On Mon, 29 Jun 2015, Ajay Madhavan wrote:

> I want to skip service validation. I want to distribute the validation
> among all my webapps where I can obtain the username from the service
> ticket.
>
> I still want to use CAS for service ticket generation.

If you don't validate the ST over a back-channel connection, then how do you prevent someone from spoofing the username? An attacker could put whatever they want in the ST value to become any other user.

Validating the ST is a necessary step for security.

I don't understand what you mean by "distribute the validation among all my webapps".

        Andy
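
The back-channel check described in the reply above, as an added example that is not part of the original message or of any CAS client library: the webapp treats the ST as an opaque value and takes the username only from the CAS server's `/serviceValidate` answer (CAS 2.0 XML format). The hostnames, ticket values and the `fake_cas` stand-in server are constructed for illustration.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # XML namespace of CAS 2.0 responses

class TicketRejected(Exception):
    """The CAS server did not vouch for this ticket."""

def validation_url(cas_base, service, ticket):
    if not cas_base.startswith("https://"):
        raise ValueError("back-channel validation must use HTTPS")
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"

def parse_response(xml_text):
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED"
        raise TicketRejected(code)
    return user.text.strip()

def https_fetch(url):
    with urllib.request.urlopen(url, timeout=5) as resp:  # verifies the TLS certificate
        return resp.read().decode("utf-8")

def authenticate(cas_base, service, ticket, fetch=https_fetch):
    # The username is whatever the CAS server returns for this ticket;
    # nothing is ever parsed out of the ticket string the browser supplied.
    return parse_response(fetch(validation_url(cas_base, service, ticket)))

# Constructed stand-in for the CAS server: one issued, single-use ticket.
ISSUED = {("ST-1-constructedRandomValue", "https://app.example.org/"): "alice"}

def fake_cas(url):
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    key = (q.get("ticket", [""])[0], q.get("service", [""])[0])
    user = ISSUED.pop(key, None)  # a ticket validates at most once
    if user is None:
        return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                '<cas:authenticationFailure code="INVALID_TICKET">not recognized'
                '</cas:authenticationFailure></cas:serviceResponse>')
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            f'<cas:authenticationSuccess><cas:user>{user}</cas:user>'
            '</cas:authenticationSuccess></cas:serviceResponse>')
```

In a real deployment `fetch` is left at its default so the request goes to the CAS server over HTTPS; `fake_cas` exists only so the example runs offline.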
