Hi
Thanks very much for your response.
Yes, I agree that the problem is the people who are not fully aware of
the consequences, just as myself ;-)
I guess you mean for example
<cas:json-services-registry
config-file="file:/path/to/servicesRegistry.conf"/>
right?
I am currently using 3.5.2 and IIUC it is using
<bean
    id="serviceRegistryDao"
    class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
  <property name="registeredServices">
    <list>
      <bean
          class="org.jasig.cas.services.RegexRegisteredService">
        <property name="id" value="0" />
        <property name="name" value="HTTP and IMAP" />
        <property name="description" value="Allows HTTP(S) and IMAP(S) protocols" />
        <property name="serviceId"
            value="^(https?|imaps?)://.*" />
        <property name="evaluationOrder" value="10000001" />
      </bean>
    </list>
  </property>
</bean>
inside deployerConfigContext.xml, right? Or otherwise where is
"http*://**" currently configured?
Thanks
Michael
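As an added illustration (not code from this thread, from CAS or from its Spring configuration), the following Python sketch models the check the thread argues for: a service URL is accepted only if it fully matches a registered serviceId pattern, with services tried in evaluationOrder. The registries, the example.org hostnames and the `.invalid` look-alike host are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RegisteredService:
    """One registry entry: a name, the regex its service URLs must match, and its order."""
    name: str
    service_id: str          # regex, like the serviceId property of RegexRegisteredService
    evaluation_order: int    # lower values are evaluated first


def find_service(registry: Sequence[RegisteredService], service_url: str) -> Optional[RegisteredService]:
    """Return the first registered service whose pattern matches the whole URL, else None.

    A None result means the service is unregistered and must not be redirected to;
    that is the check which closes the open redirect discussed in the thread.
    """
    parts = urlsplit(service_url)
    # Only the URL schemes the registry is meant to cover are even considered.
    if parts.scheme not in ("http", "https", "imap", "imaps") or not parts.netloc:
        return None
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        # fullmatch: the pattern must cover the entire URL, not just a prefix.
        if re.fullmatch(svc.service_id, service_url):
            return svc
    return None


# Constructed sample registries (not from any real deployment).
# The catch-all pattern from the thread: any host on HTTP(S)/IMAP(S) is accepted.
PERMISSIVE = [RegisteredService("HTTP and IMAP", r"^(https?|imaps?)://.*", 10000001)]
# A precise registry: only two hosts under a hypothetical example.org domain, HTTPS only.
PRECISE = [
    RegisteredService("Webmail", r"^https://mail\.example\.org(/.*)?", 10),
    RegisteredService("Intranet", r"^https://intranet\.example\.org(/.*)?", 20),
]

if __name__ == "__main__":
    # Constructed look-alike host: accepted by the catch-all, rejected by the precise registry.
    for url in ("https://mail.example.org/login", "https://mail.example.org.lookalike.invalid/"):
        print(url, "permissive:", find_service(PERMISSIVE, url) is not None,
              "precise:", find_service(PRECISE, url) is not None)
```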
On 29.08.14 10:58, Jérôme LELEU wrote:
> Hi,
>
> It's a rather old article and you can't use the CAS server without a
> services registry anymore. But the idea remains the same.
>
> Defining precisely the possible services is more than a good practice, it
> should be mandatory for any CAS administrator. Never define http*://** as
> the only service, except for tests of course.
>
> Security requires time and effort. One would never install a Linux server
> and open all ports and allow directories for write to anyone: the same
> applies for the CAS server.
>
> We are heading more and more towards security and your proposal is close to
> the ones we made (at the CAS AppSec working group):
> https://wiki.jasig.org/display/CAS/Proposals+to+mitigate+security+risks and
> are implementing since 4.0.
>
> Since CAS 4.0, the CAS server also doesn't ship with the default handler
> (login = pwd).
>
> There is no issue with the CAS server security itself, the problem is that
> people are not fully aware of all (the consequences of) the (default)
> settings. And things are going to be more and more restrictive to help CAS
> deployers gain the right perspective on this.
>
> Any contribution will always be appreciated.
>
> Thanks.
> Best regards,
>
>
> Jérôme LELEU
> Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
> Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
>
>
> 2014-08-29 10:34 GMT+02:00 Michael Wechner <[email protected]>:
>
>> Hi
>>
>> I recently became aware of a possible phishing attack using the service
>> redirect, which is described in detail at
>>
>> http://palizine.plynt.com/issues/2011Sep/sso-flaws/
>>
>> The solution seems to be rather simple, that one has to register the
>> services inside CAS, in order to prevent
>> redirects to malicious URLs.
>>
>> Thinking about it some more I thought it might be best to enforce the
>> registration, which means by default
>> only redirects are being executed for services which are registered. The
>> configuration could be in such a way
>> that one could still allow any service URLs, but one would have to
>> configure this explicitly and hence would be aware of the risk
>> explicitly.
>>
>> WDYT?
>>
>> Thanks
>>
>> Michael
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>