Hello,

I've been using an older CAS 2.x and I'm planning to update and enhance my SSO applications.

I've developed two customized solutions: one as "classical" filter-protected web pages and another one offering CAS SSO as web services. Consuming web services, my applications receive, after a valid login, a TGT. I discovered that if I place this TGT in a browser URL as a CAS parameter, I can access a website as a validated user. I found this dangerous and I wonder how to secure against such a risk.

Could I add the IP address to the TGT to prevent another user from using it?

Any other idea/clue welcome...

Thanks in advance

--
Javier Leyba
Barcelona - Spain
