Scott, Thank you for your response. Your answer initially threw me off and then I realized that I was looking at 3.1 client code while intending to look at 2.1.1 code. So, let me ask afresh- While looking at the AuthenticationFilter.java class I see that 1. if the ticket is null or empty AND 2. the session contains an attribute named CAS_FILTER_USER then, the request is not redirected to cas server, it is forwarded on. So, what happens if someone somehow sets a bogus value for CAS_FILTER_USER? Could one set a parameter from the client side/middle of the network? Thanks.
----- Original Message ---- From: Scott Battaglia <[EMAIL PROTECTED]> To: Yale CAS mailing list <[email protected]> Sent: Wednesday, September 3, 2008 2:38:17 PM Subject: Re: Security question about Cas client As long as you've configured the ValidationFilter then there's no problem. If you haven't configured anything to validate tickets then that's an issue ;-) -Scott On 9/3/08, tedzo <[EMAIL PROTECTED]> wrote: I apologize for this naive question- I am looking at the cas client code (AuthenticationFilter.java) and I see that if 1. a ticket doesn't exist AND 2. CONST_CAS_ASSERTION is not defined in the session AND 3. CONST_CAS_GATEWAY is not defined then, the request is redirected to the cas server. What happens if someone somehow sets a bogus ticket such that it appears that a ticket really exists? Is something like this even possible? I mean, can one add a ticket to the request from the middle of the network/client side such that HttpServletRequest.getParameter("ticket") returns the bogus ticket when cas client tries to get the "ticket" parameter from the request? Thanks for your time. _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia PGP Public Key Id: 0x383733AA LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
