On Wed, Oct 14, 2009 at 9:13 AM, Marvin Addison <[email protected]> wrote:

> > http://www.ja-sig.org/wiki/display/CASUM/CAS+on+Windows+Quick+Setup+Guide
> > ... was a real serious pain, most notably because of the class
> > "AuthenticatedLdapContextSource" doesn't even exist and that a class
> > in the Spring package replaces the deprecated aforementioned class.
>
> I will put on my TODO list to fix that content problem.
>
> > I have detailed instructions I've drafted since I finally got the
> > stuff in the CAS setup guide running and I'm glad to share them with
> > you.  I believe them to be accurate
>
> There is a significant problem in your guide that we discussed
> recently on the list, namely the use of pooled="true" for a context
> source used for authentication.  I will say again, pooling of any kind
> for authenticated connections is a serious security liability.  Search
> the list archives if you need further information; we discussed this
> thoroughly in the past week.
>

I think the reason our original documentation had pooling enabled was that
the CAS code explicitly made sure that the second bind didn't get pooled
(and only the single user got pooled, which is actually fine).  Spring LDAP
did not appear to copy that piece of code (which I had thought they did
since they based it off of our code).  We should probably request that they
add that as an option at least.

Cheers,
Scott

>
> I respectfully request that you register for the CASUM Wiki and
> contribute to our body of documentation that way.  If you discover a
> glaring content error, by all means correct it if you have time.
>
> Thanks,
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
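The hazard Marvin and Scott are discussing, as an added simulation that is not code from this thread, from CAS or from Spring LDAP: a JNDI-style pool hands back connections keyed on (principal, credentials) and a reused connection is already bound, so no new bind reaches the directory. The model below pools only the service-account search connection (Scott's "single user", which is fine) and compares a per-user bind that goes through the same pool against one done on a fresh, discarded connection. The directory entries, DNs and passwords are constructed sample data, and the pool semantics are a simplified model of the behaviour, not an implementation of any real pool.

```python
"""Model of LDAP bind authentication with and without pooling of the per-user
bind connection.  Constructed simulation, not CAS or Spring LDAP code."""
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> current password (hypothetical data).
DIRECTORY: Dict[str, str] = {
    "uid=svc-cas,ou=services,dc=example,dc=org": "service-secret",
    "uid=alice,ou=people,dc=example,dc=org": "alice-pw",
}
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
SERVICE_DN = "uid=svc-cas,ou=services,dc=example,dc=org"
SERVICE_PW = "service-secret"


class Connection:
    """One open connection to the directory; a bind fixes its identity."""

    def __init__(self) -> None:
        self.bound_as: Optional[str] = None

    def bind(self, dn: str, password: str) -> None:
        # Credentials are checked by the server only at bind time.
        if DIRECTORY.get(dn) != password:
            raise PermissionError("invalid credentials for " + dn)
        self.bound_as = dn

    def find_dn(self, uid: str) -> Optional[str]:
        # Subtree search for uid=<uid>, what the search context source does.
        for dn in DIRECTORY:
            if dn.startswith("uid=" + uid + ","):
                return dn
        return None


class Pool:
    """Modelled JNDI-style pool: entries keyed on (dn, password); a reused
    entry is handed back already bound, with no new bind against the server."""

    def __init__(self) -> None:
        self.idle: Dict[Tuple[str, str], List[Connection]] = {}

    def acquire(self, dn: str, password: str) -> Connection:
        key = (dn, password)
        if self.idle.get(key):
            return self.idle[key].pop()  # reused: credentials not re-checked
        conn = Connection()
        conn.bind(dn, password)  # only a fresh connection actually binds
        return conn

    def release(self, conn: Connection, dn: str, password: str) -> None:
        self.idle.setdefault((dn, password), []).append(conn)

    def size(self) -> int:
        return sum(len(v) for v in self.idle.values())


def lookup_dn(pool: Pool, uid: str) -> Optional[str]:
    """Search step: runs as the service account on a pooled connection.
    Pooling this single identity is the part that is fine."""
    conn = pool.acquire(SERVICE_DN, SERVICE_PW)
    try:
        return conn.find_dn(uid)
    finally:
        pool.release(conn, SERVICE_DN, SERVICE_PW)


def authenticate_pooled(pool: Pool, uid: str, password: str) -> bool:
    """Weak setting: the per-user bind also goes through the pool."""
    dn = lookup_dn(pool, uid)
    if dn is None:
        return False
    try:
        conn = pool.acquire(dn, password)
    except PermissionError:
        return False
    pool.release(conn, dn, password)  # user-bound connection stays idle in the pool
    return True


def authenticate_unpooled(pool: Pool, uid: str, password: str) -> bool:
    """Corrected setting: the user bind uses a fresh connection that is
    discarded afterwards, so every login is a real bind against the server."""
    dn = lookup_dn(pool, uid)
    if dn is None:
        return False
    conn = Connection()
    try:
        conn.bind(dn, password)
    except PermissionError:
        return False
    return True  # conn is dropped here, never returned to a pool


def demo() -> Dict[str, Dict[str, object]]:
    """Alice logs in, then changes her password; the old one must stop working."""
    results: Dict[str, Dict[str, object]] = {}
    for name, auth in (("pooled", authenticate_pooled), ("unpooled", authenticate_unpooled)):
        DIRECTORY[ALICE_DN] = "alice-pw"
        pool = Pool()
        first = auth(pool, "alice", "alice-pw")
        DIRECTORY[ALICE_DN] = "alice-new"  # password change in the directory
        results[name] = {
            "first_login": first,
            "stale_password_accepted": auth(pool, "alice", "alice-pw"),
            "wrong_password_rejected": not auth(pool, "alice", "wrong"),
            "pooled_connections": pool.size(),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

In the pooled variant the changed password is not enforced until the idle user-bound connection is evicted, and the pool grows by one entry per user and credential pair; in the unpooled variant the pool never holds more than the service-account connection and the stale password is rejected on the next login.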
