> Let's say for some reason the client application didn't validate
> the ticket with the CAS (assuming the client application server went down).
> Because of this, the usage count for this ticket in the CAS server is still 0.
> That means the ticket is still active in the CAS server. In the meantime
> someone gets hold of this ticket (don't ask me how) and enters the
> above URL in their new browser session. Since the validation
> communication happens directly between the client application and the CAS server,
> will the CAS server validate this ticket?

Yes. Service tickets can be validated once and only once. They have a
relatively short expiration window, I believe five minutes by default. If
the Adversary gets hold of the service ticket within the window, he can
validate it against the CAS server and get the validation response.

> If not, please let me know how it is prevented,

Tickets expire aggressively, so the Adversary has a short window in which
to get the ticket.

You've asked me not to ask you how the Adversary is getting the service
ticket, but I have to ask anyway. How did the Adversary get the service
ticket?

If the client application service URL is an SSL'ed URL, then CAS is
directing the web browser to redirect to an SSL'ed URL, and at no point is
the service ticket exposed in the clear on the wire. So, in order to get
at the service ticket, the Adversary either hacked the web browser or the
client application. Either way, the Adversary could get at the username
of the end user. So validating the service ticket with CAS didn't get the
Adversary anything he couldn't have gotten anyway.

> if yes, is there a way to prevent it?

I suppose you could introduce client cert or other authentication of the
service ticket validation request, such that the CAS server would validate
service tickets only on validation requests where the presented client cert
(or other authentication mechanism) authenticates the Service associated
with the service ticket.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
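The three properties the reply relies on (a service ticket validates once and only once, it expires after a short window, and the proposed fix of authenticating the validation request as the service the ticket belongs to) can be seen side by side in a small model. The following is an added illustration written for this thread; it is not Yale CAS code and does not reproduce CAS internals. It assumes a 300-second lifetime (the reply only "believes" five minutes is the default), assumes the ticket is consumed on the first validation attempt whatever the outcome, uses a hypothetical service URL, and invents the `SERVICE_AUTH_REQUIRED` reason string, since requiring service authentication is a proposal rather than a protocol feature; `INVALID_TICKET` and `INVALID_SERVICE` follow the CAS 2.0 protocol's error codes.

```python
"""Toy model of CAS service-ticket validation.

Added illustration for the thread above; it is not Yale CAS code.  It
models the three points made in the reply:
  1. a service ticket validates once and only once,
  2. a ticket expires after a short window (300 s assumed, since the reply
     believes five minutes is the default),
  3. the proposed mitigation: require the validation request itself to be
     authenticated (e.g. by client certificate) as the service the ticket
     was issued for, so a ticket stolen from the browser redirect is
     useless to anyone who cannot present that service's credential.
"""
import secrets
from dataclasses import dataclass

TICKET_LIFETIME_SECONDS = 300  # assumption, not read from any CAS config

# The first two follow the CAS 2.0 protocol's error codes; the third is
# made up for this model, since requiring service authentication is a proposal.
INVALID_TICKET = "INVALID_TICKET"
INVALID_SERVICE = "INVALID_SERVICE"
SERVICE_AUTH_REQUIRED = "SERVICE_AUTH_REQUIRED"  # hypothetical code


class FakeClock:
    """Controllable clock so expiry can be demonstrated without sleeping."""
    def __init__(self):
        self.now = 1_000.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str      # service URL the ticket was issued for
    principal: str    # authenticated end user
    issued_at: float


class CasServer:
    def __init__(self, clock, ttl=TICKET_LIFETIME_SECONDS, require_service_auth=False):
        self._registry = {}
        self._clock = clock
        self._ttl = ttl
        self._require_service_auth = require_service_auth

    def issue(self, service, principal):
        """Mint a fresh, unpredictable service ticket bound to one service."""
        ticket_id = "ST-" + secrets.token_urlsafe(24)
        self._registry[ticket_id] = ServiceTicket(ticket_id, service, principal, self._clock())
        return ticket_id

    def validate(self, ticket_id, service, authenticated_service=None):
        """Return (True, principal) or (False, reason).

        authenticated_service is the identity proven by the validation
        request's own credential (e.g. the client cert's subject); None means
        the request was unauthenticated, which is all an adversary who only
        holds the ticket can send.
        """
        # Consumed on the first attempt whatever the outcome (modeling choice):
        # this is what makes the ticket single-use.
        ticket = self._registry.pop(ticket_id, None)
        if ticket is None:
            return False, INVALID_TICKET
        if self._clock() - ticket.issued_at > self._ttl:
            return False, INVALID_TICKET          # expired
        if service != ticket.service:
            return False, INVALID_SERVICE         # ticket bound to another service
        if self._require_service_auth and authenticated_service != ticket.service:
            return False, SERVICE_AUTH_REQUIRED   # caller could not prove it is the service
        return True, ticket.principal


SERVICE = "https://app.example.org/login"   # hypothetical client application


def stolen_ticket(require_service_auth, delay_seconds=0):
    """The thread's scenario: the app never validates, the adversary does.

    Returns the (ok, result) pair the adversary's unauthenticated validation
    request gets back, delay_seconds after the ticket was issued.
    """
    clock = FakeClock()
    cas = CasServer(clock, require_service_auth=require_service_auth)
    ticket_id = cas.issue(SERVICE, "alice")   # browser was redirected with this ticket
    clock.advance(delay_seconds)              # client app is down; ticket sits unused
    return cas.validate(ticket_id, SERVICE, authenticated_service=None)


def single_use():
    """Same ticket validated twice by the legitimate service: second attempt fails."""
    clock = FakeClock()
    cas = CasServer(clock)
    ticket_id = cas.issue(SERVICE, "alice")
    first = cas.validate(ticket_id, SERVICE)
    second = cas.validate(ticket_id, SERVICE)
    return first, second


if __name__ == "__main__":
    print("no service auth, within window :", stolen_ticket(False))        # (True, 'alice')
    print("no service auth, after 6 minutes:", stolen_ticket(False, 360))  # (False, 'INVALID_TICKET')
    print("service auth required           :", stolen_ticket(True))        # (False, 'SERVICE_AUTH_REQUIRED')
    print("replay by legitimate service    :", single_use())
```

Running the script shows the reply's answer directly: with the ticket unused and within its window, the unauthenticated adversary gets the principal back, because nothing in the plain validation request ties the caller to the service. Once the server demands that the validation request authenticate as the ticket's service, the same stolen ticket yields nothing, and the single-use and expiry rules cover the remaining cases.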
