Default ClearPass Configuration Allows Circumventing Allowed Proxy Chains

Description

The default clearpass-configuration.xml includes the normal (non-Proxy) CAS authentication filter for protecting /clearPass. Only the Cas20ProxyReceivingTicketValidationFilter needs to be there. In the current state anyone using the default clearpass-configuration.xml file can trivially access the user's password (assuming access to their browser window) by accessing:
https://server.edu/cas/clearPass

thus circumventing the allowed Proxy chains protection mechanism.

I'm preparing a pull request to show how to remove the non-Proxy AuthenticationFilter leaving only the Cas20ProxyReceivingTicketValidationFilter, but it's a trivial fix.
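One way to check a deployed clearpass-configuration.xml for this misconfiguration, as an added example that is not part of the report or of CAS itself: it flags any bean declaring the non-proxy AuthenticationFilter and confirms the Cas20ProxyReceivingTicketValidationFilter is present. The bean ids and both sample files are constructed; only the two Java CAS client class names are real.

```python
import xml.etree.ElementTree as ET

# Real class names from the Java CAS client; everything else below is constructed.
NON_PROXY_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
PROXY_VALIDATION_FILTER = (
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
)

# Constructed sample modelled on the reported default: both filters are declared,
# so a plain browser session satisfies the AuthenticationFilter on /clearPass.
VULNERABLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="clearPassAuthFilter"
        class="org.jasig.cas.client.authentication.AuthenticationFilter"/>
  <bean id="clearPassProxyFilter"
        class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"/>
</beans>"""

# Constructed sample of the intended state: only the proxy-receiving validator remains.
FIXED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="clearPassProxyFilter"
        class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"/>
</beans>"""


def cas_client_beans(xml_text):
    """Map bean id -> class for every bean whose class is a CAS client filter.
    Tags are matched by local name so the check works with or without a namespace."""
    root = ET.fromstring(xml_text)
    beans = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "bean":
            cls = el.get("class") or ""
            if cls.startswith("org.jasig.cas.client."):
                beans[el.get("id", "<no id>")] = cls
    return beans


def audit(xml_text):
    """Return a list of findings; an empty list means the file matches the fix."""
    beans = cas_client_beans(xml_text)
    findings = [
        f"bean '{bean_id}' declares the non-proxy AuthenticationFilter; remove it"
        for bean_id, cls in beans.items() if cls == NON_PROXY_FILTER
    ]
    if PROXY_VALIDATION_FILTER not in beans.values():
        findings.append("Cas20ProxyReceivingTicketValidationFilter is not declared")
    return findings


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_XML), ("fixed", FIXED_XML)):
        print(name, audit(xml) or ["ok"])
```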

Assignee

Misagh Moayyed

Reporter

Eric Domazlicky

Affects versions

3.5.2

Priority

Major