Javier,

[ I discovered if I place this TGT in a browser URL as a CAS parameter I can access a web as a validated user. ]

TGTs are security-sensitive and should not be exposed. CAS goes to some lengths to model these as "secure cookies" that will only be passed between browser and the CAS server and only via SSL. Your CAS integrations should similarly guard TGTs as if they were short-lived client-side SSL certificates, since in spirit, that's what they are.

In the typical case, one application authenticates via CAS to another application via proxy ticket, in the context of a real end user SSO interaction. If there's a CAS-using end user in the loop this is to be preferred, and it results in applications not interacting with the TGT (but instead having a PGT, which is also security sensitive and should be appropriately protected from exposure).

It is possible and has been done to use CAS to authenticate one application to another outside the context of end users. Rutgers does this in their WOLP (web online payment) system, about which I hope Scott can say a few words. It's a use story that would be worth better documenting in the CAS wiki.

It's not clear that it's useful for your web application to parse and use a TGT, since you can use whatever primary credentials authentication method that authenticated to your application to CAS. TGTs exist for end user convenience. Web applications are less impatient.

Adding the IP address to the TGT probably doesn't add reliable security -- remote address headers and IP addresses are in principle forgeable. More important is to protect access to the TGT than to expose the TGT and attempt heroics to keep the Adversary from using it once he's got his nefarious hands on it.

Andrew

Javier Leyba wrote:
> Hello
>
> I've been using an older CAS 2.x and I'm planning to update and
> enhance my SSO applications.
>
> I've developed two customized solutions: one as a "classical" filter
> protecting web pages and another one offering CAS SSO as web services.
>
> Consuming web services, my applications receive, after a valid login, a
> TGT. I discovered if I place this TGT in a browser URL as a CAS
> parameter I can access a web as a validated user. I found this
> dangerous and I wonder how to secure such a risk.
>
> Could I add the IP address to the TGT to prevent another user from using it? Any
> other idea/clue welcome...
>
> Thanks in advance
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
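As an added illustration of the point made in the reply above (example code written for this archive, not code from the CAS project or from either poster): an application boundary should only ever accept service or proxy tickets for validation and refuse a TGT or PGT handed in by a client, and a sweep of access logs can spot a TGT that has leaked into a URL. The ticket prefixes (`ST-`, `PT-`, `PGT-`, `TGT-`) are assumed to follow the usual CAS form, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: tickets carry the usual CAS prefixes (ST-, PT-, PGT-, TGT-).
TICKET_RE = re.compile(r"(TGT|PGT|ST|PT)-[A-Za-z0-9.\-]+")
CLIENT_PRESENTABLE = {"ST", "PT"}   # single-use tickets a browser or caller may hand in for validation
SERVER_SIDE_ONLY = {"TGT", "PGT"}   # granting tickets: must stay between CAS and the trusted backend


def ticket_kind(ticket):
    """Return the CAS ticket prefix ("ST", "PT", "PGT", "TGT") or None if not a ticket."""
    m = TICKET_RE.fullmatch(ticket)
    return m.group(1) if m else None


def accept_presented_ticket(ticket):
    """Boundary check for a ticket presented by a browser or calling application.

    Only service/proxy tickets go on to validation. A TGT or PGT arriving from a
    client means a granting ticket has been exposed, so it is refused, not honoured.
    """
    kind = ticket_kind(ticket)
    if kind in CLIENT_PRESENTABLE:
        return True, "validate %s ticket" % kind
    if kind in SERVER_SIDE_ONLY:
        return False, "refused: %s must not be presented by a client" % kind
    return False, "refused: not a CAS ticket"


def find_tgt_in_urls(log_lines):
    """Sweep access-log lines for request URLs whose query string carries a TGT.

    A TGT should never appear in any application URL; one that does has leaked
    (and now also sits in logs, browser history and Referer headers).
    Returns a list of (url, ticket) pairs.
    """
    hits = []
    for line in log_lines:
        for url in re.findall(r'"(?:GET|POST) (\S+)', line):
            for values in parse_qs(urlsplit(url).query).values():
                hits.extend((url, v) for v in values if ticket_kind(v) == "TGT")
    return hits


# Constructed sample log lines for the sweep (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2007:10:00:00 +0000] "GET /app/?ticket=ST-12-abc HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2007:10:00:01 +0000] "GET /app/?ticket=TGT-3-xyz-cas.example HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2007:10:00:02 +0000] "GET /app/static/logo.png HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for url, tgt in find_tgt_in_urls(SAMPLE_LOG):
        print("exposed TGT in URL:", url)
```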
