As long as you've configured the ValidationFilter then there's no problem.
If you haven't configured anything to validate tickets then that's an issue ;-)
-Scott
On 9/3/08, tedzo <[EMAIL PROTECTED]> wrote:
>
> I apologize for this naive question-
> I am looking at the cas client code (AuthenticationFilter.java) and I see
> that if
> 1. a ticket doesn't exist AND
> 2. CONST_CAS_ASSERTION is not defined in the session AND
> 3. CONST_CAS_GATEWAY is not defined
>
> then, the request is redirected to the cas server. What happens if someone
> somehow sets a bogus ticket such that it appears that a ticket really
> exists? Is something like this even possible? I mean, can one add a ticket
> to the request from the middle of the network/client side such that
> HttpServletRequest.getParameter("ticket") returns the bogus ticket when cas
> client tries to get the "ticket" parameter from the request?
>
> Thanks for your time.
>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
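
An added illustration of the setup described in the reply, not part of the original thread: a `web.xml` fragment that maps a ticket validation filter alongside the authentication filter. The class and init-param names assume the Jasig CAS client 3.1.x, and the host names are placeholders.

```xml
<!-- Added example, not from the thread. Host names are placeholders;
     class and parameter names assume the Jasig CAS client 3.1.x. -->

<!-- Only checks whether a "ticket" parameter, a session assertion or a
     gateway marker is present, and redirects to the CAS server if none is.
     It does not check that a ticket is genuine. -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://cas.example.org/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://app.example.org</param-value>
  </init-param>
</filter>

<!-- Sends the "ticket" parameter to the CAS server for validation and stores
     an assertion in the session only if the server accepts it. A ticket the
     server does not recognise fails validation, so no assertion is created.
     Without this filter nothing validates the ticket. -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.org/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://app.example.org</param-value>
  </init-param>
</filter>

<!-- Both filters must cover the same protected URLs. -->
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

When reviewing a deployment, confirm that every URL pattern mapped to the authentication filter is also mapped to a validation filter.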