It is a security risk to essentially trust the Host header sent by the client (since it's controlled by the client).

It's atypical to deploy the same application under multiple hosts (the bulk of our deployers don't). It's often not recommended (what if you decide that you no longer want one domain per language but everyone has bookmarked those URLs?). That said, if there's enough interest we could probably allow the serverName to take an accepted list of hosts (though there'd have to be some discussion on cas-dev about it).

On Thu, Feb 11, 2010 at 8:15 AM, Sander Bos <[email protected]> wrote:
>
> Hi there,
>
> we have one war running multiple websites, e.g. www.example.com and
> www.example.nl and www.example.de
> We use the URL to determine what language to show to the user.
>
> Now we want to have CAS integration on this site, but it is giving us
> problems. Because we have one war available under several URLs, we cannot
> specify just one serverName in the filter configuration (which it always
> will redirect back to, the redirection to 'service' parameter is the
> problem, it means an undesired language switch for our users). And it does
> not appear that there is a way to specify them or get around this with the
> available Java client.
>
> Some googling found these links that seem to indicate it is a security
> risk:
>
> http://www.ja-sig.org/wiki/display/CASC/Using+the+Host+header+for+multiple+DNS+names
> http://www.ja-sig.org/wiki/display/CASC/CASFilter
>
> But we do not want to allow just any host, we know our app represents a
> fixed set of hosts (all having the same content and security levels, just in
> different languages), and we want to allow for exactly those hosts to be
> used (like by the way with the patch of the first URL).
>
> We looked at the code, in particular AbstractCasFilter and
> AuthenticationFilter, there really appears to be only room for one
> serverName. Also, everything is final so it is not easy for us to add our
> own extension. For the authentication filter we could wrap the
> HttpServletResponse and intercept the sendRedirect call to change the URL.
> But we cannot do a similar trick for the validation filter as far as we can
> see, it will always use the fixed serverName (that will then not necessarily
> match up with the language).
>
> Is there something we are overlooking here? I do not think using one war
> deployment to serve multiple hostnames is such an exceptional situation.
>
> Thanks in advance for your reply,
>
> Sander Bos
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
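The "accepted list of hosts" idea from the reply, written out as an added example that is not part of this thread and not code from the CAS Java client. It shows how a service URL can be built from the Host header without trusting it: the header is normalized (port stripped, lower-cased) and only echoed back if it is on a fixed allow-list; anything else falls back to the single configured serverName, so a forged Host header cannot steer the ticket to another origin. The class name `AllowedHostServiceResolver`, its method names, the default serverName `https://www.example.com`, and the sample request paths are assumptions; the three host names come from the original question. The ticket-stripping step mirrors what a validation filter has to do with the service URL, but the helper here is the example's own, not the client's.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not CAS client code): derive the CAS "service" URL from a
 * fixed allow-list of host names instead of trusting the Host header outright.
 * Hosts that are not on the list fall back to the configured default serverName.
 */
public final class AllowedHostServiceResolver {

    private final Set<String> allowedHosts;   // lower-case host names, no port
    private final String defaultServerName;   // assumed default, e.g. "https://www.example.com"

    public AllowedHostServiceResolver(Set<String> allowedHosts, String defaultServerName) {
        Set<String> normalized = new HashSet<>();
        for (String h : allowedHosts) {
            normalized.add(h.trim().toLowerCase(Locale.ROOT));
        }
        this.allowedHosts = Collections.unmodifiableSet(normalized);
        this.defaultServerName = defaultServerName;
    }

    /** Returns the scheme://host prefix to use for this request. */
    public String resolveServerName(String hostHeader, boolean secure) {
        if (hostHeader == null || hostHeader.trim().isEmpty()) {
            return defaultServerName;
        }
        // Drop a ":port" suffix. A bracketed IPv6 literal is left alone; it is
        // not on the allow-list and therefore falls back to the default below.
        String host = hostHeader.trim();
        int colon = host.lastIndexOf(':');
        if (colon > 0 && !host.contains("]")) {
            host = host.substring(0, colon);
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!allowedHosts.contains(host)) {
            return defaultServerName;   // unknown or forged Host: never echo it back
        }
        return (secure ? "https://" : "http://") + host;
    }

    /** Removes the CAS "ticket" parameter so the validation URL matches the login redirect. */
    static String stripTicket(String queryString) {
        if (queryString == null || queryString.isEmpty()) {
            return "";
        }
        StringBuilder kept = new StringBuilder();
        for (String pair : queryString.split("&")) {
            if (pair.startsWith("ticket=")) {
                continue;
            }
            if (kept.length() > 0) {
                kept.append('&');
            }
            kept.append(pair);
        }
        return kept.toString();
    }

    /** Builds the full service URL both the authentication and validation filters would use. */
    public String constructServiceUrl(String hostHeader, boolean secure, String requestUri, String queryString) {
        StringBuilder url = new StringBuilder(resolveServerName(hostHeader, secure)).append(requestUri);
        String query = stripTicket(queryString);
        if (!query.isEmpty()) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    public static void main(String[] args) {
        Set<String> hosts = new HashSet<>();
        hosts.add("www.example.com");
        hosts.add("www.example.nl");
        hosts.add("www.example.de");
        AllowedHostServiceResolver r = new AllowedHostServiceResolver(hosts, "https://www.example.com");

        // A listed host keeps its language-specific origin.
        System.out.println(r.constructServiceUrl("www.example.nl", true, "/secure/page", "lang=nl"));
        // Port suffix and letter case are tolerated; the ticket parameter is dropped.
        System.out.println(r.constructServiceUrl("WWW.Example.DE:8443", true, "/secure/page", "ticket=ST-1&x=1"));
        // An unlisted (possibly forged) Host header falls back to the default serverName.
        System.out.println(r.constructServiceUrl("attacker.invalid", true, "/secure/page", null));
    }
}
```

Because the same resolver feeds both the redirect in the authentication filter and the service URL sent to the ticket validator, the two stay consistent for each language host, which is exactly the mismatch the question describes when a single serverName is hard-coded.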
