|
All, I just read the security warning that Andrew added to this excellent tutorial. I was thinking of adding one more warning like that, but in the section that describes how to replicate the ticket registry using JBossCache. That's because the instructions are about using multicast to synchronize the ticket registries across the network. This is not likely to be a problem for CAS clusters of servers sitting next to each other in the same data center. However, if one of the goals of clustering is to achieve high availability, which it often is, then implementers will consider locating CAS cluster servers in different physical locations. In these situations, additional care must me taken to assure that secure data does not "leak" into the public network. This potential issue is not unique to using multicast. Using database-based ticket registry could be subject to similar risks. Those risks may be smaller, IMHO, but they exist. Using encryption when talking to a database might be an option. Based on some other postings in this list, I think that CAS does not use the HttpSession to store any secure information. This would mean that the section of the tutorial titled "Tomcat Session Replication" may be fine even though it also uses multicast. So, my question is: should I add that warning to the Clustering CAS tutorial? Thanks, Adam |
begin:vcard fn:Adam Rybicki n:Rybicki;Adam org:Unicon, Inc.;Professional Services adr:Suite 113;;3140 North Arizona Avenue;Chandler;AZ;85225;United States email;internet:[EMAIL PROTECTED] tel;work:+1-480-558-2400 tel;home:+1-310-265-8286 tel;cell:+1-310-980-2758 x-mozilla-html:FALSE url:http://www.unicon.net/ version:2.1 end:vcard
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
