I apologize for this naive question-
I am looking at the cas client code (AuthenticationFilter.java) and I see that
if
1. a ticket doesn't exist AND
2. CONST_CAS_ASSERTION is not defined in the session AND
3. CONST_CAS_GATEWAY is not defined
then, the request is redirected to the cas server. What happens if someone
somehow sets a bogus ticket such that it appears that a ticket really exists?
Is something like this even possible? I mean, can one add a ticket to the
request from the middle of the network/client side such that
HttpServletRequest.getParameter("ticket") returns the bogus ticket when cas
client tries to get the "ticket" parameter from the request?
Thanks for your time.
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
