2013-11-26 CAS AppSec Working Group Call

Meeting Details

Tuesday Nov 26.  14:00 - 15:00 US - Eastern (GMT -04:00)

Webex: https://emccorp.webex.com/emccorp/j.php?J=642289088

Webex has international dial-back capability
Passcode:        62405979
USA:             857-207-4204/888-643-3084
France:         0157323313/0805540147
Germany:         06950985552/08006646745
US Cell Link:    tel://8572074204,62405979#
Meeting Number: 642 289 088
Meeting Password: This meeting does not require a password.

Participants

Agenda

Meeting Notes

Dynamic Scan results

  1. Make the TGT cookie Secure and HttpOnly: this can be done in CAS code.
  2. Make session cookies Secure and HttpOnly: this is a container configuration.  Add it to the "securing your CAS server" guide.
  3. Add the HTTP header X-FRAME-OPTIONS to avoid embedding.  Either add it in top.jsp or set it in the servlet.
  4. Avoid URL rewriting that puts JSESSIONID in the URI.  This is either a container option or Servlet 3.0 config, but the servlet spec method seems to turn that off when cookies are not enabled in the browser.
  5. Consider having the login page indicate the need to turn on cookies in the browser.
  6. Consider revising the CAS protocol doc to describe how CAS can do a POST instead of a redirect with the tickets in a URI.
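As an added example (not CAS project code), a Servlet 3.0 filter that implements item 3 by adding X-Frame-Options to every response, with the web.xml fragment for items 2 and 4 in a trailing comment; the class name and filter name are hypothetical.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, mapped to every CAS URL, that adds X-Frame-Options
// so the login page cannot be framed by another site (item 3 above).
@WebFilter(filterName = "frameOptionsFilter", urlPatterns = "/*")
public class FrameOptionsFilter implements Filter {

    // DENY refuses all framing; SAMEORIGIN would permit same-origin frames only.
    private static final String MODE = "DENY";

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before the chain commits the response body.
            ((HttpServletResponse) res).setHeader("X-Frame-Options", MODE);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}

/* Items 2 and 4 are container configuration rather than code. In a
   Servlet 3.0 web.xml, the session cookie flags and cookie-only session
   tracking (no JSESSIONID rewritten into the URI) are declared as:
   <session-config>
     <cookie-config>
       <http-only>true</http-only>
       <secure>true</secure>
     </cookie-config>
     <tracking-mode>COOKIE</tracking-mode>
   </session-config>
*/
```

With tracking-mode COOKIE the container will not fall back to URL rewriting, which is why item 5 (telling users to enable cookies) follows from item 4.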


Action Items


Post Meeting Notes (catch-all, Alibi's)