No, that is not an acceptable practice. As a security best practice, it is 
strongly recommended to limit the service management facility to only the 
list of known applications that are authorized to use CAS. Leaving the 
management interface open for all applications may create an opportunity for 
security attacks, and in fact, most vulnerabilities the project has patched 
would be blocked to some degree if the registry were limited to authorized 
applications and trusted domains. I would even go a step further and recommend 
that you use regex patterns for the service ids registered in CAS and only 
allow https applications (i.e. ^https://).

- Misagh

P.S: Come to think of it, we probably should drop support for ant-style 
patterns too. 


> On Feb 26, 2015, at 11:51 PM, Carl R Daudt <[email protected]> wrote:
> 
> I have a question concerning best practice with regard to registering services 
> with CAS.
> 
> We have had a consultant configuring a CAS 4.0 installation for my 
> institution for providing authentication to approximately 20-30 services.  I 
> anticipated that CAS would be configured so that services would need to be 
> registered in some sort of registry, either in memory (serviceRegistryDao 
> bean), LDAP, some other database, or in a file.  Instead, the consultant 
> delivered the product to us so that any service is allowed to authenticate to 
> the server.
> 
> Is the practice of allowing any service to be granted a service ticket a 
> common, acceptable practice?  If not, are certain service registry types 
> (local file vs database vs ...) advisable over others?
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user


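What the advice in this thread amounts to when checked mechanically, as an added example that is not part of the thread and not CAS project code. It models the matching rule of a regex-based registered service: the serviceId is a regular expression that the whole service URL must satisfy (the full-match semantics of Java's Pattern.matches() are assumed here and reproduced with re.fullmatch). A catch-all registry of the "any service may authenticate" kind is compared with one restricted to known https applications, and a small lint flags the two mistakes that make a pattern over-broad: not anchoring to ^https://, and leaving a dot in the hostname unescaped. The registry entries, hostnames (example.edu, evil.test, attacker.test) and probe URLs are all constructed for illustration.

```python
"""Added example (not from the mailing-list thread or the CAS code base):
a regex service registry and why its patterns must be anchored and escaped.
Matching assumes Java Pattern.matches() semantics (whole URL must match),
modelled here with re.fullmatch. All entries and URLs are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegisteredService:
    id: int
    name: str
    service_id: str        # regex the full service URL must match
    evaluation_order: int  # lower values are consulted first

    def matches(self, service_url: str) -> bool:
        # Full-string match: nothing trailing the pattern (for instance a
        # lookalike host suffix) slips through, and a pattern without a
        # trailing (/.*)? does not accept URLs that carry a path.
        return re.fullmatch(self.service_id, service_url) is not None


def find_service(registry, service_url: str) -> Optional[RegisteredService]:
    """First entry, by evaluation order, that accepts the URL. None means the
    service is unknown and no ticket should be issued for it."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if svc.matches(service_url):
            return svc
    return None


def lint_service_id(pattern: str) -> list:
    """Flag the two mistakes that make a regex serviceId over-broad."""
    problems = []
    if not pattern.startswith("^https://"):
        problems.append("not anchored to ^https:// (admits http, other schemes, or any prefix)")
    # Host portion: everything after ^https:// up to the first '/' or group.
    host = re.match(r"\^https://([^/(]*)", pattern)
    if host and re.search(r"(?<!\\)\.", host.group(1)):
        problems.append("unescaped '.' in host: matches any character, not just a dot")
    return problems


# The 'any service is allowed' setup described in the question, reduced to a
# single catch-all entry (constructed; the shape of a typical allow-all rule).
PERMISSIVE_REGISTRY = [
    RegisteredService(0, "allow all", r"^(https?|imaps?)://.*", 10000001),
]

# Registry limited to the known, authorized https applications (constructed).
RESTRICTED_REGISTRY = [
    RegisteredService(1, "portal", r"^https://portal\.example\.edu(/.*)?", 10),
    RegisteredService(2, "library", r"^https://library\.example\.edu(:443)?(/.*)?", 20),
]

# Constructed probes: URL -> whether a restricted registry should accept it.
PROBES = {
    "https://portal.example.edu/login": True,
    "https://library.example.edu:443/catalog?q=cas": True,
    "http://portal.example.edu/login": False,        # plaintext: ticket in the clear
    "https://portal.example.edu.evil.test/": False,  # lookalike host suffix
    "https://portalXexample.edu/": False,            # would pass an unescaped '.'
    "https://attacker.test/collect": False,          # unknown application
}


def accepted_urls(registry, urls) -> set:
    """Subset of urls for which the registry would let CAS issue a ticket."""
    return {u for u in urls if find_service(registry, u) is not None}


if __name__ == "__main__":
    for label, reg in (("permissive", PERMISSIVE_REGISTRY), ("restricted", RESTRICTED_REGISTRY)):
        print(label, sorted(accepted_urls(reg, PROBES)))
    sloppy = RegisteredService(3, "sloppy", r"^https://portal.example.edu/.*", 30)
    for svc in PERMISSIVE_REGISTRY + RESTRICTED_REGISTRY + [sloppy]:
        print(svc.name, lint_service_id(svc.service_id))
```

The permissive registry accepts every probe, including the plaintext http URL and the unknown host, which is exactly the exposure the thread warns about; the restricted registry accepts only the two authorized https URLs. Run the lint over an existing registry before relying on it: an entry that starts with anything other than ^https://, or whose host part contains a bare dot, needs rewriting.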