Security question about Cas client

tedzo tedzo2003 at yahoo.com
Wed Sep 3 16:43:40 EDT 2008


I apologize for this naive question.
I am looking at the cas client code (AuthenticationFilter.java) and I see that if 
1. a ticket doesn't exist AND
2. CONST_CAS_ASSERTION is not defined in the session AND
3. CONST_CAS_GATEWAY is not defined
then the request is redirected to the cas server. What happens if someone somehow sets a bogus ticket such that it appears that a ticket really exists? Is something like this even possible? I mean, can one add a ticket to the request from the middle of the network/client side such that HttpServletRequest.getParameter("ticket") returns the bogus ticket when cas client tries to get the "ticket" parameter from the request?
Thanks for your time.
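An added Python model of the flow the question asks about (editor's example, not the Java CAS client's code): the three conditions above decide only whether to redirect, and a ticket that is merely present in the request is still checked against the CAS server's validation endpoint before any assertion is stored in the session, so an injected ticket value never becomes an authenticated session on its own. The ticket table, URLs and XML responses are constructed stand-ins for a real CAS server.

```python
import re
from dataclasses import dataclass, field

CONST_CAS_ASSERTION = "_const_cas_assertion_"   # session key holding the validated assertion
CONST_CAS_GATEWAY = "_const_cas_gateway_"       # session key marking a gateway round-trip


@dataclass
class Request:
    params: dict                                  # query parameters, e.g. {"ticket": "..."}
    session: dict = field(default_factory=dict)   # server-side session for this client


def authentication_filter(req, cas_login_url="https://cas.example.test/login"):
    """Models the three checks described above: redirect only if all three fail."""
    if CONST_CAS_ASSERTION in req.session:        # already authenticated
        return "continue"
    if req.params.get("ticket"):                  # a ticket is present; validation decides later
        return "continue"
    if CONST_CAS_GATEWAY in req.session:          # gateway request already made
        return "continue"
    return f"redirect:{cas_login_url}"


# Constructed server-side ticket table standing in for the CAS server's state.
VALID_TICKETS = {"ST-123-abc": "alice"}


def service_validate(ticket, service):
    """Stand-in for the CAS 2.0 /serviceValidate endpoint; tickets are single-use."""
    user = VALID_TICKETS.pop(ticket, None)
    if user is None:
        return "<cas:serviceResponse><cas:authenticationFailure code='INVALID_TICKET'/></cas:serviceResponse>"
    return ("<cas:serviceResponse><cas:authenticationSuccess>"
            f"<cas:user>{user}</cas:user></cas:authenticationSuccess></cas:serviceResponse>")


def ticket_validation_filter(req, service="https://app.example.test/"):
    """Only a ticket the server confirms produces an assertion in the session."""
    ticket = req.params.get("ticket")
    if not ticket:
        return "continue"
    xml = service_validate(ticket, service)
    match = re.search(r"<cas:user>([^<]+)</cas:user>", xml)
    if not match:
        return "deny:invalid ticket"              # bogus or replayed ticket: no session created
    req.session[CONST_CAS_ASSERTION] = {"user": match.group(1)}
    return "continue"


def handle(req):
    """Runs the two filters in order, as the client filter chain would."""
    outcome = authentication_filter(req)
    return outcome if outcome != "continue" else ticket_validation_filter(req)
```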


      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20080903/e5aed9df/attachment.html 


More information about the cas mailing list