On Wed, 11 Oct 2006, Stephen A. Cochran wrote:

> This would work if the redirect from the CAS server is not done over
> SSL. I know by default CAS changes service URLs to SSL, but if there is
> a port number in the hostname it seems to NOT do so (probably because it
> can't know what port to go to).
I don't know about the new CAS code, but as of version 2, CAS allowed redirects to insecure (non-https) services on the assumption they wanted best-efforts authentication. But for the reasons you describe, CAS never guaranteed that such authentications were secure: if the service does not use https, the user cannot assume the server is authentic, the server cannot assume the user is authentic, and the traffic may be intercepted arbitrarily. This of course does not compromise the security of the central CAS server or other (https-protected) services that use CAS.

Shawn

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
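The service-URL handling discussed in this thread, as an added example that is not CAS's own code: a small Python check that mirrors the http-to-https rewrite Stephen describes (skipped when the URL carries an explicit port, which is an assumption about the version-2 behaviour) and then turns the insecure case into an explicit deployment policy instead of a silent best-effort fallback. The sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

def upgrade_service_url(url: str) -> str:
    """Rewrite http:// to https:// only when the URL has no explicit port.

    This reproduces the behaviour described in the thread (assumption:
    CAS 2 leaves URLs with an explicit port untouched because it cannot
    know which port speaks TLS).
    """
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.port is None:
        # SplitResult slices to a plain tuple, so rebuild with the new scheme.
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url

def is_secure_service(url: str) -> bool:
    """True only for a well-formed https URL with a host component."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def check_service(url: str, allow_insecure: bool = False) -> tuple:
    """Decide whether a CAS-style redirect to `url` should be issued.

    Returns (verdict, effective_url) where verdict is one of
    "ok" (https), "insecure" (non-https but explicitly allowed by policy)
    or "reject" (non-https and policy forbids best-effort authentication).
    """
    effective = upgrade_service_url(url)
    if is_secure_service(effective):
        return ("ok", effective)
    if allow_insecure:
        # Best-effort mode: neither party can trust the other and the
        # traffic may be intercepted, exactly the caveat Shawn raises.
        return ("insecure", effective)
    return ("reject", effective)

if __name__ == "__main__":
    for sample in ("http://app.example.edu/login",        # constructed
                   "http://app.example.edu:8080/login",   # constructed
                   "https://app.example.edu:8443/login"): # constructed
        print(sample, "->", check_service(sample))
```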
