Security question about Cas client
tedzo
tedzo2003 at yahoo.com
Wed Sep 3 18:43:22 EDT 2008
Scott,
Thank you for your response.
Your answer initially threw me off, and then I realized that I was looking at 3.1 client code while intending to look at 2.1.1 code. So, let me ask afresh:
While looking at the AuthenticationFilter.java class I see that
1. if the ticket is null or empty AND
2. the session contains an attribute named CAS_FILTER_USER
then, the request is not redirected to cas server, it is forwarded on. So, what happens if someone somehow sets a bogus value for CAS_FILTER_USER? Could one set a parameter from the client side/middle of the network?
Thanks.
----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Wednesday, September 3, 2008 2:38:17 PM
Subject: Re: Security question about Cas client
As long as you've configured the ValidationFilter then there's no problem. If you haven't configured anything to validate tickets then that's an issue ;-)
-Scott
On 9/3/08, tedzo <tedzo2003 at yahoo.com> wrote:
I apologize for this naive question:
I am looking at the cas client code (AuthenticationFilter.java) and I see that if
1. a ticket doesn't exist AND
2. CONST_CAS_ASSERTION is not defined in the session AND
3. CONST_CAS_GATEWAY is not defined
then, the request is redirected to the cas server. What happens if someone somehow sets a bogus ticket such that it appears that a ticket really exists? Is something like this even possible? I mean, can one add a ticket to the request from the middle of the network/client side such that HttpServletRequest.getParameter("ticket") returns the bogus ticket when cas client tries to get the "ticket" parameter from the request?
Thanks for your time.
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
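The two questions in this thread (a forged "ticket" parameter, and a forged CAS_FILTER_USER session attribute) can be tried end to end on a small model of the filter chain. The block below is an added example written for this page, not code from the Yale CAS client: it re-implements in Python the two checks the thread quotes from AuthenticationFilter.java and the ValidationFilter step Scott refers to, with a stub standing in for the CAS server's ticket validation. CasServerStub, CasProtectedApp, the SERVICE and CAS_LOGIN URLs and the attribute name string are all assumptions. It also goes a little beyond the thread by showing ticket replay and what happens when no validation filter is configured, the case Scott flags.

```python
"""Toy model of the CAS 2.x client filter chain discussed in the thread.

Constructed illustration, not the Yale CAS client's code: CasServerStub
stands in for the CAS server's ticket validation endpoint, and the filter
methods reproduce only the checks the thread describes.
"""
import secrets
from dataclasses import dataclass, field

CAS_FILTER_USER = "CAS_FILTER_USER"              # placeholder attribute name (assumption)
SERVICE = "https://app.example.edu/"             # assumed service URL
CAS_LOGIN = "https://cas.example.edu/cas/login"  # assumed CAS login URL


class CasServerStub:
    """Issues single-use service tickets on login and validates them.
    Only a ticket the server itself issued, for the same service, validates."""

    def __init__(self):
        self._tickets = {}  # ticket -> (service, user)

    def login(self, service, user):
        ticket = "ST-" + secrets.token_hex(8)
        self._tickets[ticket] = (service, user)
        return ticket

    def service_validate(self, service, ticket):
        entry = self._tickets.pop(ticket, None)  # single use: a replay fails
        if entry is None or entry[0] != service:
            return None
        return entry[1]


@dataclass
class Request:
    """The only inputs a client, or someone on the network path, controls."""
    params: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class CasProtectedApp:
    def __init__(self, cas, validation_filter_configured=True):
        self.cas = cas
        self.validation_filter_configured = validation_filter_configured
        self.sessions = {}  # server-side session store, keyed by session id

    def _session(self, req):
        sid = req.cookies.get("JSESSIONID")
        if sid not in self.sessions:  # missing or unknown id: fresh, empty session
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
        return sid, self.sessions[sid]

    def authentication_filter(self, req, session):
        # The check quoted in the thread: no ticket AND no user in the
        # session means redirect to CAS; otherwise let the request through.
        ticket = req.params.get("ticket")
        if not ticket and CAS_FILTER_USER not in session:
            return (302, CAS_LOGIN + "?service=" + SERVICE)
        return None

    def validation_filter(self, req, session):
        # A ticket in the request is worthless until the CAS server confirms it.
        ticket = req.params.get("ticket")
        if ticket:
            user = self.cas.service_validate(SERVICE, ticket)
            if user is None:
                return (403, "ticket validation failed")
            session[CAS_FILTER_USER] = user  # only the server ever writes this
        return None

    def handle(self, req):
        sid, session = self._session(req)
        chain = [self.authentication_filter]
        if self.validation_filter_configured:
            chain.append(self.validation_filter)
        for f in chain:
            resp = f(req, session)
            if resp is not None:
                return resp + (sid,)
        return (200, "hello " + session.get(CAS_FILTER_USER, "<no user>"), sid)


if __name__ == "__main__":
    cas = CasServerStub()
    app = CasProtectedApp(cas)
    print(app.handle(Request(params={"ticket": "ST-forged"}))[:2])        # (403, ...)
    print(app.handle(Request(params={CAS_FILTER_USER: "admin"}))[:2])     # (302, ...)
    ticket = cas.login(SERVICE, "alice")
    status, body, sid = app.handle(Request(params={"ticket": ticket}))
    print(status, body)                                                    # 200 hello alice
    print(app.handle(Request(cookies={"JSESSIONID": sid}))[:2])           # (200, 'hello alice')
    unguarded = CasProtectedApp(cas, validation_filter_configured=False)
    print(unguarded.handle(Request(params={"ticket": "ST-forged"}))[:2])  # (200, 'hello <no user>')
```

The model makes the two answers concrete. A forged ticket does get past the AuthenticationFilter check (the parameter is non-empty), but the ValidationFilter asks the CAS server about it and nothing is written into the session until the server says yes. The CAS_FILTER_USER attribute lives in the server-side session store; a request can carry a session id cookie and arbitrary parameters, but neither lets it write an attribute into that store, so a parameter named CAS_FILTER_USER is simply ignored. Drop the validation filter, as in the last call, and the forged ticket reaches the application with no authenticated user at all, which is exactly the misconfiguration Scott warns about.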