Hello,

We are considering using a CAS server as the Shibboleth IdP's external authenticator. We found Unicon's 'shib-cas-authenticator' project on GitHub (https://github.com/Unicon/shib-cas-authenticator), which is also referenced in the CAS wiki.

I have a question regarding the 'shib-cas-authenticator' implementation. I see that after successful ST validation by the CAS client, net.unicon.idp.casauth.CasAuthenticatorResource.java (in the CAS-client-protected casauth.war) creates a redirect response with a redirect location pointing to the IdP. This redirect location URL also contains the username in the query string. A malicious or compromised user agent can skip the redirect and send a GET request to the IdP's callback servlet using some other username instead of the one the CAS client validated earlier. The IdP's external authenticator facility will not be aware of this and will go forward as usual with the changed username.

My question is: is it the implementor's responsibility to ensure the secure delivery of the username to the callback servlet (e.g. by digitally signing the query parameter), which is neither documented nor implemented? Am I missing something here?

Thanks,
Mahbub

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
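The tampering described in the post, and one way a deployer could close it, as an added example. This is not code from the shib-cas-authenticator project (which is Java); it is a stand-alone Python sketch of the redirect exchange. The callback URL, the shared key between casauth.war and the IdP callback servlet, the parameter names `issued`, `nonce` and `sig`, and the 60-second validity window are all assumptions for illustration. The unsigned version reproduces the problem (the user agent rewrites `username` and the callback accepts it); the signed version carries an HMAC over username, issue time and a nonce, so a changed username, an expired token or a replayed token is rejected before the IdP continues its login flow.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the IdP external-auth callback and a key shared only between
# the CAS-protected casauth.war and the IdP callback servlet (not real config).
CALLBACK = "https://idp.example.edu/idp/Authn/External"
SHARED_KEY = b"example-shared-key-replace-in-deployment"
MAX_AGE_SECONDS = 60   # how long a signed redirect stays valid
CLOCK_SKEW_SECONDS = 5 # tolerated difference between the two clocks


def build_unsigned_redirect(username):
    """The pattern the post describes: username travels bare in the query string."""
    return CALLBACK + "?" + urlencode({"username": username})


def parse_unsigned(url):
    """A callback that trusts whatever the user agent sends back."""
    return parse_qs(urlparse(url).query)["username"][0]


def tamper(url, new_username):
    """What a malicious user agent does: rewrite username, keep every other parameter."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    params["username"] = new_username
    return CALLBACK + "?" + urlencode(params)


def _tag(username, issued, nonce):
    # HMAC-SHA256 over the fields the callback will act on, with an unambiguous separator.
    msg = "|".join([username, str(issued), nonce]).encode("utf-8")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_signed_redirect(username, now=None):
    """casauth.war side: bind the validated username to a fresh nonce and a timestamp."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    params = {
        "username": username,
        "issued": issued,
        "nonce": nonce,
        "sig": _tag(username, issued, nonce),
    }
    return CALLBACK + "?" + urlencode(params)


def verify_signed(url, seen_nonces, now=None):
    """IdP callback side: return the username only if the signed bundle is intact,
    fresh and not replayed; otherwise return None (the IdP must then fail the login)."""
    q = parse_qs(urlparse(url).query)
    try:
        username = q["username"][0]
        issued = int(q["issued"][0])
        nonce = q["nonce"][0]
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None
    # Constant-time comparison: the user agent must not learn how many bytes matched.
    if not hmac.compare_digest(sig, _tag(username, issued, nonce)):
        return None
    now = now if now is not None else time.time()
    if now - issued > MAX_AGE_SECONDS or issued - now > CLOCK_SKEW_SECONDS:
        return None
    if nonce in seen_nonces:   # same signed redirect presented twice
        return None
    seen_nonces.add(nonce)
    return username


if __name__ == "__main__":
    # Unsigned: the callback happily accepts the rewritten username.
    print("unsigned ->", parse_unsigned(tamper(build_unsigned_redirect("mahbub"), "admin")))
    # Signed: the rewritten username fails the HMAC check.
    seen = set()
    url = build_signed_redirect("mahbub")
    print("signed, intact ->", verify_signed(url, seen))
    print("signed, tampered ->", verify_signed(tamper(url, "admin"), seen))
    print("signed, replayed ->", verify_signed(url, seen))
```

The signature only proves that casauth.war produced the bundle; it does not by itself tie the bundle to the browser session that started the IdP login, so an IdP deployment would still want to bind the callback to its own conversation state (the same session that was redirected out to CAS) rather than accept any valid bundle from any client. The nonce cache here is an in-memory set for illustration; a clustered IdP needs a shared store or a short enough window that per-node memory is acceptable.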
