I second what Andy says, and just want to add that service ticket validation is the necessary step in a secure CAS protocol, and the simple answer is - “no, you cannot skip the ST validation step”.
Best,
Dmitriy.

> On Jun 29, 2015, at 3:55 PM, Andrew Morgan <[email protected]> wrote:
>
> On Mon, 29 Jun 2015, Ajay Madhavan wrote:
>
>> I want to skip service validation. I want to distribute the validation
>> among all my webapps where I can obtain the username from the service
>> ticket.
>>
>> I still want to use CAS for service ticket generation.
>
> If you don't validate the ST over a back-channel connection, then how do you
> prevent someone from spoofing the username? An attacker could put whatever
> they want in the ST value to become any other user.
>
> Validating the ST is a necessary step for security.
>
> I don't understand what you mean by "distribute the validation among all my
> webapps".
>
> Andy
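
The back-channel validation discussed in this thread, as an added example that is not part of the original messages or of any CAS client library: the webapp treats the ST as an opaque string, sends it to the CAS 2.0 `/serviceValidate` endpoint itself, and accepts only the username the server returns. Host names, ticket values, function names and the two sample responses are constructed assumptions.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace


class TicketRejected(Exception):
    """CAS did not vouch for the ticket; the request stays unauthenticated."""


def validation_url(cas_base, service, ticket):
    # The ticket is passed through as an opaque value; the webapp never decodes it.
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query


def parse_validation_response(xml_text):
    """Return the username asserted by CAS, or raise TicketRejected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise TicketRejected("UNPARSEABLE_RESPONSE") from exc
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "NO_RESULT"
    raise TicketRejected(code)


def validate_ticket(cas_base, service, ticket, timeout=5):
    # Back channel: the webapp connects to CAS over HTTPS on its own (urllib
    # verifies the certificate by default), so the browser cannot alter the answer.
    url = validation_url(cas_base, service, ticket)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_validation_response(resp.read().decode("utf-8"))


# Constructed sample responses in the CAS 2.0 format (not captured traffic).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jsmith</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Each webapp can run this check itself, but the username always comes from the server's response and never from the ticket string the browser presented.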
