One of our apps that is protected by CAS does the following:
1. User logs in by going to the CAS login page.
2. Back in the app, the username is retrieved from the session, and the roles
that are granted to him are queried (by the front-end, JavaScript, I think).
3. Certain features are enabled/disabled based on the retrieved roles.

Is it possible for a malicious user to modify the username returned by CAS (and
thus obtain unauthorized access to functionality on the page)? I guess the
question is: is the username provided by CAS in the session modifiable in any way
by an end user?

Thanks for your response.

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
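The risk in step 2 is not so much that the CAS-asserted username in the server-side session can be edited by the user, but that a front-end role query may send its own copy of the username and the server may trust that copy. The following is an added example, not code from the original post or from CAS, contrasting the two lookup patterns; it assumes the CAS client filter has already validated the ticket and stored the principal in the server-side session under a constructed key `cas_user`, and `ROLE_DB` stands in for the app's role query.

```python
"""Added example (not from the original post): role lookup keyed on the
server-side CAS principal versus a username supplied by the client.

Assumptions (constructed): the CAS client has validated the service ticket
and stored the asserted username in the server-side session under the key
"cas_user"; ROLE_DB and FEATURE_ROLES stand in for the app's role store."""

# Constructed role data standing in for the application's role query.
ROLE_DB = {
    "alice": {"viewer"},
    "admin1": {"viewer", "admin"},
}

# Which role each feature requires (constructed).
FEATURE_ROLES = {"export": "viewer", "delete_user": "admin"}


def roles_for(username):
    """Role query; returns an empty set for unknown principals."""
    return ROLE_DB.get(username, set())


def roles_trusting_client(session, params):
    """Pattern to avoid: the front-end passes the username it wants roles for.
    The server-side session is never consulted, so the client picks the key."""
    return roles_for(params.get("username", ""))


def roles_from_session(session, params):
    """Lookup keyed on the principal the CAS client stored server-side.
    Request parameters are ignored, so a tampered 'username' has no effect."""
    principal = session.get("cas_user")
    if principal is None:
        return set()
    return roles_for(principal)


def authorize(session, params, feature, role_source=roles_from_session):
    """Server-side check that must guard the feature's handler itself.
    Enabling or hiding a button in JavaScript is presentation, not enforcement."""
    required = FEATURE_ROLES[feature]
    return required in role_source(session, params)
```

With the session-keyed lookup a client-supplied `username=admin1` grants nothing; with the client-trusting lookup it grants admin features, even though the session principal was never modified.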