Hi,

SSL is the heart of security: the CAS server absolutely requires it to protect passwords, CASTGC cookies...

When critical information is transported between the CAS server and a client application, it should be protected. This is the case for the service ticket: when the service ticket is sent back to the client application, it has to be protected. The short lifetime of the ST is somewhat of a protection, but I would recommend using SSL anyway. Sometimes it might be acceptable not to use SSL for some non-critical client applications (not acting as proxy). If a CAS service acts as a proxy, the proxy callback URL must always be accessed through SSL, as the PGT is transported on this URL.

Best regards,
Jérôme

2014-03-10 12:52 GMT+01:00 Adam Causey <[email protected]>:
> I was curious if there is a requirement (or if it is highly recommended)
> that clients using CAS/SSO be encrypted with an SSL certificate (i.e.
> https). Since CAS does the authentication piece, is there still a need to
> require SSL on the clients?
>
> The one part of the equation that I see as a risk is someone intercepting
> the ticket URL parameter and then posing as the client to pull back the
> attribute XML on the validate call. Or is the ticket parameter so
> short-lived that this is not a concern?
>
> -Adam
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
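Added illustration for the exchange above; this is not code from the thread or from the JA-SIG/Apereo CAS server. It is a toy Python model of the /serviceValidate rules that make the short-lived service ticket "somewhat of a protection": one-time use, a short lifetime, binding to the service it was issued for, and an https-only proxy callback. The registry, the assumed 10-second lifetime, the hostnames and the reason strings are all constructed for the example. It shows that if a client is reached over http://, an on-path attacker who reads the ?ticket= parameter and validates it first does get the user's identity back, and the legitimate client is the one that fails.

```python
"""Toy model of CAS service-ticket (ST) validation, added to this thread as
an illustration; it is not the JA-SIG/Apereo CAS server's own code.  The
registry, the 10-second ST lifetime, the hostnames and the reason strings
are assumptions chosen to mirror the /serviceValidate rules the thread
discusses: one-time use, short life, binding to a service, and an https-only
proxy callback (pgtUrl)."""
import secrets
import time
from urllib.parse import urlsplit

ST_LIFETIME_SECONDS = 10  # assumed value; real deployments configure their own


class FakeClock:
    """Controllable clock so the expiry case can be demonstrated offline."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class TicketRegistry:
    """Minimal stand-in for the CAS server's ticket registry."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self._tickets = {}  # ticket id -> (service, user, issued_at)

    def grant_service_ticket(self, service, user):
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (service, user, self.clock())
        return st

    def validate(self, service, ticket, pgt_url=None):
        """Model of /serviceValidate.  The ST is consumed on first use
        whether or not the remaining checks pass, so whoever presents it
        first gets the answer."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return {"ok": False, "reason": "INVALID_TICKET"}
        issued_service, user, issued_at = entry
        if self.clock() - issued_at > ST_LIFETIME_SECONDS:
            return {"ok": False, "reason": "INVALID_TICKET_EXPIRED"}
        if issued_service != service:
            return {"ok": False, "reason": "INVALID_SERVICE"}
        if pgt_url is not None and urlsplit(pgt_url).scheme != "https":
            # The PGT would be sent to this URL; refuse cleartext callbacks.
            return {"ok": False, "reason": "INVALID_PROXY_CALLBACK"}
        return {"ok": True, "user": user}


CLEARTEXT_SERVICE = "http://app.example.org/login"  # assumed non-SSL client


def scenario_intercepted_ticket():
    """The risk raised in the question: the browser is redirected to the
    client over http://, so an on-path attacker reads ?ticket=ST-... and
    calls /serviceValidate before the real client does."""
    reg = TicketRegistry(FakeClock())
    st = reg.grant_service_ticket(CLEARTEXT_SERVICE, "alice")
    attacker = reg.validate(CLEARTEXT_SERVICE, st)  # attacker wins the race
    client = reg.validate(CLEARTEXT_SERVICE, st)    # real client now fails
    return attacker, client


def scenario_expired_ticket():
    """The short lifetime closes the window once it has elapsed."""
    clock = FakeClock()
    reg = TicketRegistry(clock)
    st = reg.grant_service_ticket(CLEARTEXT_SERVICE, "alice")
    clock.advance(ST_LIFETIME_SECONDS + 1)
    return reg.validate(CLEARTEXT_SERVICE, st)


def scenario_proxy_callback():
    """A proxying service must offer an https pgtUrl; http is refused."""
    reg = TicketRegistry(FakeClock())
    results = {}
    for scheme in ("http", "https"):
        st = reg.grant_service_ticket(CLEARTEXT_SERVICE, "alice")
        results[scheme] = reg.validate(
            CLEARTEXT_SERVICE, st,
            pgt_url=f"{scheme}://proxy.example.org/pgtCallback")
    return results


if __name__ == "__main__":
    print("intercepted:", scenario_intercepted_ticket())
    print("expired:", scenario_expired_ticket())
    print("proxy callback:", scenario_proxy_callback())
```

The point of the first scenario is that single use and the short lifetime turn the interception into a race, not a non-issue: if the attacker's validate call arrives first, the attacker receives the user (and any released attributes) and the legitimate client gets INVALID_TICKET; only when the client validates first does the attacker lose. Serving the client over https removes the race by keeping the ticket off the wire, which is the recommendation in the reply above. The last scenario mirrors the stricter rule for proxies: the PGT is delivered to the callback URL, so a cleartext pgtUrl is rejected outright.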
