Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Wiki Markup
h1. The "Host" header
{tip}
This patch has been modified to require one or more serverNames to be specified or the serviceURL. The *edu.yale.its.tp.cas.client.filter.serverName* parameter may be specified using a comma, semicolon, and space delimited list of allowable server names or used as before with a single server name. The same 3 files are the only ones that needed modification.
{tip}
{warning:title=Honoring HOST header is not secure}
NOTICE: I believe this patch opens you to the "forged host header" security exploit whereby an Adversary can use a service ticket intended for an arbitrary other service to authenticate to the application using this patch.
This security issue is discussed at the [CASFilter] page.
-[~awp9]
{warning}

h3. Don't do it!
This is a pretty simple patch, only 3 files are affected. These are modified from the [Java CAS Client 2.1.1|Java CAS Client 2.1.1] distribution. 

* [edu.yale.its.tp.cas.client.Util|^Util.java]
** Add function to take a TreeSet of serverNames and match with the "Host" header. If there is no match, it will return the first entry.
* [edu.yale.its.tp.cas.client.filter.CASFilter|^CASFilter.java]
** Added support for configuration using multiple {serverName}sserverNames in a comma, space, and semilcolon delimited list.
* [edu.yale.its.tp.cas.client.filter.CASValidateFilter|^CASValidateFilter.java]
** Added support for configuration using multiple {serverName}sserverNames in a comma, space, and semilcolon delimited list.

h1. Load-balanced SSL-to-unecrypted app servers

{nocc}
This patch also includes support for an SSL issue we needed to fix. We have a load balanacer which provides SSL support for non-SSL enabled application servers behind it. This causes the CAS Filter on the servers to think they are non-SSL servers and create a redirect URL with service=http://... This is bad as it causes security pop-ups in IE 6 and the users may end up using a non-SSL connection if the load balancer is set up wrong. The fix is for the load balancer to inject the "SSL-Https: on" header which we check for in the CAS Filter.
{nocc}