The "Host" header

Updated to fix security vulnerability

This patch has been modified to require that one or more serverNames, or the serviceURL, be specified. The edu.yale.its.tp.cas.client.filter.serverName parameter may be given as a comma-, semicolon-, or space-delimited list of allowable server names, or used as before with a single server name. The same 3 files are the only ones that needed modification.

Honoring the HOST header [CAS:only] is not secure

NOTICE: I believe this patch opens you to the "forged host header" security exploit whereby an Adversary can use a service ticket intended for an arbitrary other service to authenticate to the application using this patch.
This security issue is discussed at the CASFilter page.
-[~awp9]

Do it!

This is a pretty simple patch, only 3 files are affected. These are modified from the Java CAS Client 2.1.1 distribution.

Load-balanced SSL-to-unencrypted app servers


This patch also includes support for an SSL issue we needed to fix. We have a load balancer which provides SSL support for the non-SSL-enabled application servers behind it. This causes the CAS Filter on those servers to think they are non-SSL servers and to create a redirect URL with service=http://... This is bad: it causes security pop-ups in IE 6, and users may end up on a non-SSL connection if the load balancer is set up wrong. The fix is for the load balancer to inject the "SSL-Https: on" header, which we check for in the CAS Filter.
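As an added illustration of the two checks this page describes (the allowlist of server names from the serverName parameter, and the SSL-Https header from the load balancer), and not code from the Java CAS Client itself: a plain-JDK helper that builds the service URL. The class and method names, the fallback to the first configured name when the Host header is not on the list, and the sample hostnames are all assumptions.

```java
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

public final class ServiceUrlBuilder {
    private final Set<String> allowedServerNames = new LinkedHashSet<String>();

    /** serverNameParam plays the role of the patched serverName init parameter. */
    public ServiceUrlBuilder(String serverNameParam) {
        if (serverNameParam != null) {
            // Accept a single name or a comma-, semicolon- or space-delimited list.
            for (String name : serverNameParam.split("[,;\\s]+")) {
                if (name.length() > 0) allowedServerNames.add(name.toLowerCase(Locale.ROOT));
            }
        }
        if (allowedServerNames.isEmpty()) {
            throw new IllegalArgumentException("serverName (or serviceURL) must be configured");
        }
    }

    /**
     * Builds the service URL sent to CAS. The Host header is honoured only when it is on the
     * configured list; otherwise the first configured name is used, so a forged Host header
     * cannot bind the ticket to another service. sslHttpsHeader is the "SSL-Https" header.
     */
    public String serviceUrl(String hostHeader, String sslHttpsHeader, boolean requestIsSecure,
                             String requestUri, String queryString) {
        String host = hostHeader == null ? "" : hostHeader.trim().toLowerCase(Locale.ROOT);
        if (!allowedServerNames.contains(host)) {
            host = allowedServerNames.iterator().next();
        }
        boolean secure = requestIsSecure || "on".equalsIgnoreCase(sslHttpsHeader);
        StringBuilder url = new StringBuilder(secure ? "https://" : "http://");
        url.append(host).append(requestUri);
        if (queryString != null && queryString.length() > 0) {
            url.append('?').append(queryString);
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests; the hostnames are placeholders.
        ServiceUrlBuilder b = new ServiceUrlBuilder("app.example.edu, app2.example.edu");
        // Plain HTTP behind the load balancer, but "SSL-Https: on" was injected -> https://
        System.out.println(b.serviceUrl("app.example.edu", "on", false, "/portal/", null));
        // A Host header that is not on the list is ignored, so the ticket stays bound to us.
        System.out.println(b.serviceUrl("other.example.net", null, true, "/portal/", "x=1"));
    }
}
```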
