Can someone explain to me how #2 is not a CAS *server* issue? There weren't any examples given. For #1, I can see how if you are running CAS open to all services you could trick someone into using the wrong service. However, for #2, I have a hard time seeing how the server would allow you to request a ticket for A and then use it for B. Is the idea that the client is *really* requesting a ticket for B in the first place?
Thanks,
Carl Waldbieser

>> 1. A malicious service that can obtain a valid ticket can use it to
>> access another service in violation of the CAS protocol requirement
>> that a ticket issued for a service can only be used to access the
>> service for which the ticket was granted. This type of access amounts
>> to an illicit proxy: the attacker is proxying authentication for the
>> target.
>>
>> 2. A malicious user can request a ticket for service A and use it to
>> access service B with the access privileges of A.

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
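The quoted requirement, that a ticket granted for one service is only honoured for that service, comes down to a server-side check at validation time: the ticket registry records the service URL the ticket was issued for, and the validation endpoint compares it against the `service` parameter presented by whoever is redeeming the ticket. The toy registry below is an added example written for this thread, not code from the CAS server or from anyone on the list; the class and method names, the 10-second lifetime, and the sample principal and service URLs are constructed for illustration. The error strings are modelled on the CAS protocol's `INVALID_TICKET` / `INVALID_SERVICE` codes. It shows why a ticket granted for service A is useless at service B when the check is in place, and that the failed attempt also consumes the ticket.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class ServiceTicket:
    """Server-side record of a granted service ticket (constructed example)."""
    service: str       # the service URL the ticket was granted for
    principal: str     # the authenticated user
    issued_at: float   # epoch seconds at grant time
    used: bool = False


class TicketRegistry:
    """Minimal CAS-style ticket registry; an illustration, not CAS server code."""

    TTL_SECONDS = 10  # assumed lifetime for a service ticket

    def __init__(self):
        self._tickets = {}

    def grant(self, principal, service):
        """Issue an unguessable ticket id bound to exactly one service URL."""
        ticket_id = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket_id] = ServiceTicket(
            service=service, principal=principal, issued_at=time.time()
        )
        return ticket_id

    def validate(self, ticket_id, service, now=None):
        """Validate a ticket the way a /serviceValidate endpoint would.

        Returns (True, principal) on success or (False, error_code) otherwise.
        The ticket is removed on the first validation attempt, whatever the
        outcome, so a rejected attempt at service B cannot be retried at A.
        """
        now = time.time() if now is None else now
        record = self._tickets.pop(ticket_id, None)
        if record is None:
            return (False, "INVALID_TICKET")
        if now - record.issued_at > self.TTL_SECONDS:
            return (False, "INVALID_TICKET")
        # The binding check: the presenting service must be the granting service.
        if record.service != service:
            return (False, "INVALID_SERVICE")
        return (True, record.principal)


def demo():
    """Ticket granted for A, presented by B: rejected with INVALID_SERVICE."""
    registry = TicketRegistry()
    ticket = registry.grant("alice", "https://a.example.edu/login")
    return registry.validate(ticket, "https://b.example.edu/login")
```

Real deployments compare the service URL after normalisation and against a registered-services whitelist, not by raw string equality; the exact comparison here is just enough to show where the check sits and why the outcome of the scenario in point 2 depends on the server enforcing it.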