If you use Apache in front of Tomcat/JBoss then just have Apache handle the problem and specify which URLs go to JBoss/Tomcat.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Mon, Oct 20, 2008 at 10:25 PM, David Whitehurst <[EMAIL PROTECTED]> wrote:
> Benn:
>
> The security guy believes that I should protect the CAS URL from crazy
> characters. The security people call this "SQL injection
> vulnerability". Even though we know that any URL after a /cas virtual
> is protected they still don't like it.
>
> I'm going to add a servlet filter to disallow any foreign characters
> on the URL and then pass some other error page. I can't explain this
> away so I'm just going to fix it for them.
>
> Thanks for the posts
>
> David
>
> On Mon, Oct 20, 2008 at 9:37 PM, Benn Oshrin <[EMAIL PROTECTED]> wrote:
> > I don't know where you're going with this, so I'll just come back to
> > the original point. CAS behaves like Apache would if you had a
> > directory foo protected by a .htaccess and you requested
> > foo/no-exist.html, which presumably doesn't exist. You get prompted
> > for credentials, and then are told no such file or directory.
> >
> > This sounds right. You're trying to access a protected resource, and
> > the state of existence of that resource is protected as well.
> >
> > -Benn-
> >
> > David Whitehurst <[EMAIL PROTECTED]> wrote on October 20, 2008 11:21:42 AM -0400:
> >
> > ] Scott:
> > ]
> > ] Your sentence is the key:
> > ]
> > ] You can configure this by editing your web.xml to whatever you'd like ;-)
> > ]
> > ] It starts with the question, "Is it truly an issue"?
> > ]
> > ] When a web server returns a resource for a bogus URL is that wrong? I
> > ] personally think that when businesses pay 50K for a tool to spot web
> > ] application security issues this is really wrong. Then, allowing that
> > ] to assist in hiring less-qualified security personnel is major wrong.
> > ] And, if the tool is wrong, wouldn't that raise some questions as to
> > ] whether the tool will even be effective for the primary goal of
> > ] application security?
> > ]
> > ] Let me be the devil's advocate, if you could install Confluence on
> > ] someone else's server, and you could access their database, and
> > ] install admin.php on the CAS virtual to start it, you could
> > ] effectively wreck their database through the CAS virtual. And the
> > ] recommendation is in: contact vendor for CAS product and revoke the
> > ] use of admin.php. Huh?
> > ]
> > ] Thanks Scott
> > ]
> > ] David
> > ]
> > ] On 10/20/08, Scott Battaglia <[EMAIL PROTECTED]> wrote:
> > ]> By default, if you access a CAS page and it does not exist, you are
> > ]> redirected to the CAS login page. You can configure this by editing
> > ]> your web.xml to whatever you'd like ;-)
> > ]>
> > ]> -Scott
> > ]>
> > ]> -Scott Battaglia
> > ]> PGP Public Key Id: 0x383733AA
> > ]> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > ]>
> > ]> On Mon, Oct 20, 2008 at 10:40 AM, David Whitehurst <[EMAIL PROTECTED]> wrote:
> > ]> >
> > ]> > Should the URL http://www.myserver.com/cas/database/mydb.mdb return
> > ]> > any HTML resource other than a CAS error page?
> > ]> >
> > ]> > I'm asking because a formal security scan of my CAS installation
> > ]> > has found an issue and I will respond with one of the two
> > ]> > responses:
> > ]> >
> > ]> > 1. The URL returns the CAS login page and I think this to be
> > ]> > correct.
> > ]> >
> > ]> > 2. The URL should return an error page and not provide a resource
> > ]> > of any kind.
> > ]> >
> > ]> > I'm asking this group what seems most reasonable. The login page
> > ]> > for me personally is best but I would like to gather some opinion
> > ]> > here.
> > ]> >
> > ]> > Thanks,
> > ]> >
> > ]> > David
>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
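One way to implement the servlet filter David describes, as an added example that is not code from this thread or from CAS itself: it lets through only the request paths a CAS 3.x deployment is expected to serve and answers everything else (such as /cas/database/mydb.mdb) with a plain 404, so a bogus URL is neither served nor redirected to the login page. The class name, the endpoint list and the static-resource directories are assumptions for this example; match them to what your own web.xml maps.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Hypothetical filter for the /cas web application (example code, not part of CAS).
 * Map it to /* in web.xml, ahead of the CAS servlet, so that a request whose path
 * is not a known endpoint or static asset gets a 404 instead of the login redirect.
 */
public class KnownPathsFilter implements Filter {

    // Assumed endpoint list for a CAS 3.x server; "" covers a bare /cas request.
    private static final Set<String> ENDPOINTS = new HashSet<String>(Arrays.asList(
            "", "/", "/login", "/logout", "/validate", "/serviceValidate",
            "/proxyValidate", "/proxy", "/samlValidate"));

    // Assumed static asset directories; only a conservative character set is allowed,
    // so percent-encoded or otherwise unusual characters never reach the CAS mappings.
    private static final Pattern STATIC = Pattern.compile(
            "^/(css|js|images|themes)/[A-Za-z0-9_./-]+$");

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Path relative to the context root: "/database/mydb.mdb" for /cas/database/mydb.mdb
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isKnownPath(path)) {
            chain.doFilter(req, res);
        } else {
            // No redirect to the login page: the redirect itself was the scanner's finding.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    /** Exact match for an endpoint, or a static asset path with no ".." segments. */
    static boolean isKnownPath(String path) {
        return ENDPOINTS.contains(path)
                || (STATIC.matcher(path).matches() && !path.contains(".."));
    }
}
```

The same whitelist can be expressed in Apache with one ProxyPass per endpoint and no catch-all, which is the approach Scott suggests when Apache already fronts Tomcat/JBoss.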
