The "Host" header
This patch has been modified to require one or more serverNames to be specified or the serviceURL. The edu.yale.its.tp.cas.client.filter.serverName parameter may be specified using a comma, semicolon, and space delimited list of allowable server names or used as before with a single server name. The same 3 files are the only ones that needed modification.
Honoring HOST header is not secure
NOTICE: I believe this patch opens you to the "forged host header" security exploit whereby an Adversary can use a service ticket intended for an arbitrary other service to authenticate to the application using this patch.
This security issue is discussed at the CASFilter page.
-[~awp9]
Don't do it!
This is a pretty simple patch, only 3 files are affected. These are modified from the Java CAS Client 2.1.1 distribution.
- edu.yale.its.tp.cas.client.Util
- Add function to take a TreeSet of serverNames and match with the "Host" header. If there is no match, it will return the first entry.
- edu.yale.its.tp.cas.client.filter.CASFilter
- Added support for configuration using multiple
Unknown macro: {serverName}s in a comma, space, and semilcolon delimited list.
s in a comma, space, and semilcolon delimited list.
- edu.yale.its.tp.cas.client.filter.CASValidateFilter
- Added support for configuration using multiple
- edu.yale.its.tp.cas.client.filter.CASValidateFilter
- Added support for configuration using multiple
Load-balanced SSL-to-unecrypted app servers
This patch also includes support for an SSL issue we needed to fix. We have a load balanacer which provides SSL support for non-SSL enabled application servers behind it. This causes the CAS Filter on the servers to think they are non-SSL servers and create a redirect URL with service=http://... This is bad as it causes security pop-ups in IE 6 and the users may end up using a non-SSL connection if the load balancer is set up wrong. The fix is for the load balancer to inject the "SSL-Https: on" header which we check for in the CAS Filter.