h1. The "Host" header
{tip:title=Updated to fix security vulnerability}
This patch has been modified to require either one or more serverNames or the serviceURL to be specified. The *edu.yale.its.tp.cas.client.filter.serverName* parameter may now be given as a comma, semicolon, or space delimited list of allowable server names, or used as before with a single server name. The same 3 files are the only ones that needed modification.
{tip}
{warning:title=Honoring the HOST header [CAS:only] is not secure}
NOTICE: I believe this patch opens you to the "forged host header" security exploit whereby an Adversary can use a service ticket intended for an arbitrary other service to authenticate to the application using this patch.
This security issue is discussed at the [CASFilter] page.
-[~awp9]
{warning}
h3. Do it!
This is a pretty simple patch; only 3 files are affected. These are modified from the [Java CAS Client 2.1.1|CAS:Java CAS Client 2.1.1] distribution.
* [CAS:edu.yale.its.tp.cas.client.Util|^Util.java]
** Add a function that takes a [TreeSet|http://java.sun.com/j2se/1.4.2/docs/api/java/util/TreeSet.html] of allowable serverNames and a default server name. It attempts to match the request's "Host" header against the allowable server names; if there is no match, it returns the default, so an unrecognised Host value is never used to build the service URL.
* [CAS:edu.yale.its.tp.cas.client.filter.CASFilter|^CASFilter.java]
** Added support for configuring multiple serverNames in a comma, space, and semicolon delimited list.
* [CAS:edu.yale.its.tp.cas.client.filter.CASValidateFilter|^CASValidateFilter.java]
** Added support for configuring multiple serverNames in a comma, space, and semicolon delimited list.
h1. Load-balanced SSL-to-unecrypted app servers
{nocc}
This patch also includes support for an SSL issue we needed to fix. We have a load balancer which terminates SSL in front of application servers that are not SSL enabled themselves. The CAS Filter on those servers therefore believes it is running on a non-SSL server and builds a redirect URL with service=http://... This is bad: it causes security pop-ups in IE 6, and if the load balancer is misconfigured users may end up on a non-SSL connection. The fix is for the load balancer to inject an "SSL-Https: on" header, which the CAS Filter checks for.
{nocc}
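The two pieces above (the Host allow-list lookup added to Util.java and the "SSL-Https: on" scheme override) in one place, as an added example that is not code from the patch or from the Java CAS Client. The delimiter set and the "SSL-Https" header name are taken from this page; the class and method names, the hostnames and the request values are assumptions, and the servlet API is left out so the class runs from main() on its own.

```java
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example: allow-list matching of the Host header plus the
 * "SSL-Https: on" scheme override. Not code from the Java CAS Client
 * patch; the hostnames and request values below are constructed.
 */
public class ServiceUrlExample {

    /** Split the serverName init-parameter on commas, semicolons and spaces. */
    static Set<String> parseServerNames(String configValue) {
        Set<String> names = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
        if (configValue == null) {
            return names;
        }
        for (String token : configValue.split("[,; ]+")) {
            if (!token.isEmpty()) {
                names.add(token);
            }
        }
        return names;
    }

    /**
     * Pick the server name for the service URL. The Host header is used only
     * when it exactly matches an allowed name (compared case-insensitively;
     * a port, if present, must match too). Anything else, including a forged
     * or missing Host header, falls back to the configured default.
     */
    static String selectServerName(Set<String> allowed, String defaultServerName, String hostHeader) {
        if (hostHeader != null) {
            String host = hostHeader.trim();
            if (allowed.contains(host)) {
                return host;
            }
        }
        return defaultServerName;
    }

    /**
     * Scheme for the service URL. "SSL-Https: on" is the header this page says
     * the load balancer injects after terminating SSL. Note the check can only
     * upgrade http to https; a client forging the header cannot downgrade.
     */
    static String scheme(boolean requestIsSecure, String sslHttpsHeader) {
        if (requestIsSecure || "on".equalsIgnoreCase(sslHttpsHeader)) {
            return "https";
        }
        return "http";
    }

    /** Assemble the service URL the filter would send CAS for login/validation. */
    static String serviceUrl(String scheme, String serverName, String requestUri, String queryString) {
        StringBuilder url = new StringBuilder(scheme).append("://").append(serverName).append(requestUri);
        if (queryString != null && !queryString.isEmpty()) {
            url.append('?').append(queryString);
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed configuration: the list form of the serverName parameter.
        Set<String> allowed = parseServerNames("app.example.edu, app2.example.edu;app.example.edu:8443");
        String defaultServer = "app.example.edu";

        // Legitimate request behind the SSL-terminating load balancer:
        // Host is in the allow-list, SSL-Https is "on", so we get https://app2.example.edu/...
        String name = selectServerName(allowed, defaultServer, "app2.example.edu");
        System.out.println(serviceUrl(scheme(false, "on"), name, "/portal/", "page=home"));

        // Forged Host header: not in the allow-list, so the default server is used.
        name = selectServerName(allowed, defaultServer, "evil.example.org");
        System.out.println(serviceUrl(scheme(false, null), name, "/portal/", null));
    }
}
```

Two points to check in a real deployment: the comparison is exact on the host[:port] string the filter sees, so if the load balancer forwards a Host value carrying a port, that form must be in the list as well or every request silently falls back to the default; and the "SSL-Https" header should be overwritten (not merely added) by the load balancer so that its absence is meaningful, even though in this direction a client-supplied "on" only produces an https service URL.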