I'm not too familiar with the Yale Client, but session state is supposed to be stored on the server side, so I don't know of a way to manipulate those parameters as part of the request.
-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Wed, Sep 3, 2008 at 6:43 PM, tedzo <[EMAIL PROTECTED]> wrote:
> Scott,
> Thank you for your response.
>
> Your answer initially threw me off and then I realized that I was looking
> at 3.1 client code while intending to look at 2.1.1 code. So, let me ask
> afresh-
> While looking at the AuthenticationFilter.java class I see that
> 1. if the ticket is null or empty AND
> 2. the session contains an attribute named CAS_FILTER_USER
>
> then, the request is not redirected to cas server, it is forwarded on. So,
> what happens if someone somehow sets a bogus value for
> CAS_FILTER_USER? Could one set a parameter from the client side/middle of
> the network?
>
> Thanks.
>
> ----- Original Message ----
> From: Scott Battaglia <[EMAIL PROTECTED]>
> To: Yale CAS mailing list <[email protected]>
> Sent: Wednesday, September 3, 2008 2:38:17 PM
> Subject: Re: Security question about Cas client
>
> As long as you've configured the ValidationFilter then there's no problem.
> If you haven't configured anything to validate tickets then that's an issue
> ;-)
>
> -Scott
>
>
> On 9/3/08, tedzo <[EMAIL PROTECTED]> wrote:
>>
>> I apologize for this naive question-
>> I am looking at the cas client code (AuthenticationFilter.java) and I see
>> that if
>> 1. a ticket doesn't exist AND
>> 2. CONST_CAS_ASSERTION is not defined in the session AND
>> 3. CONST_CAS_GATEWAY is not defined
>>
>> then, the request is redirected to the cas server. What happens if someone
>> somehow sets a bogus ticket such that it appears that a ticket really
>> exists? Is something like this even possible? I mean, can one add a ticket
>> to the request from the middle of the network/client side such that
>> HttpServletRequest.getParameter("ticket") returns the bogus ticket when cas
>> client tries to get the "ticket" parameter from the request?
>>
>> Thanks for your time.
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
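To make the server-side point concrete, here is an added sketch (my own, not the Yale CAS client's code) of the 2.1.1-style AuthenticationFilter decision tedzo describes: the `ticket` value is read from the request, but CAS_FILTER_USER is read from the container-managed HttpSession, which only code running on the server can populate. The attribute key string and the `casLoginUrl` init-param are assumptions for illustration.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration, not the Yale CAS client's own code. Only the name
// CAS_FILTER_USER comes from the thread; its key string and the init-param are assumed.
public class SessionCheckFilter implements Filter {
    public static final String CAS_FILTER_USER = "CAS_FILTER_USER"; // assumed key string
    private String casLoginUrl;

    public void init(FilterConfig cfg) {
        casLoginUrl = cfg.getInitParameter("casLoginUrl"); // assumed init-param
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Anything in the query string or body is client-controlled.
        String ticket = request.getParameter("ticket");

        // The session is container-managed state, looked up by the session
        // cookie; a request parameter named CAS_FILTER_USER never reaches it.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(CAS_FILTER_USER);

        if ((ticket == null || ticket.isEmpty()) && user != null) {
            chain.doFilter(request, response); // validated earlier in this session
            return;
        }
        if (ticket != null && !ticket.isEmpty()) {
            // A ticket is only a claim: it is worth nothing until the validation
            // step (the ValidationFilter in the thread) confirms it with the CAS
            // server and, on success, stores the user in the session. Without
            // that step a made-up ticket value would be accepted as-is.
            chain.doFilter(request, response);
            return;
        }
        // Neither a ticket nor a validated session: send the user to CAS.
        String service = URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
        response.sendRedirect(casLoginUrl + "?service=" + service);
    }

    public void destroy() {}
}
```

The check to make in a real deployment is that the filter which validates tickets is actually mapped in front of the protected paths, since the pass-through on a non-empty `ticket` is only safe when that validation runs.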
