Thanks for your comments Marvin. It helped a lot.
The combination of credentials and an IP filter was exactly what I was looking
for.
If you want to layer IP filtering on top of credentials, that's fine;
you can do crude IP filtering with Spring Security using something like the
following:
<sec:http pattern="/services/**"
          entry-point-ref="casProcessingFilterEntryPoint"
          use-expressions="true" auto-config="true">
    <sec:intercept-url pattern="/services/**"
                       access="hasIpAddress('${cas.securityContext.svcManage.allowedSubnet}')" />
</sec:http>
Regards,
Henrik
On 16 apr 2012, at 17.24, Marvin S. Addison wrote:
With this configuration anyone that knows the userid/password of an
admin user can access the console. It feels a bit weak.
I honestly don't understand the basis of that comment unless you're in an
environment where you share credentials or you lack password policy to enforce
strong passwords.
How is this normally handled?
In most institutions, you would integrate with an enterprise directory
where users are members of one or more groups that have privileges to
access the CAS service manager. In our environment, the group is
some.prefix.cas.manager, and the Spring Security configuration looks
like ROLE_SOME_PREFIX_CAS_MANAGER.
Can we set this up in a safer way? Things that I had in mind were
something like the following: - IP white list - URL lockdown (locking
down /cas/services/* on a proxy in front of cas)
I think the premise of your comment is suspect. IP filtering and DNS
restrictions are, in most cases, less secure than authentication
credentials of any reasonable strength.
If you want to layer IP filtering on top of credentials, that's fine;
you can do crude IP filtering with Spring Security using something like the
following:
<sec:http pattern="/services/**"
          entry-point-ref="casProcessingFilterEntryPoint"
          use-expressions="true" auto-config="true">
    <sec:intercept-url pattern="/services/**"
                       access="hasIpAddress('${cas.securityContext.svcManage.allowedSubnet}')" />
</sec:http>
M
--
You are currently subscribed to
[email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
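The authorization decision Marvin's snippet delegates to Spring Security, modelled as an added example (plain Python, not Spring's own IpAddressMatcher code and not from either poster): a request may reach the service manager only if the authenticated user holds the manager role AND the client address falls inside the configured subnet. The role name, subnet and sample requests are constructed values standing in for the cas.securityContext.svcManage.allowedSubnet property and the ROLE_SOME_PREFIX_CAS_MANAGER group mentioned in the thread; the Request class is a hypothetical stand-in for the servlet request.

```python
import ipaddress
from dataclasses import dataclass, field


# Hypothetical stand-in for the authenticated HTTP request Spring Security
# evaluates: the client address the container reported plus the roles
# granted at login.
@dataclass(frozen=True)
class Request:
    remote_addr: str
    roles: frozenset = field(default_factory=frozenset)


def _normalize(addr):
    """Unwrap IPv4-mapped IPv6 addresses (::ffff:10.1.2.3) so a request that
    arrived over an IPv6 socket can still match an IPv4 subnet rule."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def has_ip_address(remote_addr: str, allowed: str) -> bool:
    """Same decision as Spring's hasIpAddress(): `allowed` is a single address
    or a CIDR block. Unparsable input or an address-family mismatch denies."""
    try:
        client = _normalize(ipaddress.ip_address(remote_addr))
        network = ipaddress.ip_network(allowed, strict=False)
    except ValueError:
        return False
    if client.version != network.version:
        return False
    return client in network


def may_manage_services(request: Request, required_role: str,
                        allowed_subnet: str) -> bool:
    """Credentials first, then the network check; both must pass."""
    if required_role not in request.roles:
        return False
    return has_ip_address(request.remote_addr, allowed_subnet)


# Constructed sample values (not from the thread's deployment).
MANAGER_ROLE = "ROLE_SOME_PREFIX_CAS_MANAGER"
ALLOWED_SUBNET = "10.20.0.0/16"

SAMPLE_REQUESTS = [
    Request("10.20.3.7", frozenset({MANAGER_ROLE})),          # admin on the allowed net
    Request("203.0.113.9", frozenset({MANAGER_ROLE})),        # admin from outside
    Request("10.20.3.7", frozenset()),                        # right net, no role
    Request("::ffff:10.20.3.7", frozenset({MANAGER_ROLE})),   # IPv6 socket, mapped v4
    Request("not-an-ip", frozenset({MANAGER_ROLE})),          # garbage address
]


def evaluate_all():
    """Return the allow/deny outcome for each constructed request, in order."""
    return [may_manage_services(r, MANAGER_ROLE, ALLOWED_SUBNET)
            for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, ok in zip(SAMPLE_REQUESTS, evaluate_all()):
        print(f"{req.remote_addr:>20} roles={sorted(req.roles)} -> "
              f"{'allow' if ok else 'deny'}")
```

In Spring Security's expression language the two conditions are written together as `access="hasRole('ROLE_SOME_PREFIX_CAS_MANAGER') and hasIpAddress('...')"`, which is the layered setup Henrik settled on. One caveat when relying on this: hasIpAddress tests the address the servlet container reports for the connection, so behind a reverse proxy it sees the proxy's own address unless the container is configured to honour forwarded-address headers from that proxy, in which case the proxy must also be the only thing allowed to set them.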