I failed to add that, although it depends on your requirements and use 
cases, typically using a file-based service registry is likely the simplest 
option to manage and deploy. Something like a JSON/YAML based service registry. 
Each registry type has of course its own pros and cons as far as security and 
maintenance go, but regardless of the type, you still want to make sure 
everything in the registry is trusted and authorized by you. 

HTH. 

- Misagh

> On Feb 27, 2015, at 12:51 AM, Misagh Moayyed <[email protected]> wrote:
> 
> No that is not an acceptable practice. As a security best practice, it is 
> strongly recommended to limit the service management facility to only include 
> the list of known applications that are authorized to use CAS. Leaving the 
> management interface open for all applications may create an opportunity for 
> security attacks, and in fact, most vulnerabilities the project has patched 
> would be blocked to some degree if the registry is only limited to authorized 
> applications and trusted domains. I would even go a step further and 
> recommend that you use regex patterns for service ids that would be 
> registered in CAS and only allow https applications (i.e. ^https://).  
> 
> - Misagh
> 
> P.S: Come to think of it, we probably should drop support for ant-style 
> patterns too. 
> 
> 
>> On Feb 26, 2015, at 11:51 PM, Carl R Daudt <[email protected]> wrote:
>> 
>> I have a question concerning best practice in regards to registering 
>> services with CAS.
>> 
>> We have had a consultant configuring a CAS 4.0 installation for my 
>> institution for providing authentication to approximately 20-30 services.  I 
>> anticipated that CAS would be configured so that services would need to be 
>> registered in some sort of registry, either in memory (serviceRegistryDao 
>> bean), LDAP, some other database, or in a file.  Instead, the consultant 
>> delivered the product to us so that any service is allowed to authenticate 
>> to the server.
>> 
>> Is the practice of allowing any service to be granted a service ticket a 
>> common, acceptable practice?  If not, are certain service registry types 
>> (local file vs database vs ...) advisable over others?
>> -- 
>> You are currently subscribed to [email protected] as: 
>> [email protected]
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
> 
> 
> 


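The registry discipline recommended in this thread (limit the registry to known applications, anchor service ids with ^https://, and reject open patterns) as a small added Python example; this is not CAS code or its JSON service registry format, and the field names, sample entries and lint rules are assumptions for illustration.

```python
import json
import re

# Constructed sample registry in the JSON style the thread suggests
# (field names are assumed; this is not the real CAS registry schema).
SAMPLE_REGISTRY = json.dumps([
    {"id": 1, "name": "Library portal", "serviceId": "^https://library\\.example\\.edu/.*"},
    {"id": 2, "name": "Legacy wiki", "serviceId": "^http://wiki\\.example\\.edu/.*"},
    {"id": 3, "name": "Catch-all", "serviceId": ".*"},
    {"id": 4, "name": "Unanchored", "serviceId": "https://portal\\.example\\.edu.*"},
])

# A host part is acceptable only if it is a literal name: labels made of
# letters, digits and hyphens, joined by escaped dots (no regex wildcards).
LITERAL_HOST = re.compile(r"(?:[A-Za-z0-9-]+\\\.)*[A-Za-z0-9-]+")
PREFIX = "^https://"


def load_registry(raw_json):
    """Parse the file-based registry; each entry carries a regex serviceId."""
    return json.loads(raw_json)


def lint_pattern(pattern):
    """Return the problems with a serviceId pattern; an empty list means it is acceptable."""
    problems = []
    if not pattern.startswith(PREFIX):
        problems.append("serviceId must be anchored with ^https:// (HTTPS only)")
        return problems
    rest = pattern[len(PREFIX):]
    host = rest.split("/", 1)[0]
    if not LITERAL_HOST.fullmatch(host):
        problems.append("host part %r is not a literal host name" % host)
    if "/" not in rest:
        problems.append("host is not terminated by '/', so the pattern can match other hosts")
    return problems


def find_service(registry, service_url, enforce_lint):
    """Return the first entry authorizing service_url, or None if the service is unknown.

    With enforce_lint=True, entries that fail lint_pattern are ignored, which is
    the hardened behaviour; enforce_lint=False models the open registry the
    thread warns against, where a catch-all pattern admits any service.
    """
    for entry in registry:
        pattern = entry["serviceId"]
        if enforce_lint and lint_pattern(pattern):
            continue
        if re.match(pattern, service_url):
            return entry
    return None
```

Run `lint_pattern` over every entry at deploy time so a catch-all or unanchored id never reaches production.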