Cesare, If you use a service registry, CAS should respect it for both login and logout service redirects.
Thanks,
Carl Waldbieser

On Sep 15, 2014 6:33 PM, "cp" <[email protected]> wrote:
> I have deployed a web application that uses CAS 3.5.2 for single sign-on.
> The web application uses the Spring Security CAS authentication facility.
> Recently an internal audit found out that it is possible to spoof the
> application because of unvalidated URL redirects during login and logout.
> How can I mitigate this issue?
>
> I've found a similar issue here, for example:
>
> https://www.liferay.com/community/security-team/known-vulnerabilities/-/asset_publisher/T8Ei/content/id/40694045
>
> see LPS-47482.
>
> Regards,
> Cesare
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
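As an added illustration of the service registry Carl refers to (not code from either message), this deployerConfigContext.xml fragment for CAS 3.5.x replaces the default catch-all registration with a single entry that accepts only the application's own URLs as a service; the host app.example.org is a placeholder.

```xml
<!-- Added example, not from the thread. CAS 3.5.x deployerConfigContext.xml:
     an in-memory service registry with one registered service. The stock
     configuration registers "**", which matches any URL and so lets an
     attacker-supplied service parameter become a redirect target. -->
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <!-- Regex-based entry: only https URLs on the application's own host
           (placeholder host app.example.org) are accepted as a service. -->
      <bean class="org.jasig.cas.services.RegexRegisteredService">
        <property name="id" value="0" />
        <property name="name" value="Intranet application (placeholder)" />
        <property name="description" value="The only permitted login/logout redirect target" />
        <property name="serviceId" value="^https://app\.example\.org/.*" />
        <property name="enabled" value="true" />
        <property name="ssoEnabled" value="true" />
        <property name="allowedToProxy" value="false" />
        <property name="evaluationOrder" value="0" />
      </bean>
    </list>
  </property>
</bean>
```

Requests whose service parameter does not match a registered entry are rejected by CAS instead of being followed, so a pentest should confirm that a foreign host in the service parameter produces an error page rather than a redirect.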
