The "Host" header
Updated to fix security vulnerability
This patch has been modified to require that either one or more serverNames or the serviceURL be specified. The edu.yale.its.tp.cas.client.filter.serverName parameter may be given as a comma-, semicolon- and space-delimited list of allowable server names, or used as before with a single server name. The same 3 files are the only ones that needed modification.
Honoring the HOST header [CAS:only] is not secure
NOTICE: I believe this patch opens you to the "forged host header" security exploit whereby an Adversary can use a service ticket intended for an arbitrary other service to authenticate to the application using this patch.
This security issue is discussed at the CASFilter page.
-[~awp9]
Do it!
This is a pretty simple patch, only 3 files are affected. These are modified from the Java CAS Client 2.1.1 distribution.
- CAS:edu.yale.its.tp.cas.client.Util
- Add a function that takes a TreeSet of serverNames and a default server. It attempts to match the allowable server names against the "Host" header. If there is no match, it returns the default.
- CAS:edu.yale.its.tp.cas.client.filter.CASFilter
- Added support for configuration using multiple serverNames in a comma, space, and semicolon delimited list.
- CAS:edu.yale.its.tp.cas.client.filter.CASValidateFilter
- Added support for configuration using multiple serverNames in a comma, space, and semicolon delimited list.
Load-balanced SSL-to-unencrypted app servers
This patch also includes support for an SSL issue we needed to fix. We have a load balancer which provides SSL support for non-SSL enabled application servers behind it. This causes the CAS Filter on those servers to think they are non-SSL servers and to create a redirect URL with service=http://... This is bad: it causes security pop-ups in IE 6, and users may end up on a non-SSL connection if the load balancer is set up wrong. The fix is for the load balancer to inject the "SSL-Https: on" header, which we check for in the CAS Filter.
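The three changes described on this page (the delimited serverName list, the Host-header match with a default fallback, and the "SSL-Https: on" check), shown together as an added stand-alone illustration; this is not the Java CAS Client's own code, and the class, method names and the sample host names are assumptions:

```java
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration, not the Java CAS Client's code: how a serverName allowlist,
// a Host-header match and the load-balancer SSL header combine into the service URL.
public class ServerNameResolver {

    // Parse "a.example.edu, b.example.edu;c.example.edu" into a case-insensitive set.
    // A single name with no delimiters still works as before.
    public static TreeSet<String> parseServerNames(String configured) {
        TreeSet<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        if (configured == null) return names;
        for (String part : configured.split("[,; ]+")) {
            if (!part.isEmpty()) names.add(part);
        }
        return names;
    }

    // Return the Host header only if it is on the allowlist, otherwise the default.
    // Refusing to echo an unlisted Host into the service URL is what stops a forged
    // Host header from deciding which service a ticket is validated for.
    public static String resolveServerName(Set<String> allowed, String defaultServer, String hostHeader) {
        if (hostHeader == null || !allowed.contains(hostHeader)) return defaultServer;
        return hostHeader;
    }

    // Build the service URL. The scheme is https when the container says the request
    // is secure, or when the TLS-terminating load balancer injected "SSL-Https: on".
    // Header lookup here is a plain Map (constructed stand-in for the servlet request).
    public static String serviceUrl(boolean requestIsSecure, Map<String, String> headers,
                                    Set<String> allowed, String defaultServer, String requestUri) {
        boolean secure = requestIsSecure || "on".equalsIgnoreCase(headers.get("SSL-Https"));
        String server = resolveServerName(allowed, defaultServer, headers.get("Host"));
        return (secure ? "https://" : "http://") + server + requestUri;
    }

    public static void main(String[] args) {
        Set<String> allowed = parseServerNames("portal.example.edu, portal2.example.edu;portal3.example.edu");
        // Unlisted Host falls back to the default, and the SSL header keeps the scheme https.
        Map<String, String> unlisted = Map.of("Host", "unlisted.example.org", "SSL-Https", "on");
        System.out.println(serviceUrl(false, unlisted, allowed, "portal.example.edu", "/app/"));
        // A listed alias is honored as-is.
        Map<String, String> listed = Map.of("Host", "portal2.example.edu", "SSL-Https", "on");
        System.out.println(serviceUrl(false, listed, allowed, "portal.example.edu", "/app/"));
    }
}
```

The first call prints https://portal.example.edu/app/ and the second https://portal2.example.edu/app/; a deployment that trusts the SSL-Https header must also make sure only the load balancer can set it.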