Thanks Scott, option (a) is exactly what I am trying to implement and it seems to be working great so far.
=================
Barrow Kwan
ThoughtWorks, Inc.

New from ThoughtWorks: Mingle, an Agile project management application.
Mingle. Project Intelligence. Powerfully Simple.
More at http://studios.thoughtworks.com


"Scott Battaglia" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/29/08 12:28 PM
Please respond to Yale CAS mailing list <[email protected]>

To: "Yale CAS mailing list" <[email protected]>
cc:
Subject: Re: Security concern with CAS cluster

On Jan 28, 2008 1:01 AM, Barrow H Kwan <[EMAIL PROTECTED]> wrote:
> If I have set up app1.example.com to authenticate to cas1.example.com and app2.example.com to authenticate to cas2.example.com, and I have configured cas1 and cas2 in a cluster, is it possible for me to log in once (to either cas1 or cas2) and access both app1 and app2?

If you configured CAS in a cluster, I would recommend something like the following, either:

(a) make it so that both CAS instances appear to be under the same domain (i.e. cas.example.com), or
(b) create domains such that you have cas1.sso.example.com and cas2.sso.example.com, and ensure that nothing else gets put under the sso.example.com domain.

Why? Because in order for those two servers to see the cookie it would have to be domain-scoped to sso.example.com, and you don't want any other applications/services to see it.

The problem with (b) is that it provides no failover (if cas2 is down, app2 cannot use cas1).

-Scott


"Scott Battaglia" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/27/08 11:42 AM
Please respond to Yale CAS mailing list <[email protected]>

To: "Yale CAS mailing list" <[email protected]>
cc:
Subject: Re: Security concern with CAS cluster

If you've configured app.example.com to authenticate to cas.example.com, it's impossible for it to utilize the fake CAS server (because it would be explicitly configured to use cas.example.com). (My guess would be your cas.example.com session was still active.)

That said, your cookieDomain for your TicketGrantingTicket should be as restrictive as possible. It should use cas.example.com and not example.com. Exposing the cookie to more domains than necessary exposes your TGT to applications that should not have access to it.

Setting a max cookie age of -1 means that it's only valid for the duration of the browser session (i.e. until you completely exit the browser... though if you exit/restart quickly enough it may still be in there).

-Scott

On Jan 27, 2008 12:59 AM, Barrow H Kwan <[EMAIL PROTECTED]> wrote:
> After I added "cookieDomain" in cas-servlet.xml under the beans "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" (e.g. with value="example.com"), I can use a fake CAS server to authenticate (e.g. using the sample username=password) and access any other CAS server under the example.com domain.
>
> Basically, if I have a production CAS server, cas.example.com, and an app, app.example.com: I connect to app.example.com, it redirects me to cas.example.com, then I log in (the backend is LDAP) and it lets me access app.example.com. Now I set up another CAS server called fake-cas.example.com (with the cookieDomain set) that uses username=password for authentication. I open my browser, go to fake-cas.example.com and log in with username=password, then go to app.example.com, and it lets me in without logging in through cas.example.com. Is this a security hole, or is it because of my setting?
>
> Also, in the instructions at http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS, the cookieMaxAge is -1. Does it mean the cookie will not expire at all?
>
> =================
> Barrow Kwan
> ThoughtWorks, Inc.
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
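Scott's advice about cookieDomain, and the cookieMaxAge question, both come down to which hosts the browser will present the ticket-granting cookie to. The following is an added example and is not code from this thread or from the CAS project: a minimal browser-side cookie store implementing the RFC 6265 domain-match and path-match rules, replayed over the host names used in the thread. The host names, the ticket values and the Set-Cookie headers are constructed for illustration; the cookie name CASTGC and the /cas path are assumed to match the CAS 3.x defaults and are not stated anywhere in the thread.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # lower-case, without any leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    persistent: bool   # False for a session cookie (no Max-Age/Expires)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def parse_set_cookie(header: str, issuing_host: str) -> Cookie | None:
    """Parse one Set-Cookie header as a browser would for a response from
    issuing_host; returns None where a browser discards the cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    if domain_attr:
        # A server may only widen a cookie to a domain that includes itself.
        if not domain_matches(issuing_host, domain_attr):
            return None
        domain, host_only = domain_attr, False
    else:
        domain, host_only = issuing_host.lower(), True

    return Cookie(
        name=name.strip(),
        value=value.strip(),
        domain=domain,
        host_only=host_only,
        path=attrs.get("path") or "/",   # simplified: RFC default-path omitted
        secure="secure" in attrs,
        # A servlet Cookie with maxAge -1 is emitted without Max-Age/Expires,
        # which makes it a session cookie, not one that never expires.
        persistent="max-age" in attrs or "expires" in attrs,
    )


class CookieStore:
    """Just enough of a browser cookie jar to answer 'who receives this cookie?'."""

    def __init__(self) -> None:
        self.cookies: list[Cookie] = []

    def store(self, set_cookie_header: str, issuing_host: str) -> Cookie | None:
        cookie = parse_set_cookie(set_cookie_header, issuing_host)
        if cookie is not None:
            self.cookies.append(cookie)
        return cookie

    def cookie_header(self, host: str, path: str, https: bool) -> str:
        """The Cookie: header value the browser would send to host/path."""
        sent = []
        for c in self.cookies:
            in_scope = host.lower() == c.domain if c.host_only else domain_matches(host, c.domain)
            if in_scope and path_matches(path, c.path) and (https or not c.secure):
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def hosts_receiving(set_cookie_header: str, issuing_host: str,
                    hosts: list[str], path: str = "/cas/login") -> list[str]:
    """Candidate hosts that receive the cookie issued by issuing_host when the
    browser later visits https://<host><path>."""
    store = CookieStore()
    store.store(set_cookie_header, issuing_host)
    return [h for h in hosts if store.cookie_header(h, path, https=True)]


if __name__ == "__main__":
    # Constructed hosts and ticket value for the scenario in the thread.
    hosts = ["cas.example.com", "app.example.com", "fake-cas.example.com"]
    for domain in ("example.com", "cas.example.com"):
        header = f"CASTGC=TGT-1-deadbeef; Domain={domain}; Path=/cas; Secure"
        print(f"Domain={domain}: sent to {hosts_receiving(header, 'cas.example.com', hosts)}")
```

With Domain=example.com the ticket-granting cookie issued by cas.example.com is presented to app.example.com and to fake-cas.example.com as well, so any host that can be stood up under example.com can read the real TGT; with Domain=cas.example.com, or with no Domain attribute at all, only cas.example.com ever sees it. Scott's option (b) is the middle case: Domain=sso.example.com reaches both cluster members and nothing else, which is why that subdomain has to be kept free of other services. The persistent flag shows the answer to the cookieMaxAge question: a servlet cookie with max age -1 is sent with neither Max-Age nor Expires, so the browser treats it as a session cookie rather than one that never expires.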
