I'd like to add a few notes here on forcing clearPass to only be available via proxy authentication.
I recently discovered that turning off the casAuthenticationFilter alone is not sufficient to disable clearPass from directly rendering credentials on the page. It is still possible for clearPass to render credentials on the page using the following URL:

https://sso.server.edu/cas/login?service=https://sso.server.edu/cas/clearPass

This is seemingly due to the fact that the Java CAS client, and specifically its proxy-enabled validation filter, allows for an empty proxy chain that is constructed by the above URL. Until the next CAS client release, the quick remedy is to provide an extension of the 'Cas20ProxyTicketValidator' which would be responsible for disallowing empty proxy chains.

Regards,
-Misagh

From: Domazlicky, Eric [mailto:[email protected]]
Sent: Wednesday, December 05, 2012 10:04 AM
To: [email protected]
Subject: [cas-user] Note to ClearPass users of CAS 3.5

I would recommend to any users of CAS 3.5 with ClearPass configured to take a look at the changes in the pull request for CAS-1209:

https://issues.jasig.org/browse/CAS-1209
https://github.com/Jasig/cas/pull/151

Basically the pull request removes the CAS Authentication Filter from clearPass-configuration.xml. If you don't remove the CAS Authentication Filter, your users' cleartext passwords can be disclosed if an attacker gains access to their browser session and visits the clearPass URL (usually https://server.edu/cas/clearPass). With the CAS Authentication Filter disabled in clearPass-configuration.xml, the remaining CAS Proxy Filter protects against an attacker seeing the cleartext password, even if they gain access to the user's browser session, by use of the allowedProxyChains attribute.

This may seem like a pretty remote security issue since the attacker has to gain access to the user's browser session first. But at least in a Higher Ed environment I think this happens more than we realize (students walking away from computers without logging off, etc.).
---
Eric Domazlicky
Portal/E-Mail Administrator
Tacoma Community College

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
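One way to implement the remedy Misagh describes, as an added example that is not from this thread or from the CAS project itself: a subclass of Cas20ProxyTicketValidator that rejects an empty proxy chain before delegating to the stock allowedProxyChains check. It assumes the Java CAS client 3.2.x API (the protected customParseResponse hook, XmlUtils.getTextForElements and InvalidProxyChainTicketValidationException); the class and package names are hypothetical.

```java
package edu.example.cas.client; // hypothetical package name

import java.util.List;

import org.jasig.cas.client.util.XmlUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.jasig.cas.client.validation.InvalidProxyChainTicketValidationException;
import org.jasig.cas.client.validation.TicketValidationException;

/**
 * Proxy ticket validator that refuses an empty proxy chain.
 *
 * The stock Cas20ProxyTicketValidator treats a validation response with no
 * <cas:proxy> elements as acceptable, so a ticket issued directly for the
 * clearPass service URL passes the proxy filter. Requiring at least one proxy
 * entry means only a ticket obtained through a proxy that is then matched
 * against allowedProxyChains is accepted.
 */
public class NonEmptyChainProxyTicketValidator extends Cas20ProxyTicketValidator {

    public NonEmptyChainProxyTicketValidator(final String casServerUrlPrefix) {
        super(casServerUrlPrefix);
    }

    @Override
    protected void customParseResponse(final String response, final Assertion assertion)
            throws TicketValidationException {
        // Pull the <cas:proxy> entries out of the validation response. An empty
        // list means the ticket was issued straight to this service, not via a proxy.
        final List<String> proxies = XmlUtils.getTextForElements(response, "proxy");
        if (proxies == null || proxies.isEmpty()) {
            throw new InvalidProxyChainTicketValidationException(
                    "Empty proxy chain rejected: clearPass must be reached through a proxy");
        }
        // A non-empty chain is still validated against allowedProxyChains by the parent.
        super.customParseResponse(response, assertion);
    }
}
```

Wiring it in place of the stock Cas20ProxyTicketValidator as the proxy filter's ticket validator bean in clearPass-configuration.xml is assumed to be the only configuration change needed; verify against the bean definitions in your own deployment.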
