HttpClient and SSL
CAS 3 switches to Apache HttpClient for its outbound HTTP calls. Shawn Bayern raises the concern that this removes the validation of SSL certificates:
>> - The switch to Jakarta Commons's HttpClient may have been a mistake;
>> at the very least, you need to drive the HttpClient code so that it
>> validates SSL certificates, as the old implementation did (by relying
>> on the Java API client's inherent behavior). If you don't do this –
>> i.e., as the code stands now, unless I'm overlooking a deep
>> configuration parameter somewhere – then nothing actually
>> authenticates the HTTPS service you're connecting to, letting it be
>> spoofed arbitrarily.
> I'll check into this. I'm not 100% familiar with the HttpClient API either so I'll need to read up on it. Dmitriy may know more about the configuration stuff than I do though.
>
http://jakarta.apache.org/commons/httpclient/sslguide.html
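
One way to make the client authenticate the HTTPS service, added here as an example (it is not code from CAS or from the thread above): a socket factory for Commons HttpClient 3.x that keeps the JVM's default certificate chain validation and also checks the certificate against the requested host name. It assumes Commons HttpClient 3.x on the classpath and Java 7 or later; the names `VerifyingSocketFactory` and `install()` are made up for this example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Added example (hypothetical class): HTTPS sockets that check both the chain and the host name.
public class VerifyingSocketFactory implements SecureProtocolSocketFactory {
    // Default JSSE factory: validates the certificate chain against the JVM trust store.
    private final SSLSocketFactory jsse = (SSLSocketFactory) SSLSocketFactory.getDefault();

    // Layer TLS over a connected socket, turn on HTTPS host name checking, handshake now.
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        SSLSocket ssl = (SSLSocket) jsse.createSocket(socket, host, port, autoClose);
        SSLParameters p = ssl.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // certificate must match 'host'
        ssl.setSSLParameters(p);
        try {
            ssl.startHandshake(); // SSLHandshakeException on untrusted chain or name mismatch
        } catch (IOException e) {
            ssl.close();
            throw e;
        }
        return ssl;
    }
    // Connect a plain socket first so the configured connect timeout is honoured.
    public Socket createSocket(String host, int port, InetAddress local, int localPort,
                               HttpConnectionParams params) throws IOException {
        Socket plain = new Socket();
        try {
            plain.bind(new InetSocketAddress(local, localPort)); // null address = any interface
            plain.connect(new InetSocketAddress(host, port),
                          params == null ? 0 : params.getConnectionTimeout());
            return createSocket(plain, host, port, true);
        } catch (IOException e) { plain.close(); throw e; }
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort)
            throws IOException { return createSocket(host, port, local, localPort, null); }
    public Socket createSocket(String host, int port) throws IOException {
        return createSocket(host, port, null, 0, null);
    }
    // Route every https:// request made through HttpClient 3.x via this factory.
    public static void install() {
        Protocol.registerProtocol("https",
            new Protocol("https", (ProtocolSocketFactory) new VerifyingSocketFactory(), 443));
    }
}
```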