Question

Is it possible that a user puts in his/her credentials and gets logged in as someone else while using CAS? I am currently using CAS 3.4.8 and a Grails app that uses Spring Security Core and CAS as a client that uses CAS. There had been some customization done to the CAS server but not to the overall flow of it.

So is it a bug in the CAS server? Are there any other known cases that resemble this issue?

EDIT 1: The problem got solved. I was using a servlet filter for loading custom themes for CAS that varied according to the URL. This was causing concurrency issues. I moved the logic into a Spring bean and moved it to login-webflow.xml and the issue was fixed.

Solution

I'm the CAS chairman and I've never heard of a bug of that kind: "being logged in as someone else". I tend to think that the culprit is your customization: do you properly take into account the multi-threading aspect?
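
The failure mode named in the EDIT and in the answer, as an added example that is not the poster's filter or CAS code. It assumes the filter kept a per-request value in an instance field (the post does not say so); the class names, URLs and theme names are constructed.

```java
import java.util.concurrent.*;

// Constructed model (not the poster's code): the container creates ONE filter
// instance and calls it from every request thread, so its fields are shared.
public class SharedFilterStateDemo {

    // Unsafe: the per-request value is parked in a field of the shared instance.
    static class UnsafeThemeFilter {
        private String theme;

        String handle(String url, CountDownLatch start, CountDownLatch wrote,
                      CountDownLatch read) throws InterruptedException {
            start.await();                      // latches only force the interleaving
            theme = url.contains("/tenantA/") ? "themeA" : "themeB";
            wrote.countDown();
            read.await();                       // another request runs in this gap
            return theme;                       // reads whatever was written last
        }
    }

    // Safe: the value stays in a local variable, confined to the request thread.
    static class SafeThemeFilter {
        String handle(String url) {
            String theme = url.contains("/tenantA/") ? "themeA" : "themeB";
            return theme;
        }
    }

    public static void main(String[] args) throws Exception {
        UnsafeThemeFilter unsafe = new UnsafeThemeFilter();
        SafeThemeFilter safe = new SafeThemeFilter();
        CountDownLatch open = new CountDownLatch(0);
        CountDownLatch aWrote = new CountDownLatch(1);
        CountDownLatch bWrote = new CountDownLatch(1);
        ExecutorService pool = Executors.newFixedThreadPool(2);
        // Constructed URLs: request A writes first, B overwrites, then A reads.
        Callable<String> reqA =
            () -> unsafe.handle("/cas/tenantA/login", open, aWrote, bWrote);
        Callable<String> reqB =
            () -> unsafe.handle("/cas/tenantB/login", aWrote, bWrote, bWrote);
        Future<String> a = pool.submit(reqA);
        Future<String> b = pool.submit(reqB);
        System.out.println("unsafe, request A sees: " + a.get());
        System.out.println("unsafe, request B sees: " + b.get());
        System.out.println("safe,   request A sees: " + safe.handle("/cas/tenantA/login"));
        pool.shutdown();
    }
}
```

With the forced interleaving, request A reads back `themeB`, the value request B wrote, while the local-variable version returns `themeA`. In production the same overlap happens only under concurrent load, which is why this kind of defect rarely shows up in single-user testing.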

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow