We proxy CAS with an Apache web server and use this in our httpd.conf file.
It seems to work.
<Location /cas/v1>
Order deny,allow
Deny from all
Allow from n.n.n.n
</Location>
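The same restriction in Apache 2.4 syntax, as an added example that is not from this thread: `Order`/`Deny`/`Allow` need mod_access_compat in 2.4, and `Require ip` is the native form. The backend address, the trusted network and the path layout are placeholders; the point of the comments is that the allow-list only holds if CAS itself is reachable through Apache alone.

```apache
# Reverse proxy in front of CAS. This only protects the REST API if the
# backend servlet container (Tomcat or similar) listens on 127.0.0.1 only;
# a backend reachable on a public interface can be called directly and the
# Apache rules below never run. Backend address is a placeholder.
ProxyPreserveHost On
ProxyPass        /cas http://127.0.0.1:8080/cas
ProxyPassReverse /cas http://127.0.0.1:8080/cas

# REST API (TGT/ST issuance under /cas/v1) only for trusted callers.
# Multiple Require directives in one section are ORed.
# 10.0.0.0/24 and 192.0.2.10 are placeholder trusted addresses.
<Location /cas/v1>
    Require ip 10.0.0.0/24
    Require ip 192.0.2.10
</Location>

# The interactive browser login flow stays open to everyone.
<Location /cas/login>
    Require all granted
</Location>
```

Validate with `apachectl configtest` before reloading; a caller outside the listed ranges receives a 403 from Apache and never reaches CAS. If Apache sits behind another load balancer, `Require ip` sees the balancer's address unless mod_remoteip is configured to trust its forwarded client address.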
On Fri, Jul 15, 2016 at 7:34 AM, Misagh Moayyed <[email protected]> wrote:
> Support is added to throttle requests, but nothing that would “secure” it.
> We *could* restrict it to a set of trusted ip patterns, but I don’t think
> that’s all that practical or useful if done by CAS. Best bet likely would
> be to resort to good old firewall mechanics perhaps. If you have other
> suggestions, please share.
>
> --
> Misagh
>
> From: [email protected]
> Reply: [email protected]
> Date: July 15, 2016 at 1:47:32 AM
> To: jasig-cas-user <[email protected]>
> Cc: [email protected], [email protected]
> Subject: Re: [cas-user] CAS with REST services
>
> Is there any information about securing the CAS REST API?
>
>
> On Wednesday, 13 July 2016 21:49:26 UTC+2, Misagh Moayyed wrote:
>>
>> They are both conceptually, more or less, the same. The caveat with the
>> REST API is, you will have to manage the SSO session, and you will need to
>> manually pass in the uid/psw to CAS while with the proxy scenario, the user
>> is required to be present to do that for you automatically and CAS keeps
>> SSO. Also, turning on the REST API has the potential of becoming the target
>> of DOS attacks, unless properly secured.
>>
>> --
>> Misagh
>>
>> From: Robert <[email protected]>
>> Reply: Robert <[email protected]>
>> Date: July 11, 2016 at 1:36:54 AM
>> To: CAS Community <[email protected]>
>> Subject: [cas-user] CAS with REST services
>>
>> We are currently using CAS 3 for a traditional web application, and we are
>> moving towards a more modern architecture with a single page application
>> and REST services. My first question would be if the CAS protocol is still
>> the right choice for us. I don't have experience with development using CAS
>> so far, but I tried to gather information about it.
>>
>> Looking at the CAS protocol at
>> https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
>> it seems that the normal web flow is not appropriate anymore for our
>> application. I read that CAS 4 contains a REST service for requesting TGTs
>> and STs. So I had the following simple solution in mind for our application.
>> The client (browser) would initially request a TGT from the CAS server and
>> store this. Each time the client needs to call one of our REST services,
>> it would request an ST from the CAS server and call our service with the ST.
>> The application service would verify the ST with the CAS server before
>> executing the method. The downside of this solution is that 2 additional
>> remote calls need to be made for each app service call.
>>
>> Documentation seems to point towards Proxy Granting Tickets, such as in the
>> Spring Security documentation
>>
>> http://docs.spring.io/spring-security/site/docs/4.1.0.RELEASE/reference/htmlsingle/#cas-pt-client
>> But I can't find a conceptual explanation of why I need it and how it works.
>> When I look at the CAS protocol documentation for proxies, it just seems to
>> add even more overhead compared to my solution, and we would need a proxy
>> web application that we need to call instead of the actual app service.
>> https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
>>
>> Thanks for any help you can provide me.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at
>> https://groups.google.com/a/apereo.org/group/cas-user/.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c81eba4-f0ed-45ac-a362-d7f4d95c8077%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c81eba4-f0ed-45ac-a362-d7f4d95c8077%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/a/apereo.org/d/optout.