(sorry I've been AWOL lately, will have a bunch of client code to submit next week - Steve)
A developer here asked a question I am not able to find a flaw with, so I thought I'd run it by the list. Assume that a user goes to a service, is redirected to the CAS server, and then on the redirect back, there is a man in the middle who catches the service name (from the request URL) and the ST. Blocking the genuine user's request, the MITM then sends the same ST to the service, who promptly validates and logs the bad guy in as the other user. This would work if the redirect from the CAS server is not done over SSL. I know by default CAS changes service URLs to SSL, but if there is a port number in the hostname it seems to NOT do so (probably because it can't know what port to go to).

Two questions come of this.

First is a simple configuration issue with the CAS server. Are my assumptions correct as to when CAS does NOT redirect to the service using SSL? I have one app that does not, and the only thing different about it is that its hostname is server.dartmouth.edu:8080.

Second, as a possible check against this, should the services be performing a minimal check that the client is who they originally were, say with an IP cache or something? Not perfect, but better than nothing if SSL isn't used.

Steve

_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
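The "IP cache" check from the second question, worked through as an added example (not code from the original post or from the CAS project): the service records which client IP started a login when it redirects to CAS, keyed by an opaque session id it would set as a cookie, and refuses to validate a returned ST unless the same session comes back from the same IP. The store, the TTL, the session-cookie assumption and the `validate` callback are all assumptions of this example.

```python
import secrets
import time

# Constructed in-memory store: session id -> (client ip, start time).
# Assumes the service sets this session id as a cookie when it redirects
# the browser to the CAS login page.
PENDING_LOGINS = {}
PENDING_TTL = 300  # seconds a pending login stays valid (assumed value)


def start_login(client_ip, now=None):
    """Called when the service redirects the browser to CAS.
    Remembers which IP began the login under a fresh session id."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    PENDING_LOGINS[session_id] = (client_ip, now)
    return session_id


def accept_ticket(session_id, client_ip, ticket, validate, now=None):
    """Called when the browser comes back with ?ticket=ST-...
    `validate` is the caller's real ST validation (e.g. a call to
    /serviceValidate) and is only invoked once the binding check passes.
    Returns (username, None) on success or (None, reason) on refusal."""
    now = time.time() if now is None else now
    entry = PENDING_LOGINS.get(session_id)
    if entry is None:
        return None, "no pending login for this session"
    origin_ip, started = entry
    if now - started > PENDING_TTL:
        PENDING_LOGINS.pop(session_id, None)
        return None, "pending login expired"
    if client_ip != origin_ip:
        # Ticket presented from a different address than started the login:
        # refuse, but leave the pending entry so the genuine user can still
        # complete the login if their request gets through.
        return None, "client address does not match the one that started login"
    # Consume the pending login so the same session cannot be replayed.
    PENDING_LOGINS.pop(session_id, None)
    user = validate(ticket)
    if user is None:
        return None, "CAS rejected the ticket"
    return user, None
```

As the post says, this is not perfect: a MITM who can also replay the session cookie from the same address, or who sits behind the same NAT as the user, still passes the check, so it only narrows the window when the redirect itself is not protected by SSL.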
