Hi,
I'm looking for some advice on how to lock down the CAS Service Manager
(/cas/services/manage.html) from being accessed by anyone other than admins.
As of now I have the following config for accessing that part:
deployerConfigContext.xml:
<sec:user-service id="userDetailsService">
<sec:user name="test" password="test" authorities="ROLE_ADMIN" />
</sec:user-service>
cas.properties:
cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
With this configuration anyone that knows the userid/password of an admin user
can access the console.
It feels a bit weak, so my question is: How is this normally handled?
Can we setup this in a safer way?
Things that I had in mind were something like the following:
- IP white list
- URL lockdown (locking down /cas/services/* on a proxy in front of cas..)
I would really appreciate some input on this, or a few pointers on where to
start.
Thanks and regards,
Henrik
--
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
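The proxy-side URL lockdown from the list above, as an added example (not from the original post or the CAS project): an nginx front end that answers /cas/services/* only for allow-listed admin networks, while CAS itself keeps enforcing ROLE_ADMIN behind it. The hostname, admin networks, certificate paths and upstream address are assumptions.

```nginx
# Added example (not from the original post): reverse proxy in front of CAS
# that only lets admin networks reach the Service Manager. Hostname,
# networks, paths and upstream address are assumptions, not values from the post.
upstream cas_backend {
    server 127.0.0.1:8080;   # CAS/Tomcat must listen on loopback only,
                             # otherwise the proxy rule can be walked around
}

server {
    listen 443 ssl;
    server_name cas.example.org;            # assumed hostname
    ssl_certificate     /etc/ssl/cas.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/cas.key;

    # /cas/services/* is the Service Manager (manage.html, add/edit/delete
    # and the j_acegi_cas_security_check callback used to log in to it).
    # "^~" makes this prefix win over the generic /cas/ location below.
    location ^~ /cas/services/ {
        allow 10.10.0.0/24;      # assumed admin VPN / management network
        allow 192.0.2.15;        # assumed single admin workstation
        deny  all;               # everyone else gets 403 before CAS sees it

        proxy_pass         http://cas_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }

    # Everything else (login, validate, serviceValidate, logout) stays
    # reachable for the users and applications that need it.
    location /cas/ {
        proxy_pass         http://cas_backend;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

The allow list only helps if port 8080 is not reachable from anywhere but the proxy (loopback bind or host firewall); the ROLE_ADMIN check in CAS remains the second layer, so a leaked admin password alone is no longer enough from outside the admin network.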