Always a step ahead! :-)
By the way, I'm finishing up the process of upgrading to CAS 3.3.5 and I'm loving it! The Maven WAR Overlay method works wonderfully, and the server is highly configurable and has very many great new features (compared to our current server, which is running 3.0.x). Great job!

-Nathan

From: Scott Battaglia [mailto:scott.battag...@gmail.com]
Sent: Tuesday, March 02, 2010 11:48 AM
To: cas-dev@lists.jasig.org
Subject: Re: [cas-dev] Getting Rid of Computed Service Name What Consequences?

The latest CAS client includes multiple configuration options including web.xml (two levels in the web.xml), JNDI, and Spring. That should satisfy just about everyone's needs to configure the host outside of the application war ;-)

On Tue, Mar 2, 2010 at 11:45 AM, Nathan Kopp <nathan.k...@ccci.org> wrote:

Interesting. You guys really have thought through very many possible attacks and have accounted for each of them!

So the most secure way is to statically configure the server name. However, this makes life difficult for those of us who deploy to development, test, and production environments. Static configuration of the server name means that we need a different configuration for each deployment, and that makes the deployment scripts much more complicated.

A more convenient (and I think still nearly as secure) method might be to use the host header, but validate it. In other words, the client configuration contains a white list of acceptable server names. We can then list all possible server names (such as names for dev, test, and production) in the single configuration file so that the same file will work for all three environments.

Nathan Kopp
Applications Strategist
Information Technology Group
Campus Crusade for Christ, Int'l
407-826-2939 Office | 407-484-8485 Mobile | 407-826-2968 Fax

From: Scott Battaglia [mailto:scott.battag...@gmail.com]
Sent: Tuesday, March 02, 2010 9:39 AM
To: cas-dev@lists.jasig.org
Subject: Re: [cas-dev] Getting Rid of Computed Service Name What Consequences?

Please see the FAQ that Luke pointed out. There's a reason WHY we don't use the host header. And it's not because we don't know it exists ;-)

--
You are currently subscribed to cas-dev@lists.jasig.org as: scott.battag...@gmail.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
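The allow-list approach Nathan proposes above, written out as an added example for this thread. It is not code from the Jasig CAS client, and the class name, method names and the sample host names are assumptions made here. The idea is that the Host header is used to build the service URL only when it exactly matches one of the configured server names for dev, test or production; a missing, malformed or unrecognised header falls back to the statically configured name, so the same configuration file can be shipped to all three environments without trusting an arbitrary header value.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Picks the server name used to build a CAS service URL. The Host header is
 * honoured only when it exactly matches an entry on a configured allow-list;
 * anything else (missing, malformed or unknown) falls back to the statically
 * configured server name. Hypothetical helper written for this thread; it is
 * not part of the Jasig CAS client.
 */
public final class AllowListedServiceNameResolver {

    // Accept only a bare host[:port]; no scheme, path, userinfo or whitespace.
    private static final Pattern HOST_PORT = Pattern.compile("[a-z0-9.-]+(:[0-9]{1,5})?");

    private final Set<String> allowedServerNames = new HashSet<>();
    private final String fallbackServerName;

    public AllowListedServiceNameResolver(Collection<String> allowedServerNames, String fallbackServerName) {
        for (String name : allowedServerNames) {
            String normalized = normalize(name);
            if (normalized == null) {
                throw new IllegalArgumentException("bad allow-list entry: " + name);
            }
            this.allowedServerNames.add(normalized);
        }
        this.fallbackServerName = normalize(fallbackServerName);
        if (this.fallbackServerName == null) {
            throw new IllegalArgumentException("bad fallback server name: " + fallbackServerName);
        }
    }

    /** Returns the host[:port] to use for this request. */
    public String resolveServerName(String hostHeader) {
        String candidate = hostHeader == null ? null : normalize(hostHeader);
        if (candidate != null && allowedServerNames.contains(candidate)) {
            return candidate;
        }
        return fallbackServerName;
    }

    /** Builds the service URL the client would send to the CAS server. */
    public String resolveServiceUrl(String scheme, String hostHeader, String requestUri) {
        return scheme + "://" + resolveServerName(hostHeader) + requestUri;
    }

    /** Lower-cases and validates; returns null when the value is not a bare host[:port]. */
    private static String normalize(String serverName) {
        String s = serverName.trim().toLowerCase(Locale.ROOT);
        return HOST_PORT.matcher(s).matches() ? s : null;
    }

    public static void main(String[] args) {
        // Constructed sample configuration: one file shared by dev, test and production.
        AllowListedServiceNameResolver resolver = new AllowListedServiceNameResolver(
                Arrays.asList("dev.example.org:8443", "test.example.org", "www.example.org"),
                "www.example.org");

        // Constructed Host header values: two on the list, one unknown host,
        // one with a path appended, and one missing header.
        String[] hostHeaders = {
            "Test.Example.Org", "dev.example.org:8443",
            "unknown.example.net", "www.example.org/extra", null
        };
        for (String h : hostHeaders) {
            System.out.println(String.valueOf(h) + " -> "
                    + resolver.resolveServiceUrl("https", h, "/app/login"));
        }
    }
}
```

Matching is exact on the normalised host[:port], so an entry that is reached on a non-default port must be listed with that port. In a servlet filter the `hostHeader` argument would come from `request.getHeader("Host")` and `requestUri` from `request.getRequestURI()`; the fallback name is the same statically configured value the client uses today, so the worst case for an unlisted header is the behaviour the thread already recommends.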