Hi,

It's a rather old article and you can't use the CAS server without a
services registry anymore. But the idea remains the same.

Defining precisely the possible services is more than a good practice, it
should be mandatory for any CAS administrator. Never define http*://** as
the only service, except for tests of course.

Security requires time and effort. One would never install a Linux server
and open all ports and allow directories to be writable by anyone: the same
applies to the CAS server.

We are heading more and more towards security and your proposal is close to
the ones we made (at the CAS AppSec working group):
https://wiki.jasig.org/display/CAS/Proposals+to+mitigate+security+risks and
have been implementing since 4.0.

Since CAS 4.0, the CAS server also doesn't ship with the default handler
(login = pwd).

There is no issue with the CAS server security itself; the problem is that
people are not fully aware of all (the consequences of) the (default)
settings. And things are going to be more and more restrictive to help CAS
deployers gain the right perspective on this.

Any contribution will always be appreciated.

Thanks.
Best regards,


Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org


2014-08-29 10:34 GMT+02:00 Michael Wechner <michael.wech...@wyona.com>:

> Hi
>
> I recently became aware of a possible phishing attack using the service
> redirect, which is described in detail at
>
> http://palizine.plynt.com/issues/2011Sep/sso-flaws/
>
> The solution seems to be rather simple: one has to register the
> services inside CAS, in order to prevent
> redirects to malicious URLs.
>
> Thinking about it some more, I thought it might be best to enforce the
> registration, which means by default
> only redirects are being executed for services which are registered. The
> configuration could be in such a way
> that one could still allow any service URLs, but one would have to
> configure this explicitly and hence would be aware of the risk
> explicitly.
>
> WDYT?
>
> Thanks
>
> Michael
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> lel...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
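To make the thread's point concrete (register services precisely, never a catch-all like http*://**), here is an added example that models a CAS-style service registry check in Python. It is not CAS code: CAS 4.x matches the full service URL against each registered serviceId pattern, and this model does the same with Python regexes and an explicit audit that flags patterns broad enough to accept a host nobody owns. The registry entries, canary URLs and function names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed example registry: each entry is a regex that the *full* service
# URL must match (a Python model of a serviceId pattern, not CAS's own classes).
STRICT_REGISTRY = [
    r"https://portal\.example\.edu/.*",
    r"https://mail\.example\.edu(/.*)?",
]

# The catch-all the thread warns against: ant-style http*://** written as a regex.
CATCH_ALL_REGISTRY = [r"https?://.*"]

# Constructed canary URLs: no legitimate service lives on these hosts, so any
# registered pattern that accepts them is too broad to be safe.
CANARY_URLS = ["https://attacker.invalid/login", "http://example.evil/cas"]


def compile_registry(patterns):
    """Compile each serviceId pattern; anchoring is enforced by re.fullmatch."""
    return [(pattern, re.compile(pattern)) for pattern in patterns]


def find_registered_service(registry, service_url):
    """Return the first registered pattern the whole URL matches, else None."""
    for raw, compiled in registry:
        if compiled.fullmatch(service_url):
            return raw
    return None


def validate_service(registry, service_url):
    """Decide whether the server may redirect (carrying a ticket) to service_url.

    Returns (allowed, reason). Only absolute http(s) URLs are considered, and
    the URL must match a registered service; anything else is refused, which
    is what stops a crafted login link from sending a ticket to a third party.
    """
    parts = urlsplit(service_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, "service is not an absolute http(s) URL"
    match = find_registered_service(registry, service_url)
    if match is None:
        return False, "service is not registered"
    return True, f"matched registered service {match}"


def audit_registry(registry, canary_urls=CANARY_URLS):
    """Return registered patterns that accept a canary URL (over-broad entries)."""
    return sorted({raw for raw, compiled in registry
                   for url in canary_urls if compiled.fullmatch(url)})


if __name__ == "__main__":
    strict = compile_registry(STRICT_REGISTRY)
    catch_all = compile_registry(CATCH_ALL_REGISTRY)
    for url in ["https://portal.example.edu/app?x=1",
                "https://portal.example.edu.attacker.invalid/app",
                "https://attacker.invalid/login"]:
        print("strict   ", url, validate_service(strict, url))
        print("catch-all", url, validate_service(catch_all, url))
    print("over-broad patterns in strict registry:   ", audit_registry(strict))
    print("over-broad patterns in catch-all registry:", audit_registry(catch_all))
```

The audit is the part worth keeping around: running every registered pattern against a handful of hosts you do not own is a cheap way to catch an entry that drifted into "accept anything" without reading each regex by hand. Note also that the strict patterns require a `/` (or end of string) right after the hostname, so look-alike hosts such as `portal.example.edu.attacker.invalid` and userinfo tricks like `portal.example.edu@attacker.invalid` fail to match.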

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user