I do have a secure mechanism to encrypt my service ticket with the public key and then decrypt it later using the private key.

Also there are multiple webapps which are being protected by the CAS service and I don't want the service validate to be a bottleneck for each of those webapps. I know service ticket generation does do that. But I want to see if I can skip service validation at least.

Thanks
Ajay

On Mon, Jun 29, 2015 at 1:04 PM, Dmitriy Kopylenko <[email protected]> wrote:

> I second what Andy says, and just want to add that service ticket
> validation is the necessary step in a secure CAS protocol, and the simple
> answer is - “no, you cannot skip the ST validation step”.
>
> Best,
> Dmitriy.
>
> > On Jun 29, 2015, at 3:55 PM, Andrew Morgan <[email protected]> wrote:
> >
> > On Mon, 29 Jun 2015, Ajay Madhavan wrote:
> >
> >> I want to skip service validation. I want to distribute the validation
> >> among all my webapps where I can obtain the username from the service
> >> ticket.
> >>
> >> I still want to use CAS for service ticket generation.
> >
> > If you don't validate the ST over a back-channel connection, then how do
> > you prevent someone from spoofing the username? An attacker could put
> > whatever they want in the ST value to become any other user.
> >
> > Validating the ST is a necessary step for security.
> >
> > I don't understand what you mean by "distribute the validation among all
> > my webapps".
> >
> > Andy
> >
> > --
> > You are currently subscribed to [email protected] as: [email protected]
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
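The back-channel validation step Andy and Dmitriy describe, as an added example that is not from the thread or the CAS project: a toy in-memory model in which the CAS side mints an opaque service ticket and the webapp's validation call recovers the username from the server's own registry, never from the ticket string, so a forged, replayed, mis-targeted or expired ST yields no identity. The function names, the in-memory store and the 10-second lifetime are assumptions for illustration.

```python
import secrets
import time

# Constructed in-memory registry standing in for the CAS server's ticket store
# (assumption for this example; a real deployment uses the server's ticket registry).
# Key: ticket id; value: service it was issued for, user, issue time, consumed flag.
_TICKETS = {}
ST_LIFETIME_SECONDS = 10  # STs are short-lived; this value is chosen for the example


def issue_service_ticket(service: str, user: str, now: float = None) -> str:
    """CAS side: mint an opaque, unguessable ST bound to one service and one user.

    The ticket string carries no username; the identity lives only in the
    server-side registry, so a client cannot rewrite the ticket into another user.
    """
    now = time.time() if now is None else now
    ticket = "ST-" + secrets.token_urlsafe(24)
    _TICKETS[ticket] = {"service": service, "user": user,
                        "issued": now, "consumed": False}
    return ticket


def validate_service_ticket(ticket: str, service: str, now: float = None):
    """Webapp side: the back-channel /serviceValidate analogue that cannot be skipped.

    Returns the authenticated username, or None when the ticket is unknown
    (forged), already used (replay), bound to a different service, or expired.
    """
    now = time.time() if now is None else now
    entry = _TICKETS.get(ticket)
    if entry is None:            # never issued by the server: forged or mistyped
        return None
    if entry["consumed"]:        # one-time use: a second presentation is a replay
        return None
    entry["consumed"] = True     # burn the ticket before any further check
    if entry["service"] != service:
        return None              # issued for another service URL
    if now - entry["issued"] > ST_LIFETIME_SECONDS:
        return None              # expired
    return entry["user"]


if __name__ == "__main__":
    app = "https://app.example/login"
    st = issue_service_ticket(app, "alice")
    print(validate_service_ticket(st, app))          # alice
    print(validate_service_ticket(st, app))          # None (replay)
    print(validate_service_ticket("ST-admin", app))  # None (forged)
```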
