The potential illicit proxy is made possible by the nuance of HTTP whereby the requestor specifies the hostname (among other information) in the header of the request. Relying upon the presenter of the service ticket to also specify the service identifier to check it against amounts to defeating the CAS feature of validating that tickets authenticate to the service that's actually trying to validate them. Any CAS client library relying on a requestor-provisioned HTTP header to define the service identifier will be vulnerable to a man-in-the-middle illicit proxy.
So no, it is not possible to avoid the CAS-using web application's having to know its own service identifier, independent of information it is getting from presenters of CAS tickets looking to authenticate to it. In the specific case of the Yale Java CAS Client JSP tag library, you set the expected service parameter value as a nested tag within the <cas:auth/>.

http://www.ja-sig.org/wiki/display/CASC/Using+the+CAS+JSP+tags

> Thank you Andrew.
> So, is it possible to avoid the serverName parameter by using jsp tag library
> method of casifying an App?
>
> Thanks again.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
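The illicit-proxy scenario described above, modeled as an added Python example (this is not code from the CAS project, the JSP tag library, or the original message): a minimal in-memory stand-in for the CAS server's login and CAS 1.0 /validate endpoints, a CAS client application that either derives its service identifier from the request's Host header or uses a configured serverName, and the man-in-the-middle proxy run against both configurations. The hostnames, path, netids, and the shape of the ticket store are constructed for the example.

```python
"""Model of a CAS 'illicit proxy' (man-in-the-middle) against a client that
derives its service identifier from the request's Host header, compared with
a client that uses a configured serverName. The CAS server below is a
constructed in-memory stand-in, not the real server; hostnames are made up."""
import secrets


class CasServer:
    """Stand-in for the CAS server's login redirect and CAS 1.0 /validate."""

    def __init__(self):
        self._tickets = {}  # ticket -> (service it was issued for, netid)

    def login(self, netid, service):
        """User authenticates and is sent back to `service` with a ticket.
        The ticket is bound to whatever service URL the browser arrived with,
        which is the proxy's URL when the user was lured through a proxy."""
        ticket = "ST-" + secrets.token_hex(8)
        self._tickets[ticket] = (service, netid)
        return ticket

    def validate(self, ticket, service):
        """CAS 1.0 /validate: 'yes\\n<netid>\\n' only if the ticket was issued
        to exactly the service presented; tickets are single-use."""
        issued_for, netid = self._tickets.pop(ticket, (None, None))
        if issued_for is not None and issued_for == service:
            return f"yes\n{netid}\n"
        return "no\n\n"


def parse_validate_response(body):
    """Return the netid from a CAS 1.0 'yes' response, else None."""
    lines = body.split("\n")
    return lines[1] if lines[0] == "yes" else None


class CasClientApp:
    """The CAS-using web application. With server_name=None it trusts the
    request's Host header for its service identifier (the vulnerable pattern
    described in the message); with server_name set it ignores Host."""

    def __init__(self, cas, server_name=None):
        self.cas = cas
        self.server_name = server_name

    def handle_callback(self, host_header, path, ticket):
        host = self.server_name or host_header
        service = f"https://{host}{path}"
        return parse_validate_response(self.cas.validate(ticket, service))


# Constructed names for the scenario.
REAL_APP = "app.example.edu"
EVIL_PROXY = "evil.example.net"
PATH = "/secure/home"


def illicit_proxy_attack(server_name):
    """Run the attack; returns the netid the app accepted, or None."""
    cas = CasServer()
    app = CasClientApp(cas, server_name=server_name)
    # 1. Victim is lured to the proxy, which relays to the real app. The proxy
    #    redirects the victim to CAS login with service= its own hostname, so
    #    the ticket CAS issues is bound to https://evil.example.net/secure/home.
    ticket = cas.login("victim", f"https://{EVIL_PROXY}{PATH}")
    # 2. The proxy forwards the ticket callback to the real app. Because the
    #    proxy is the requestor, it chooses the Host header: it names itself.
    return app.handle_callback(EVIL_PROXY, PATH, ticket)


def legitimate_login(server_name):
    """Control case: the browser talks to the real app directly."""
    cas = CasServer()
    app = CasClientApp(cas, server_name=server_name)
    ticket = cas.login("alice", f"https://{REAL_APP}{PATH}")
    return app.handle_callback(REAL_APP, PATH, ticket)


if __name__ == "__main__":
    print("Host-derived service, proxy attack accepted as:",
          illicit_proxy_attack(None))          # victim
    print("Configured serverName, proxy attack accepted as:",
          illicit_proxy_attack(REAL_APP))      # None
    print("Legitimate login with serverName:", legitimate_login(REAL_APP))
```

With the Host-derived service the app validates the ticket against the proxy's URL, which is exactly the URL the ticket was issued for, so CAS answers "yes" and the proxy ends up holding an authenticated session as the victim. With a configured serverName the app asks CAS about `https://app.example.edu/secure/home`, the ticket was not issued for that service, and validation fails; legitimate logins are unaffected in both configurations.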
