FWIW, decided to implement (for now) fronting with Apache httpd and
doing about the simplest thing possible: munging the look and feel.
> RewriteEngine On
> RewriteOptions Inherit
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^https://servername\.ucdavis\.edu/cas/ [NC]
> RewriteRule \.(gif|jpg|css)$ - [F]
>
> ProxyPass /cas/ ajp://localhost:8009/cas/
Tom.
On 06/17/2013 10:44 AM, Tom Poage wrote:
> Hello,
>
> Looking for opinions/experience protecting the CAS server webapp against,
> among other things, 'hotlinking'.
>
> E.g. requests routed via remote (compromised) site masquerading with 'stolen'
> CAS server content as part of a phishing expedition.
>
> One method is to evaluate HTTP 'Referer' for static content requests and, if
> populated and not your site's URL, consider it being used without your
> authorization. On detection, dynamically change something about your page,
> e.g. CSS or an image(s), to alert the subject something is amiss. Yes, it's
> only a small additional layer of protection, principally against
> unsophisticated attackers, but we've seen this in the wild
> and--unfortunately--sometimes it works.
>
> I see two technical implementations offhand: (1) tuckey.org UrlRewriteFilter,
> and (2) fronting the webapp with Apache httpd and using mod_rewrite.
>
> Other ideas?
>
> Thanks.
> Tom.
>
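As an added example (not code from this thread or the CAS project), the decision the posted mod_rewrite rules express, written as a small Python WSGI filter so the edge cases can be exercised offline: an empty Referer passes, a Referer under https://servername.ucdavis.edu/cas/ passes (case-insensitively, like the [NC] flag), and any other Referer on a .gif/.jpg/.css request gets a 403, the equivalent of [F]. The hostname is the one in the posted config; the asset paths, the stand-in CAS app and the phishing-site domain `phish.example` are constructed.

```python
"""Referer-based hotlink guard for a CAS webapp's static assets.

Added example for this thread, not code from the list or the CAS project.
It reproduces the decision made by the posted mod_rewrite rules as a WSGI
filter so the behaviour can be checked without an httpd. Sample requests
are constructed.
"""
from urllib.parse import urlsplit

STATIC_SUFFIXES = (".gif", ".jpg", ".css")   # same set as the RewriteRule
OWN_HOST = "servername.ucdavis.edu"          # host from the posted config
OWN_PREFIX = "/cas/"


def is_static_asset(path: str) -> bool:
    """Equivalent of `RewriteRule \\.(gif|jpg|css)$`, broadened to ignore case
    (the posted rule itself is case-sensitive)."""
    return path.lower().endswith(STATIC_SUFFIXES)


def is_hotlinked(referer, own_host=OWN_HOST, own_prefix=OWN_PREFIX) -> bool:
    """True when a static asset is requested from a page we did not serve.

    Mirrors the two RewriteConds:
      - a missing or empty Referer passes (browsers and privacy tools strip
        it, so denying here would break legitimate logins), and
      - a Referer under https://<own_host>/cas/ passes, compared
        case-insensitively like [NC].
    Everything else is treated as hotlinking. Parsing the URL makes the host
    comparison explicit: `https://servername.ucdavis.edu@evil.example/cas/`
    has hostname evil.example, and `servername.ucdavis.edu.evil.example`
    is simply a different host.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme.lower() != "https":
        return True
    if (parts.hostname or "") != own_host.lower():   # .hostname is lowercased
        return True
    return not parts.path.lower().startswith(own_prefix.lower())


def hotlink_guard(app, own_host=OWN_HOST, own_prefix=OWN_PREFIX):
    """Wrap a WSGI app: answer 403 (the [F] flag) for hotlinked static assets."""
    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "")
        referer = environ.get("HTTP_REFERER")
        if is_static_asset(path) and is_hotlinked(referer, own_host, own_prefix):
            body = b"Forbidden\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded


def cas_stub(environ, start_response):
    """Stand-in for the proxied CAS webapp (constructed)."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def request_status(path, referer=None):
    """Drive the guarded app with a constructed request.

    Returns (status_code, body) so the decision can be asserted on.
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "SERVER_NAME": OWN_HOST, "wsgi.url_scheme": "https"}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(hotlink_guard(cas_stub)(environ, start_response))
    return int(captured["status"].split()[0]), body


if __name__ == "__main__":
    for path, ref in [
        ("/cas/images/logo.gif", None),
        ("/cas/images/logo.gif", "https://servername.ucdavis.edu/cas/login"),
        ("/cas/images/logo.gif", "https://phish.example/cas/login"),
        ("/cas/login", "https://phish.example/cas/login"),
    ]:
        print(path, ref, "->", request_status(path, ref)[0])
```

As the original post already says, this is a thin layer: the Referer is set by the victim's browser, so the check only fires when a copied login page still loads its images and stylesheets from the real CAS host. A page that carries its own copies of the assets, or that suppresses the Referer, passes unnoticed, so the filter is a tripwire for the careless case rather than a control to rely on.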
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user