The JBossTicketRegistry utilizes multi-casting in order to efficiently deliver the cache.  First, we obviously only recommend you do multi-casting on a "trusted network" (i.e. one you control).  Second, you can enable encryption in the JGroups configuration.  More information on that can be found here:

http://www.jgroups.org/javagroupsnew/docs/javadoc/org/jgroups/protocols/ENCRYPT.html

Does that help?  We should probably update our javadocs to reflect this information.

Thanks
-Scott

On 11/6/06, Frank Taffelt <[EMAIL PROTECTED]> wrote:
Hi,

Today I made a small presentation about the usage of CAS in a project (CAS
in a clustered environment with JBossTicketRegistry). During some
discussions about security we found that someone can inject their own
service tickets into the service ticket cluster and then perform a request with
this injected service ticket.

Have we overlooked something?

Frank

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
