JBossTicketRegistry injection of servicetickets
Scott Battaglia
scott.battaglia at gmail.com
Mon Nov 6 09:35:07 EST 2006
The JBossTicketRegistry utilizes multi-casting in order to efficiently
deliver the cache. First, we obviously only recommend you do multi-casting
on a "trusted network" (i.e. one you control). Second, you can enable
encryption in the JGroups configuration. More information on that can be
found here:
http://www.jgroups.org/javagroupsnew/docs/javadoc/org/jgroups/protocols/ENCRYPT.html
Does that help? We should probably update our javadocs to reflect this
information.
Thanks
-Scott
On 11/6/06, Frank Taffelt <frank.taffelt at interface-business.de> wrote:
>
> Hi,
>
> Today I made a small presentation about the usage of CAS in a project (CAS
> in a clustered environment with JBossTicketRegistry). During some
> discussions about security we found that someone can inject their own
> servicetickets into the serviceticketcluster and then perform a request with
> this injected serviceticket.
>
> Have we overlooked something?
>
> Frank
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
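
The trust question raised in this thread, as an added example that is not part of the original messages and is not CAS or JGroups code: a toy model of a replicated ticket cache that accepts every replication message it receives, compared with one that only accepts messages carrying a valid tag under a key shared by cluster members. The HMAC tag is a stand-in for a keyed transport and does not reproduce how the JGroups ENCRYPT protocol works; the class, method and ticket names are hypothetical and the ticket values are constructed.

```python
import hashlib
import hmac
import json
import secrets

SERVICE = "https://app.example/"  # constructed sample service URL


class ReplicatedTicketRegistry:
    """One node's ticket cache in a toy cluster (hypothetical model)."""

    def __init__(self, cluster_key=None):
        self.cluster_key = cluster_key  # None models plain, unkeyed multicast
        self.tickets = {}

    def make_update(self, ticket_id, service):
        """Build the replication message this node would send to its peers."""
        body = json.dumps({"id": ticket_id, "service": service}).encode()
        tag = b""
        if self.cluster_key is not None:
            tag = hmac.new(self.cluster_key, body, hashlib.sha256).digest()
        return body, tag

    def on_replication_message(self, body, tag):
        """Apply a received update; a keyed node drops anything it cannot verify."""
        if self.cluster_key is not None:
            expected = hmac.new(self.cluster_key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, tag):
                return False
        entry = json.loads(body)
        self.tickets[entry["id"]] = entry["service"]
        return True

    def validate(self, ticket_id, service):
        """Service tickets are one-time use: remove on validation."""
        return self.tickets.pop(ticket_id, None) == service


def demo():
    """Return (unkeyed_update_accepted, real_ticket_ok, unkeyed_ticket_ok) per mode."""
    results = {}
    for mode, key in (("open", None), ("keyed", secrets.token_bytes(32))):
        issuer, peer = ReplicatedTicketRegistry(key), ReplicatedTicketRegistry(key)
        peer.on_replication_message(*issuer.make_update("ST-1-constructed", SERVICE))
        # A host on the same segment that does not hold the cluster key.
        outsider = ReplicatedTicketRegistry(None)
        accepted = peer.on_replication_message(
            *outsider.make_update("ST-999-constructed", SERVICE))
        results[mode] = (accepted, peer.validate("ST-1-constructed", SERVICE),
                         peer.validate("ST-999-constructed", SERVICE))
    return results


if __name__ == "__main__":
    print(demo())
```

In the unkeyed mode the peer treats the outsider's entry exactly like a ticket issued by a real node, which is why the reply above limits multicast to a network you control and points to transport-level protection in JGroups.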