I would recommend that any users of CAS 3.5 with ClearPass configured take a look at the changes in the pull request for CAS-1209: https://issues.jasig.org/browse/CAS-1209 https://github.com/Jasig/cas/pull/151

Basically the pull request removes the CAS Authentication Filter from clearPass-configuration.xml. If you don't remove the CAS Authentication Filter, your users' cleartext passwords can be disclosed if an attacker gains access to their browser session and visits the clearPass URL (usually https://server.edu/cas/clearPass). With the CAS Authentication Filter disabled in clearPass-configuration.xml, the remaining CAS Proxy Filter protects against an attacker seeing the cleartext password, even if they gain access to the user's browser session, by use of the allowedProxyChains attribute.

This may seem like a pretty remote security issue since the attacker has to gain access to the user's browser session first. But at least in a Higher Ed environment I think this happens more than we realize (students walking away from computers without logging off, etc.).

---
Eric Domazlicky
Portal/E-Mail Administrator
Tacoma Community College

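Added example, not part of Eric's post or of the CAS project: a small Python audit that parses a constructed clearPass-configuration.xml fragment and reports whether the CAS-1209 change has been applied. The bean layout is an assumption; the filter class names are those of the Java CAS client, and the sample URLs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a clearPass-configuration.xml fragment (assumed bean
# layout, not the file shipped with CAS): the authentication filter is still
# present, which is the state CAS-1209 fixes.
VULNERABLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="casAuthenticationFilter"
        class="org.jasig.cas.client.authentication.AuthenticationFilter">
    <property name="casServerLoginUrl" value="https://server.edu/cas/login"/>
  </bean>
  <bean id="casProxyFilter"
        class="org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter">
    <property name="allowedProxyChains" value="https://portal.server.edu/uPortal/CasProxyServlet"/>
  </bean>
</beans>"""

SPRING_NS = "http://www.springframework.org/schema/beans"
NS = "{%s}" % SPRING_NS
AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
PROXY_FILTER = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
ET.register_namespace("", SPRING_NS)  # keep the default namespace on re-serialisation


def audit_clearpass_config(xml_text):
    """Return a list of findings; an empty list means the config matches CAS-1209."""
    root = ET.fromstring(xml_text)
    by_class = {}
    for bean in root.findall(NS + "bean"):
        by_class.setdefault(bean.get("class"), []).append(bean)
    findings = []
    if AUTH_FILTER in by_class:
        # A plain browser session (TGT cookie) is enough to reach /clearPass.
        findings.append("AuthenticationFilter still configured: a hijacked browser session can read the password")
    proxy_beans = by_class.get(PROXY_FILTER, [])
    if not proxy_beans:
        findings.append("no proxy ticket validation filter in front of /clearPass")
    for bean in proxy_beans:
        chains = [p.get("value", "") for p in bean.findall(NS + "property")
                  if p.get("name") == "allowedProxyChains"]
        if not any(c.strip() for c in chains):
            findings.append("proxy filter has no allowedProxyChains: any proxying service could obtain passwords")
    return findings


def apply_cas_1209(xml_text):
    """Drop the AuthenticationFilter bean, leaving only the proxy filter."""
    root = ET.fromstring(xml_text)
    for bean in list(root.findall(NS + "bean")):
        if bean.get("class") == AUTH_FILTER:
            root.remove(bean)
    return ET.tostring(root, encoding="unicode")
```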