Thanks for your reply. We have actually removed the Service Management URL from the list of URLs that CAS will do authentication for. The reason for that is that we had a requirement that the Service Management console needs to be protected in a stronger way than the username/password used for our other applications.
Regards,
Henrik Geijstedt

On 16 apr 2012, at 17.07, Scott Battaglia wrote:

> If you haven't made any changes, then the Services Manager actually relies on CAS to do its authentication (the password listed below would be ignored). It would just use that list of users for authorization.
>
> On Mon, Apr 16, 2012 at 10:57 AM, Henrik Geijstedt <[email protected]> wrote:
>
>> Hi,
>>
>> I'm looking for some advice on how to lock down the CAS Service Manager (/cas/services/manage.html) from being accessed by anyone other than admins. As of now I have the following config for accessing that part:
>>
>> deployerConfigContext.xml:
>>
>>     <sec:user-service id="userDetailsService">
>>         <sec:user name="test" password="test" authorities="ROLE_ADMIN" />
>>     </sec:user-service>
>>
>> cas.properties:
>>
>>     cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
>>     cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
>>     cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
>>     cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}
>>
>> With this configuration anyone who knows the userid/password of an admin user can access the console. It feels a bit weak, so my question is: how is this normally handled? Can we set this up in a safer way? Things that I had in mind were something like the following:
>>
>> - IP whitelist
>> - URL lockdown (locking down /cas/services/* on a proxy in front of CAS)
>>
>> I would really appreciate some input on this, or a few pointers on where to start.
>>
>> Thanks and regards,
>> Henrik
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
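As an added illustration of the proxy-level lockdown Henrik proposes (this is not from the thread or the CAS project): an nginx reverse-proxy configuration that only lets an administrative network reach /cas/services/* while the rest of CAS stays public. The upstream address, hostname and admin subnet are assumed placeholders.

```nginx
# Constructed example: nginx in front of a CAS server.
upstream cas_backend {
    server 127.0.0.1:8080;          # assumed: Tomcat running CAS, bound to localhost
}

server {
    listen 443 ssl;
    server_name cas.example.org;    # placeholder hostname
    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # Service Management console (manage.html and everything else under
    # /cas/services). "^~" makes this prefix match win over regex locations,
    # so no other rule can accidentally expose the console.
    location ^~ /cas/services {
        allow 10.0.42.0/24;         # assumed admin network
        deny  all;                  # every other source address gets 403
        proxy_pass http://cas_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Login, ticket validation and the rest of CAS remain reachable by everyone.
    location /cas/ {
        proxy_pass http://cas_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The allow/deny check uses the TCP peer address, so it only holds if clients cannot reach Tomcat directly (keep port 8080 bound to localhost or firewalled); it complements CAS's own authentication on the console rather than replacing it.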
