We had similar requirements and we worked them out by wrapping Jasig's Authentication Filter with our own Authentication Filter.

If anyone is interested in details: http://midnightit.wordpress.com/2010/02/15/cas-branded-authentication-filter/

Regards,
Yuriy Zubarev

On Sun, Feb 14, 2010 at 7:05 PM, Scott Battaglia <[email protected]> wrote:

> It is a security risk to essentially trust the Host header sent by the client (since it's controlled by the client).
>
> It's atypical to deploy the same application under multiple hosts (the bulk of our deployers don't). It's often not recommended (what if you decide that you no longer want one domain per language but everyone has bookmarked those URLs?)
>
> That said, if there's enough interest we could probably allow the serverName to take an accepted list of hosts (though there'd have to be some discussion on cas-dev about it).
>
> On Thu, Feb 11, 2010 at 8:15 AM, Sander Bos <[email protected]> wrote:
>
>> Hi there,
>>
>> we have one war running multiple websites, e.g. www.example.com and www.example.nl and www.example.de
>> We use the URL to determine what language to show to the user.
>>
>> Now we want to have CAS integration on this site, but it is giving us problems. Because we have one war available under several URLs, we cannot specify just one serverName in the filter configuration (which it always will redirect back to; the redirection to the 'service' parameter is the problem, it means an undesired language switch for our users). And it does not appear that there is a way to specify them or get around this with the available Java client.
>>
>> Some googling found these links that seem to indicate it is a security risk:
>>
>> http://www.ja-sig.org/wiki/display/CASC/Using+the+Host+header+for+multiple+DNS+names
>> http://www.ja-sig.org/wiki/display/CASC/CASFilter
>>
>> But we do not want to allow just any host, we know our app represents a fixed set of hosts (all having the same content and security levels, just in different languages), and we want to allow for exactly those hosts to be used (like, by the way, with the patch of the first URL).
>>
>> We looked at the code, in particular AbstractCasFilter and AuthenticationFilter; there really appears to be only room for one serverName. Also, everything is final so it is not easy for us to add our own extension. For the authentication filter we could wrap the HttpServletResponse and intercept the sendRedirect call to change the URL. But we cannot do a similar trick for the validation filter as far as we can see; it will always use the fixed serverName (that will then not necessarily match up with the language).
>>
>> Is there something we are overlooking here? I do not think using one war deployment to serve multiple hostnames is such an exceptional situation?
>>
>> Thanks in advance for your reply,
>>
>> Sander Bos
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>>
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
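The wrapping approach described in this thread (an outer filter that intercepts sendRedirect and rewrites the 'service' host, but only for a fixed allowlist of hostnames rather than whatever the client puts in the Host header), as an added illustration that is not code from the Jasig client, the linked blog post or anyone in the thread; it assumes Java 10+, the javax.servlet 4.0 API, that the CAS AuthenticationFilter is the next filter in the chain, and constructed values for the allowlist and the configured serverName:

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical outer filter placed in front of the CAS AuthenticationFilter. The CAS filter keeps
 *  its single fixed serverName; this wrapper swaps the host in the login redirect only when the
 *  request's Host header is an exact match for an allowlisted hostname. */
public class AllowlistedHostFilter implements Filter {
    // Constructed allowlist of the hostnames this one war legitimately serves (lower-case, no port).
    static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "www.example.nl", "www.example.de");
    // Assumed value of the single serverName configured on the CAS AuthenticationFilter.
    static final String CONFIGURED_SERVER_NAME = "https://www.example.com";

    /** Normalises a Host header value; returns "https://host" for an allowed host, otherwise null. */
    static String resolveServerName(String hostHeader) {
        if (hostHeader == null) return null;
        String host = hostHeader.trim().toLowerCase(Locale.ROOT);
        int colon = host.indexOf(':');
        if (colon >= 0) host = host.substring(0, colon);                 // drop an explicit ":port"
        return ALLOWED_HOSTS.contains(host) ? "https://" + host : null;  // exact match only, no suffix/prefix tricks
    }

    /** Replaces the configured serverName (URL-encoded inside "service=", and plain) in a redirect target. */
    static String rewriteRedirect(String location, String serverName) {
        if (serverName == null || location == null) return location;    // unknown host: leave the redirect alone
        String encoded = URLEncoder.encode(CONFIGURED_SERVER_NAME, StandardCharsets.UTF_8);
        return location.replace(encoded, URLEncoder.encode(serverName, StandardCharsets.UTF_8))
                       .replace(CONFIGURED_SERVER_NAME, serverName);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final String serverName = resolveServerName(((HttpServletRequest) req).getHeader("Host"));
        // Wrap the response so the CAS filter's sendRedirect goes through rewriteRedirect.
        HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void sendRedirect(String location) throws IOException {
                super.sendRedirect(rewriteRedirect(location, serverName));
            }
        };
        chain.doFilter(req, wrapped);   // the CAS AuthenticationFilter runs next in the chain
    }
}
```

As the thread notes, this only covers the authentication filter's redirect; the ticket validation filter still validates against its own fixed serverName, so the service URL it sends to the CAS server must be made consistent separately.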
