Hello,

Looking for opinions/experience protecting the CAS server webapp against, among other things, 'hotlinking'. E.g. requests routed via a remote (compromised) site masquerading with 'stolen' CAS server content as part of a phishing expedition.

One method is to evaluate the HTTP 'Referer' for static content requests and, if populated and not your site's URL, consider it being used without your authorization. On detection, dynamically change something about your page, e.g. CSS or an image(s), to alert the subject something is amiss. Yes, it's only a small additional layer of protection, principally against unsophisticated attackers, but we've seen this in the wild and--unfortunately--sometimes it works.

I see two technical implementations offhand:

(1) tuckey.org UrlRewriteFilter, and
(2) fronting the webapp with Apache httpd and using mod_rewrite.

Other ideas? Thanks.

Tom.

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
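The mod_rewrite variant of the Referer check described in the message, as an added example that is not part of the original post or of the CAS project: an Apache httpd server-context fragment fronting the CAS webapp. The host name cas.example.org, the asset path /cas/themes/, the log file name, the environment variable CAS_HOTLINK and the replacement stylesheet hotlinked.css are all assumptions chosen for the illustration.

```apache
# Constructed example (not from the original message or the CAS project).
# Server/virtual-host context: .htaccess context behaves differently for
# environment variables set with the E= flag.
RewriteEngine On

# A request for one of our static assets whose Referer is present but is not
# our own origin (assumed host cas.example.org, any scheme, optional port)
# is flagged as hotlinked. An empty Referer is deliberately allowed through:
# many browsers and privacy settings omit it, and blocking those would break
# legitimate logins rather than catch anything.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://cas\.example\.org(:[0-9]+)?(/|$) [NC]
RewriteRule ^/cas/themes/ - [E=CAS_HOTLINK:1]

# Record flagged requests (client, Referer, requested path) for later review;
# the log file name is an assumption.
CustomLog logs/cas_hotlink.log "%h %{Referer}i %U" env=CAS_HOTLINK

# Serve a replacement stylesheet to flagged requests so the cloned page
# renders visibly wrong; other assets are still served unchanged.
RewriteCond %{ENV:CAS_HOTLINK} =1
RewriteRule ^/cas/themes/.*\.css$ /cas/themes/hotlinked.css [L]
```

Only static content is checked here, as the message suggests: the CAS login page itself is legitimately reached with a foreign Referer (the application that redirected the user), so applying the same rule to it would flag normal traffic. The log line is worth keeping even where no visible change is made, since it gives a record of which sites are embedding the login assets.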
