If you haven't made any changes, then the Services Manager actually relies
on CAS to do its authentication (the password listed below would be
ignored).

It would just use that list of users for authorization.


On Mon, Apr 16, 2012 at 10:57 AM, Henrik Geijstedt <
[email protected]> wrote:

> Hi,
>
> I'm looking for some advice on how to lock down the CAS Service Manager
> (/cas/services/manage.html) from being accessed by other than admins.
> As of now I have the following config for accessing that part:
>
> deployerConfigContext.xml:
>   <sec:user-service id="userDetailsService">
>       <sec:user name="test" password="test" authorities="ROLE_ADMIN" />
>   </sec:user-service>
>
> cas.properties:
>
> cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
> cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
>
> cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
> cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
>
> With this configuration anyone that knows the userid/password of an admin
> user can access the console.
> It feels a bit weak, so my question is: How is this normally handled?
>
> Can we set this up in a safer way?
> Things that I had in mind were something like the following:
> - IP white list
> - URL lockdown (locking down /cas/services/* on a proxy in front of CAS)
>
> I would really appreciate some input on this, or a few pointers on where
> to start.
>
>
> Thanks and regards,
>
> Henrik
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
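A proxy-level restriction of the kind Henrik describes, as an added example that is not a configuration from this thread or from the CAS project. It assumes Apache httpd 2.4 with mod_proxy_http in front of the CAS servlet container; the hostname cas.example.org, the backend 127.0.0.1:8080 and the admin subnet 10.0.0.0/8 are placeholders.

```apacheconf
# Added example, not from the thread. Assumes Apache httpd 2.4 with
# mod_proxy and mod_proxy_http fronting the CAS container; the server
# name, backend address and admin subnet below are placeholders.
<VirtualHost *:443>
    ServerName cas.example.org
    # ... SSL directives omitted ...

    # Everything under /cas/services/ (manage.html and the
    # j_acegi_cas_security_check callback) is only reachable from the
    # admin network. Apache evaluates this before the request is proxied,
    # so CAS's own login and ROLE_ADMIN check become a second layer rather
    # than the only one. The callback is a browser redirect after login,
    # so it arrives from the same admin client address.
    <Location "/cas/services/">
        Require ip 10.0.0.0/8
    </Location>

    # The rest of CAS (login, ticket validation) stays open to all clients.
    ProxyPreserveHost On
    ProxyPass        /cas http://127.0.0.1:8080/cas
    ProxyPassReverse /cas http://127.0.0.1:8080/cas
</VirtualHost>
```

If another load balancer or proxy sits in front of this host, `Require ip` sees that device's address instead of the client's, and the rule must be applied there or combined with mod_remoteip configured to trust only that device.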
