> After a few tests, it shows up that this implementation shows severe security
> leaks. It seems that, once a user is correctly identified, the context is
> used for all further authentication… Has this been tested, or is this
> just a proof of concept?

This is community-contributed content and has not been verified in any manner whatsoever. We're working to make a clear distinction in documentation between official content and community-contributed content, where the former has been verified and vetted as both secure and consistent with best practices. Unfortunately the CASUM wiki contains both at present.

As I said previously, we'd be happy to accept contributions or improvements to the document you're working from, but no one among the core CAS committers has infrastructure or expertise to do GSSAPI with Kerberos. (Well, technically we have the infrastructure and have cobbled together the expertise in the past, but I can't justify the time at present.)

M
