• Browse
  • Pages
  • News
  • Labels
  • Attachments
  • Mail
  • Advanced
  • activity.name

  • People Directory
• Log In

1. Dashboard
2. > CAS Clients
3. > …
4. > Clients
5. > Java Client
6. > Yale Java Client
7. > Using the Host header for multiple DNS names

• Log In

Using the Host header for multiple DNS names

Added by Keith Zantow, last edited by Scott Battaglia on Feb 01, 2007  (view change)

Table of Contents Clients .Net Cas Client .Net Http module Acegi as CAS Client ASP.NET Forms Authentication AuthCAS CAS + Seam Web Applications CAS and JSR-168 CASBar- Toolbar for Firefox 2 CAS Client for Java 3.0 CAS Client for Java 3.1 CASP CAS Proxying with ASP.Net Forms Authentication ColdFusion client script Copy of CAS Client for Java 3.0 ISAPI Filter Java Client JSP Client mod_auth_cas MOD_CAS mod_python auth module PAM Module Perl Client phpCAS Prado client RPM Modules Ruby on Rails CAS Client Seraph as CAS Client Soulwing CAS Client Symfony CAS Client VBScript Virginia Tech CAS Clients WebObjects Client Yale CAS client distribution CASifying Applications CASifying Apache OFBiz CASifying Joomla 1.5 CASifying OpenCms CASifying SharePoint & ASP.NET Web Sites Confluence as CAS Client EZPublish Fisheye and Crucible Roller weblogger Tomcat uPortal Client WordPress Client Zimbra Zope client School Contributed Clients Virginia Tech Yale University

The "Host" header Updated to fix security vulnerability This patch has been modified to require one or more serverNames to be specified or the serviceURL. The edu.yale.its.tp.cas.client.filter.serverName parameter may be specified using a comma, semicolon, and space delimited list of allowable server names or used as before with a single server name. The same 3 files are the only ones that needed modification. Honoring the HOST header [CAS:only] is not secure NOTICE: I believe this patch opens you to the "forged host header" security exploit whereby an Adversary can use a service ticket intended for an arbitrary other service to authenticate to the application using this patch. This security issue is discussed at the CASFilter page. -Andrew Petro Do it! This is a pretty simple patch, only 3 files are affected. These are modified from the Java CAS Client 2.1.1 distribution. CAS:edu.yale.its.tp.cas.client.Util Add function to take a TreeSet of serverNames and a default server. It would attempt to match the allowable server names the "Host" header. If there is no match, it will return the default. CAS:edu.yale.its.tp.cas.client.filter.CASFilter Added support for configuration using multiple serverNames in a comma, space, and semilcolon delimited list. CAS:edu.yale.its.tp.cas.client.filter.CASValidateFilter Added support for configuration using multiple serverNames in a comma, space, and semilcolon delimited list. Load-balanced SSL-to-unecrypted app servers Unknown macro: {nocc} This patch also includes support for an SSL issue we needed to fix. We have a load balanacer which provides SSL support for non-SSL enabled application servers behind it. This causes the CAS Filter on the servers to think they are non-SSL servers and create a redirect URL with service=http://... This is bad as it causes security pop-ups in IE 6 and the users may end up using a non-SSL connection if the load balancer is set up wrong. The fix is for the load balancer to inject the "SSL-Https: on" header which we check for in the CAS Filter.

Labels parameters

Labels

Enter labels to add to this page:

 

Looking for a label? Just start typing.

Powered by a free Atlassian Confluence Open Source Project License granted to Java Architectures Special Interest Group. Evaluate Confluence today.

• Powered by Atlassian Confluence 2.9, the Enterprise Wiki.
• Printed by Atlassian Confluence 2.9, the Enterprise Wiki.
• Bug/feature request –
• Atlassian news –
• Contact administrators