using ST, they get back the JSESSIONID
> in the redirected URL.
> Clients use JSESSIONID for all subsequent URLs that are supported by the
> webapp and all calls work fine with no need to get a new ST. The question is
> how secure is it to use JSESSIONID. For all subsequent URLs, is CAS
> validation happening on JSESSIONID or is CAS completely bypassed and not
> redirected at all? Just wondering how CAS Validation filters work with
> JSESSIONID.
>
> Thanks
> Venkat
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

--
Carlos
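
Added example, not part of either message and not the project's code: a simplified, servlet-free model of the per-request decision the linked AuthenticationFilter makes, showing what happens to the requests in the question once a session exists. The class name, the `gate` and `sessionAfterValidation` helpers, the in-memory session table and the sample ticket and principal are assumptions made for illustration; `_const_cas_assertion_` is the session attribute the Java CAS client uses for the validated assertion.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class CasSessionGateSketch {
    // Session attribute under which the Java CAS client keeps the validated assertion.
    static final String CONST_CAS_ASSERTION = "_const_cas_assertion_";

    enum Decision { PASS_THROUGH, HAND_TO_TICKET_VALIDATION, REDIRECT_TO_CAS_LOGIN }

    // Constructed stand-in for the container's session table: JSESSIONID -> attributes.
    static final Map<String, Map<String, Object>> SESSIONS = new HashMap<>();

    // Simplified model of the authentication filter's per-request decision.
    static Decision gate(String jsessionId, String ticketParam) {
        Map<String, Object> session = jsessionId == null ? null : SESSIONS.get(jsessionId);
        if (session != null && session.get(CONST_CAS_ASSERTION) != null) {
            return Decision.PASS_THROUGH; // served from the local session, CAS is not contacted
        }
        if (ticketParam != null && !ticketParam.isEmpty()) {
            return Decision.HAND_TO_TICKET_VALIDATION; // ST is checked against the CAS server
        }
        return Decision.REDIRECT_TO_CAS_LOGIN;
    }

    // Hypothetical stand-in for the ticket validation filter after CAS accepts the ST:
    // the assertion is stored in a new session and the container issues its JSESSIONID.
    static String sessionAfterValidation(String principal) {
        String jsessionId = UUID.randomUUID().toString();
        Map<String, Object> attrs = new HashMap<>();
        attrs.put(CONST_CAS_ASSERTION, principal);
        SESSIONS.put(jsessionId, attrs);
        return jsessionId;
    }

    public static void main(String[] args) {
        // Constructed request sequence matching the flow in the question.
        System.out.println(gate(null, null));               // first hit: no session, no ticket
        System.out.println(gate(null, "ST-1-constructed")); // call carrying the service ticket
        String id = sessionAfterValidation("venkat");       // validation succeeded
        System.out.println(gate(id, null));                 // later call with JSESSIONID only
        SESSIONS.remove(id);                                // session expired or invalidated
        System.out.println(gate(id, null));                 // same JSESSIONID after expiry
    }
}
```

Because the gate trusts the local session alone, the JSESSIONID acts as a bearer credential for the lifetime of that session, which is the reason to keep it in a cookie over HTTPS instead of in the URL.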
