Service ticket validation is more or less integral to how CAS works. Maybe if you could explain a bit more in depth what you are trying to accomplish, it might make more sense to the members of the community, and you could receive better advice.
Also, why do you believe there would be some kind of bottleneck validating service tickets? What kind of volume have you measured or are you expecting in terms of validations per unit of time? Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College ----- Original Message ----- From: "Ajay Madhavan" <ajayma...@gmail.com> To: cas-user@lists.jasig.org Sent: Monday, June 29, 2015 4:20:49 PM Subject: Re: [cas-user] Embedding username info in Service ticket I do have a secure mechanism to encrypt my service ticket with the public key and then decrypt it later using the private-key. Also there are multiple webapps which are being protected by the CAS service and I dont want the service validate to be a bottle neck for each of those webapps. I know service ticket generation does do that. But I want to see if I can skip service validation at least. Thanks Ajay On Mon, Jun 29, 2015 at 1:04 PM, Dmitriy Kopylenko <dkopyle...@unicon.net> wrote: > I second what Andy says, and just want to add that service ticket > validation is the necessary step in a secure CAS protocol, and the simple > answer is - “no, you cannot skip the ST validation step”. > > Best, > Dmitriy. > > > On Jun 29, 2015, at 3:55 PM, Andrew Morgan <mor...@orst.edu> wrote: > > > > On Mon, 29 Jun 2015, Ajay Madhavan wrote: > > > >> I want to skip service validation. I want to distribute the validation > >> among all my webapps where i can obtain the username from the service > >> ticket. > >> > >> I still want to use CAS for service ticket generation. > > > > If you don't validate the ST over a back-channel connection, then how do > you prevent someone from spoofing the username? An attacker could put > whatever they want in the ST value to become any other user. > > > > Validating the ST is a necessary step for security. > > > > I don't understand what you mean by "distribute the validation among all > my webapps". > > > > Andy > > > > -- > > You are currently subscribed to cas-user@lists.jasig.org as: > dkopyle...@unicon.net > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > -- > You are currently subscribed to cas-user@lists.jasig.org as: > ajayma...@gmail.com > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to cas-user@lists.jasig.org as: waldb...@lafayette.edu To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
