Wiki Markup |
---|
h1. The "Host" header {tip:title=Updated to fix security vulnerability} This patch has been modified to require one or more serverNames to be specified or the serviceURL. The *edu.yale.its.tp.cas.client.filter.serverName* parameter may be specified using a comma, semicolon, and space delimited list of allowable server names or used as before with a single server name. The same 3 files are the only ones that needed modification. {tip} {warning:title=Honoring the HOST header [CAS:only] is not secure} NOTICE: I believe this patch opens you to the "forged host header" security exploit whereby an Adversary can use a service ticket intended for an arbitrary other service to authenticate to the application using this patch. This security issue is discussed at the [CASC:CASFilter] page. -[~awp9] {warning} h3. Do it! This is a pretty simple patch, only 3 files are affected. These are modified from the [Java CAS Client 2.1.1|CAS:Java CAS Client 2.1.1] distribution. * [CAS:edu.yale.its.tp.cas.client.Util|^Util.java] ** Add function to take a [TreeSet|http://java.sun.com/j2se/1.4.2/docs/api/java/util/TreeSet.html] of serverNames and a default server. It would attempt to match the allowable server names the "Host" header. If there is no match, it will return the default. * [CAS:edu.yale.its.tp.cas.client.filter.CASFilter|^CASFilter.java] ** Added support for configuration using multiple serverNames in a comma, space, and semilcolon delimited list. * [CAS:edu.yale.its.tp.cas.client.filter.CASValidateFilter|^CASValidateFilter.java] ** Added support for configuration using multiple serverNames in a comma, space, and semilcolon delimited list. h1. Load-balanced SSL-to-unecrypted app servers {nocc} This patch also includes support for an SSL issue we needed to fix. We have a load balanacer which provides SSL support for non-SSL enabled application servers behind it. This causes the CAS Filter on the servers to think they are non-SSL servers and create a redirect URL with service=http://... This is bad as it causes security pop-ups in IE 6 and the users may end up using a non-SSL connection if the load balancer is set up wrong. The fix is for the load balancer to inject the "SSL-Https: on" header which we check for in the CAS Filter. {nocc} |
Page Comparison
Manage space
Manage content
Integrations