That works, mahalo!

Aloha.
-baron

On Tue, Sep 16, 2014 at 07:10:53AM +0200, Jérôme LELEU wrote:
>Hi,
>
>Yes, for CAS server version < 4.0, the filter will wrongfully block
>multi-attribute service setups.
>The documentation was updated:
>https://github.com/Jasig/cas-server-security-filter to explain that
>explicit mappings are required in that case.
>
>Best regards,
>
>
>Jérôme LELEU
>Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
>Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
>
>2014-09-15 20:37 GMT+02:00 Baron Fujimoto <ba...@hawaii.edu>:
>
>> On Mon, Aug 11, 2014 at 12:03:48PM -0400, Marvin Addison wrote:
>> >[...]
>> >
>> >Mitigation
>> >----------------------------------------
>> >The CAS Service Management facility [1], which is enabled by default,
>> >can be used to restrict services that are permitted to use CAS (i.e.
>> >allowed to request tickets). Whitelisting trusted services can reduce
>> >the scope of attacks like scenario 1 above.
>> >
>> >The following servlet filter may provide additional defense at the CAS
>> >server against some forms of this attack:
>> >
>> >https://github.com/Jasig/cas-server-security-filter/tree/cas-server-security-filter-1.0.0
>>
>> This CAS server security filter[*] seems to catch the Services Management
>> app if you edit an entry to release more than one attribute.
>>
>> java.lang.IllegalArgumentException: 'allowedAttributes' parameter appears
>> more than once for url: /cas/services/edit.html
>>
>> org.jasig.cas.security.SecurityFilter.checkParameterOnlyAppearOnce(SecurityFilter.java:79)
>>
>> org.jasig.cas.security.SecurityFilter.doFilter(SecurityFilter.java:62)
>>
>> Is there a way to exclude the Services Management app?
>>
>> Aloha,
>> -baron
>>
>> [*] I found I also needed to deploy an slf4j jar file as well to get this
>> to work (slf4j-api-1.7.7.jar was minimally required. Other versions
>> probably work, but that seemed to be the latest available. YMMV)
>> --
>> Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
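To make the behaviour discussed in this thread concrete, here is an added example in Java, written for this page and not taken from the Jasig cas-server-security-filter project: a duplicate-parameter check that rejects any request parameter appearing more than once, except for parameters explicitly mapped as multi-valued for a given URL, which is the kind of explicit mapping the reply above says is required for the Services Management edit page. The class name DuplicateParameterCheck, the path-to-parameter mapping and the form bodies are constructed for the example; the real filter runs as a servlet Filter over the request's parameter map, which is not reproduced here. It needs Java 10 or later for the URLDecoder.decode(String, Charset) overload.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not the Jasig cas-server-security-filter code: reject
 * parameters that repeat within one request (a parameter-pollution
 * defence), unless the path explicitly allows that parameter to repeat.
 */
public class DuplicateParameterCheck {

    /** Hypothetical mapping: request path -> parameter names allowed to repeat. */
    private final Map<String, Set<String>> multiValuedByPath;

    public DuplicateParameterCheck(Map<String, Set<String>> multiValuedByPath) {
        this.multiValuedByPath = multiValuedByPath;
    }

    /** Parse a raw query string or form body into name -> values, keeping repeats. */
    static Map<String, List<String>> parse(String query) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            name = URLDecoder.decode(name, StandardCharsets.UTF_8);
            value = URLDecoder.decode(value, StandardCharsets.UTF_8);
            params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return params;
    }

    /** Names of parameters that repeat and are not allowlisted for this path. */
    public List<String> violations(String path, String query) {
        Set<String> allowed = multiValuedByPath.getOrDefault(path, Collections.emptySet());
        List<String> bad = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : parse(query).entrySet()) {
            if (e.getValue().size() > 1 && !allowed.contains(e.getKey())) {
                bad.add(e.getKey());
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed mapping for the situation in the thread: the services
        // management edit page legitimately submits 'allowedAttributes' once
        // per released attribute, so that one parameter is allowed to repeat
        // on that path only.
        Map<String, Set<String>> mapping = new HashMap<>();
        mapping.put("/cas/services/edit.html", Set.of("allowedAttributes"));
        DuplicateParameterCheck check = new DuplicateParameterCheck(mapping);

        // Constructed form submissions.
        String editForm = "name=app&allowedAttributes=mail&allowedAttributes=cn";
        String loginReq = "service=https%3A%2F%2Fapp.example%2F&service=https%3A%2F%2Fother.example%2F";

        // The edit page submission passes; the login request with a repeated
        // 'service' parameter is flagged because no mapping allows it.
        System.out.println("edit violations:  " + check.violations("/cas/services/edit.html", editForm));
        System.out.println("login violations: " + check.violations("/cas/login", loginReq));
    }
}
```

Keeping the allowlist keyed by path rather than global keeps the check strict everywhere except the one form that genuinely needs a multi-valued field, which is the trade-off the thread ends on: a blanket exclusion of the management app would also stop the filter from catching repeated parameters there.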
