In the session it isn't, assuming you're not calling any session code that would overwrite the username. However, if you're exposing the username to the UI layer as part of your JavaScript, we can't control what happens there.
Cheers,
Scott

On Fri, Nov 13, 2009 at 2:22 AM, tedzo <[email protected]> wrote:
> One of our apps that is protected by CAS does the following:
> 1. User logs in by going to CAS login page.
> 2. Back in the app, the username is retrieved from the session, and the
> roles that are granted to him are queried (by the front-end, javascript, I
> think).
> 3. Certain features are enabled/disabled based on retrieved roles.
>
> Is it possible for a malicious user to modify the username returned by CAS
> (and thus obtaining unauthorized access to functionality on the page)? I
> guess the question is: is the username provided by CAS in the session
> modifiable in any way by an end user?
>
> Thanks for your response.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
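The distinction Scott draws (the principal held in the server-side session is not the user's to change, but anything handed to the browser's JavaScript is) is easiest to see with a small model of the two request handlers. This is an added example, not code from the thread, from the CAS project, or from the app tedzo describes; the role table, the `deleteRecordInsecure` / `deleteRecordSecure` handlers and the simulated request bodies are all constructed for illustration. It assumes the CAS client filter has already validated the ticket and stored the principal in the session, and that the app's "delete" feature is meant to be admin-only.

```javascript
// Constructed role table, standing in for the app's role query.
const ROLE_TABLE = { alice: ["user", "admin"], bob: ["user"] };

function rolesFor(username) {
  return ROLE_TABLE[username] || [];
}

// The server-side session as populated by the CAS client after ticket
// validation. Nothing the browser sends can rewrite this object; only
// server code that deliberately overwrites the attribute can.
function sessionForPrincipal(username) {
  return { principal: username };
}

// What the thread's app does in the front end: hide or show a feature based
// on the roles the server handed to JavaScript. Fine as a UI hint, but the
// role list and any request built from it are fully under the user's control.
function uiCanDelete(rolesFromServer) {
  return rolesFromServer.includes("admin");
}

// INSECURE (hypothetical): the handler trusts the identity and role that the
// UI echoes back in the request body, so the only real check lived in the UI.
function deleteRecordInsecure(session, body) {
  if (body.role === "admin") {
    return { status: 200, by: body.user };
  }
  return { status: 403 };
}

// HARDENED (hypothetical): identity is read from the session the CAS filter
// populated, roles are looked up server-side, and any username or role the
// client sent is ignored.
function deleteRecordSecure(session, body) {
  const who = session && session.principal;
  if (!who) {
    return { status: 401 }; // no validated CAS session at all
  }
  if (!rolesFor(who).includes("admin")) {
    return { status: 403 }; // authenticated, but not authorized
  }
  return { status: 200, by: who };
}

// Simulate bob, a non-admin, first using the UI honestly and then replaying
// the same request with a tampered body (e.g. from devtools or curl).
function demo() {
  const bobSession = sessionForPrincipal("bob");
  const honest = { user: "bob", role: "user" };
  const tampered = { user: "alice", role: "admin" };
  return {
    uiHidesButton: !uiCanDelete(rolesFor("bob")),
    insecureHonest: deleteRecordInsecure(bobSession, honest).status,
    insecureTampered: deleteRecordInsecure(bobSession, tampered).status,
    secureHonest: deleteRecordSecure(bobSession, honest).status,
    secureTampered: deleteRecordSecure(bobSession, tampered).status,
  };
}

console.log(demo());
```

The UI check correctly hides the button for bob, yet the insecure handler accepts the tampered request because it reads the username from the body rather than from the session; the hardened handler returns 403 for both of bob's requests regardless of what the body claims. That is the practical answer to the question in the thread: the username CAS stored in the session is safe, the username (or role list) your JavaScript sends back is not, so the role check must be repeated on the server.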
