We have a similar situation. To mitigate the potential risks, we allow the localhost service registrations to facilitate developers work, but only in our non-production CAS environments, and they must be on one of our networks (or VPNs) and not some random public IP address.
On Thu, Jul 11, 2024 at 10:53 PM jehan procaccia <[email protected]> wrote: > Hello > > developers ask us to allow serviceID of type https://localhost/* > <https://urldefense.com/v3/__https://localhost/*__;Kg!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeoqu9oHuM$> > or https://127.0.0.1/* > <https://urldefense.com/v3/__https://127.0.0.1/*__;Kg!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeoWJuVgHI$> > in order to allow them to develop on their local machine ans test locally . > As system and network administrators we are afraid that this opening of > localhost serviceID might allow the entire world ( all Internet connected > device and hence hackers !) to access our CAS server, allowing them for > example to brute force the web login interface or whatever other mischief > possible . > Is this a real security breach to allow serviceID like https://localhost/* > <https://urldefense.com/v3/__https://localhost/*__;Kg!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeoqu9oHuM$> > , or we are anyway already exposed by our production services which allows > https://*.our-domain.fr/* > <https://urldefense.com/v3/__https://*.our-domain.fr/*__;Kio!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeowlXL-KU$> > serviceID which could be also used by hackers if the spoof our urls ? > > thanks for your security advice regarding this question . > > > -- > - Website: https://apereo.github.io/cas > <https://urldefense.com/v3/__https://apereo.github.io/cas__;!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeo8keoBLM$> > - Gitter Chatroom: https://gitter.im/apereo/cas > <https://urldefense.com/v3/__https://gitter.im/apereo/cas__;!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeon5p1p0I$> > - List Guidelines: https://goo.gl/1VRrw7 > <https://urldefense.com/v3/__https://goo.gl/1VRrw7__;!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeo9Cpmzec$> > - Contributions: https://goo.gl/mh7qDG > <https://urldefense.com/v3/__https://goo.gl/mh7qDG__;!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeoA397xFU$> > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/f278051d-a428-4232-8ccc-ac0bf042ff81n%40apereo.org > <https://urldefense.com/v3/__https://groups.google.com/a/apereo.org/d/msgid/cas-user/f278051d-a428-4232-8ccc-ac0bf042ff81n*40apereo.org?utm_medium=email&utm_source=footer__;JQ!!PvDODwlR4mBZyAb0!URWRjrOCyXTGfxsaiEgD5IQvj3CUO4hAxPBqheFZ8RpSoLVtjN40ghaZu7qhzzPxIoSqQOKC-qeooFoMdUo$> > . > -- Baron Fujimoto <[email protected]> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL2N7ig8jPA%2BdjwvcdZdyAm%2BuWXUaeiUvr1m8bMzbxM20g%40mail.gmail.com.
