Hi Andrew,

Thanks for your reply.

Just in case I didn't quite digest the two explanations in the FAQ correctly: a user that has access to only a subset of services that have been CASified can gain access to all services by forging the host entry. The user would have to first authenticate against a service they do have access to, creating a valid service ticket, then forge the host entry and switch to another service they didn't have access to.

If this is correct, and in my implementation all users have access to all services, I could have confidence in allowing the host entry to construct the service URL, because in order to exploit this security issue the user has to have access to at least one service.

Dom

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
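The message above turns on one design choice: whether the application builds the CAS `service` URL from the client-supplied Host header. The example below is added here and is not code from the post, from Andrew's reply, or from the CAS project. It contrasts the weak construction (trust the header) with two hardened ones (accept the header only if it names an allow-listed host, or ignore it and use a configured canonical host). `ALLOWED_HOSTS`, `CANONICAL_HOST`, the host names and the function names are constructed assumptions for the demonstration.

```python
"""Building a CAS 'service' URL without trusting a forged Host header.

Added example; the configuration values and host names below are
constructed for illustration and are not CAS settings.
"""
from urllib.parse import quote

# Constructed deployment configuration (assumption): every host name under
# which this CAS-protected application is legitimately served.
ALLOWED_HOSTS = frozenset({"app.example.edu", "app-alt.example.edu"})
CANONICAL_HOST = "app.example.edu"


class UntrustedHostError(ValueError):
    """The request's Host header names a host this deployment does not serve."""


def normalize_host(raw_host: str) -> str:
    """Lower-case a Host header value and strip an explicit port.

    'App.Example.EDU:8443' -> 'app.example.edu'; '[::1]:8443' -> '[::1]'.
    """
    host = raw_host.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def host_is_allowed(raw_host: str) -> bool:
    """True only if the (normalized) Host header is one we actually serve."""
    return normalize_host(raw_host) in ALLOWED_HOSTS


def build_service_url_naive(request_host: str, path: str) -> str:
    """The weak construction: whatever the client sent as Host becomes the
    'service' the ticket is validated for, so a forged header selects a
    different service than the one the user was authorized against."""
    return f"https://{request_host}{path}"


def build_service_url(request_host: str, path: str, *,
                      trust_host_header: bool = True) -> str:
    """Hardened construction of the CAS 'service' URL.

    trust_host_header=True  -> accept the header only if it is allow-listed,
                               otherwise reject the request outright.
    trust_host_header=False -> ignore the header and use CANONICAL_HOST,
                               the simplest option when the application is
                               only ever served under one name.
    The path is percent-encoded so the URL handed to the CAS server for
    ticket validation is exactly the one the application intends.
    """
    if trust_host_header:
        if not host_is_allowed(request_host):
            raise UntrustedHostError(
                f"Host header {request_host!r} is not an allowed host")
        host = normalize_host(request_host)
    else:
        host = CANONICAL_HOST
    if not path.startswith("/"):
        path = "/" + path
    return f"https://{host}{quote(path, safe='/')}"


if __name__ == "__main__":
    # Constructed request: a client that rewrote its Host header.
    forged = "evil.example.net"
    print("naive   :", build_service_url_naive(forged, "/secure/"))
    print("canonical:", build_service_url(forged, "/secure/",
                                          trust_host_header=False))
    try:
        build_service_url(forged, "/secure/")
    except UntrustedHostError as exc:
        print("allow-list:", exc)
```

Either hardened variant removes the dependency the post describes: the service the ticket is validated for no longer changes just because the request carried a different Host header, regardless of how many services the user already has access to.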
