| Identifier | Scope | Proposal | Development complexity | Efficiency | Backward compatible | Target | Feedback |
|---|---|---|---|---|---|---|---|
| SEC_1 | Service | By default, we could define a service which does not allow HTTP in its pattern matching, for the in-memory services registry (deployerConfigContext.xml file) | Easy | Not very useful in practice, as almost all CAS deployers use their own services registry in production. But it's a good way to make people aware of the "HTTP risk" | Yes in most cases, as almost nobody uses the in-memory services registry in production | 4.0 ? | |
| SEC_2a | Service | Add an allowHttpForService flag for the CAS server to define whether the service can be in HTTP (/login, /validate, /serviceValidate URLs): false by default | Medium | Useful to make people aware that they need to set something up to allow HTTP services | No, already existing HTTP services would no longer work without enabling this flag | | |
| SEC_2b | Service | Reuse the secure flag already used by the proxy handler to define whether the service can be in HTTP (/login, /validate, /serviceValidate URLs) | Medium | Useful to make people aware that they need to set something up to allow HTTP services | No, already existing HTTP services would no longer work without enabling this flag | | |
| SEC_3 | Proxy | Change the default value of the allowToProxy flag to false | Easy | Useful. It would avoid any security issue with proxy by disabling it by default | Yes in most cases. Services are already defined with their allowToProxy flag. Only new deployments would be impacted, or very specific mechanisms using the default allowToProxy flag value | 4.0 ? | |
| SEC_4 | Proxy | Check proxy callback URLs against the services registry | Medium | Useful. If a default truststore is used (all certificates trusted), it would avoid any unexpected proxy callback | No, it can break proxies which are not declared in the services registry (though service definitions should generally match proxy callback URLs) | | |
| SEC_5 | Proxy | Set up an empty truststore and keystore by default | Medium | Useful. It would avoid any call to an untrusted proxy | No. For CAS deployers who use proxies, it would stop working unless they change the default CAS configuration | | |
| SEC_6 | Service | Check /validate and /serviceValidate URLs against the list of trusted certificates, using the checkAgainstCertificates flag defined for each service (true by default) | Medium | Rather useful. It would check the SSL certificate even if the URL has already been checked: DNS attack? | No. All services in HTTPS would stop working if the appropriate certificates are not in the truststore. | | |
| SEC_7 | Proxy | Remove critical information from the URLs: use POST instead of GET requests for proxy callbacks and the /proxy URL | Hard (clients must be upgraded as well) | Useful. Avoids critical information appearing in logs or being indexed... | No. Very invasive change, as clients should also be upgraded. | | |
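
A minimal model of how SEC_2a, SEC_3 and SEC_4 would combine, added here as an illustration and not taken from the CAS code base. The class names, the `allow_http_for_service` attribute and the example.org URLs are assumptions made for the sketch.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class RegisteredService:          # hypothetical model, not a CAS class
    pattern: str                  # regex matched against the full URL
    allow_to_proxy: bool = False  # SEC_3: proxying is off unless enabled

class ServicesRegistry:           # hypothetical model of a services registry
    def __init__(self, services, allow_http_for_service=False):
        self.services = list(services)
        self.allow_http_for_service = allow_http_for_service  # SEC_2a flag

    def find(self, url):
        """Return the first registered service whose pattern matches url."""
        for svc in self.services:
            if re.fullmatch(svc.pattern, url):
                return svc
        return None

    def service_allowed(self, url):
        """SEC_2a: refuse plain-HTTP services unless the server flag is set."""
        scheme = urlsplit(url).scheme.lower()
        if scheme == "http" and not self.allow_http_for_service:
            return False
        return self.find(url) is not None

    def proxy_callback_allowed(self, pgt_url):
        """SEC_4: callback must be HTTPS (in this model), registered,
        and registered with allow_to_proxy enabled."""
        if urlsplit(pgt_url).scheme.lower() != "https":
            return False
        svc = self.find(pgt_url)
        return svc is not None and svc.allow_to_proxy

# Constructed sample entries: one proxy-enabled service and one service
# whose pattern also admits HTTP (only usable when the server flag is on).
SAMPLE_SERVICES = [
    RegisteredService(r"https://portal\.example\.org/.*", allow_to_proxy=True),
    RegisteredService(r"https?://app\.example\.org/.*"),
]
REGISTRY = ServicesRegistry(SAMPLE_SERVICES)
```

Anchoring the host with an escaped dot and a trailing `/` in each pattern is what keeps a look-alike host such as `portal.example.org.other.example` from matching.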