I was curious if there is a requirement (or if it is highly recommended) that clients using CAS/SSO be encrypted with an SSL certificate (i.e. https). Since CAS does the authentication piece, is there still a need to require SSL on the clients?
The one part of the equation that I see as a risk is someone intercepting the ticket URL parameter and then posing as the client to pull back the attribute XML on the validate call. Or is the ticket parameter so short-lived that this is not a concern?

-Adam
