On Jan 28, 2008 1:01 AM, Barrow H Kwan <[EMAIL PROTECTED]> wrote:

> If I have set up app1.example.com to authenticate to cas1.example.com and
> app2.example.com to authenticate to cas2.example.com.
>
> If I configured cas1 and cas2 in a cluster, is it possible for me to login
> once (either cas1 or cas2) and access both app1 and app2?

If you configured CAS in a cluster, I would recommend something like the following, either: (a) make it so that both CAS instances appear to be under the same domain (i.e. cas.example.com) or (b) create domains such that you have cas1.sso.example.com and cas2.sso.example.com and ensure that nothing else gets put under the sso.example.com domain. Why? Because in order for those two servers to see the cookie it would have to be domain scoped to sso.example.com and you don't want any other applications/services to see it. The problem with (b) is that it provides no failover (if cas2 is down, app2 cannot use cas1).

-Scott

> =================
> Barrow Kwan
> ThoughtWorks, Inc.
>
> New from ThoughtWorks: Mingle, an Agile project management application.
> Mingle. Project Intelligence. Powerfully Simple.
> More at http://studios.thoughtworks.com
>
> "Scott Battaglia" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 01/27/08 11:42 AM
> Please respond to: Yale CAS mailing list <[email protected]>
> To: "Yale CAS mailing list" <[email protected]>
> Subject: Re: Security concern with CAS cluster
>
> > If you've configured app.example.com to authenticate to cas.example.com,
> > it's impossible for it to utilize the fake CAS server (because it would be
> > explicitly configured to use cas.example.com). (My guess would be your
> > cas.example.com session was still active.)
> >
> > That said, your cookieDomain for your TicketGrantingTicket should be as
> > restrictive as possible. It should use cas.example.com and not
> > example.com. Exposing the cookie to more domains than necessary exposes
> > your TGT to applications that should not have access to it.
> >
> > Setting a max cookie age of -1 means that it's only valid for the duration
> > of the browser session (i.e. until you completely exit the browser...though
> > if you exit/restart quick enough it may still be in there).
> >
> > -Scott
> >
> > On Jan 27, 2008 12:59 AM, Barrow H Kwan <[EMAIL PROTECTED]> wrote:
> >
> > > After I added "cookieDomain" in cas-servlet.xml under bean
> > > "warnCookieGenerator" and "ticketGrantingTicketCookieGenerator" (e.g.
> > > with value="example.com"), I can use a fake CAS server to authenticate
> > > (e.g. use the sample username=password) and access any other CAS server
> > > under the example.com domain.
> > >
> > > Basically, if I have a production CAS server, cas.example.com, and an
> > > app, app.example.com: I connect to app.example.com, it redirects me to
> > > cas.example.com, then I login (backend is LDAP) and it lets me access
> > > app.example.com. Now I set up another CAS server called
> > > fake-cas.example.com (with the cookieDomain set) that uses
> > > username=password for authentication. I open my browser and go to
> > > fake-cas.example.com and login with username=password, then go to
> > > app.example.com; it lets me in without logging in through
> > > cas.example.com.
> > >
> > > Is this a security hole or is it because of my setting? Also in the
> > > instruction http://www.ja-sig.org/wiki/display/CASUM/Clustering+CAS the
> > > cookieMaxAge is -1; does it mean the cookie will not expire at all?
> > >
> > > =================
> > > Barrow Kwan
> > > ThoughtWorks, Inc.

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
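Added example, not code from the thread or from CAS itself: a small Python check of RFC 6265 domain matching that shows which hosts a ticket-granting-ticket cookie is presented to for each cookieDomain discussed above (example.com, cas.example.com, sso.example.com), and why cookieMaxAge=-1 yields a session cookie rather than a non-expiring one. The host list and the Set-Cookie line are constructed; the cookie name CASTGC and Path=/cas are assumed CAS 3 defaults.

```python
import ipaddress


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: a cookie carrying a Domain
    attribute is sent to a host if the host equals the Domain string or
    ends with "." + Domain. IP-address hosts never domain-match."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host == domain or host.endswith("." + domain)


def hosts_receiving_tgt(cookie_domain: str, hosts) -> list:
    """Hosts a TGT cookie scoped to cookie_domain would be presented to."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


def is_session_cookie(cookie_max_age: int) -> bool:
    """cookieMaxAge of -1 writes no Max-Age attribute, so the browser keeps
    the cookie only until the browser session ends (not forever)."""
    return cookie_max_age < 0


def tgt_set_cookie(value: str, cookie_domain: str, cookie_max_age: int) -> str:
    """Constructed Set-Cookie line (not CAS's exact output) showing how the
    cookieDomain and cookieMaxAge settings surface as cookie attributes."""
    attrs = [f"CASTGC={value}", "Path=/cas", f"Domain={cookie_domain}",
             "Secure", "HttpOnly"]
    if cookie_max_age >= 0:
        attrs.append(f"Max-Age={cookie_max_age}")
    return "; ".join(attrs)


# Constructed hosts mirroring the thread: production CAS, the rogue CAS,
# the protected app, and the two clustered nodes under sso.example.com.
HOSTS = ["cas.example.com", "fake-cas.example.com", "app.example.com",
         "cas1.sso.example.com", "cas2.sso.example.com", "app1.example.com"]

if __name__ == "__main__":
    for dom in ("example.com", "cas.example.com", "sso.example.com"):
        print(f"cookieDomain={dom}: TGT sent to {hosts_receiving_tgt(dom, HOSTS)}")
    print(tgt_set_cookie("TGT-1-placeholder", "cas.example.com", -1))
```

With Domain=example.com every host in the list, including app.example.com and the rogue fake-cas.example.com, sees the TGT cookie; scoping to sso.example.com covers exactly the two cluster nodes, which is the trade-off option (b) above describes.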
