[cas-dev] Soulwing java client and server name
Perryn Fowler
pezlists at gmail.com
Tue Dec 11 04:19:31 EST 2007
Hi,
Several years ago I wrote my own java CAS client as a servlet filter.
I remember that it was considered important not to construct the 'service'
parameter by use of anything like
request.getRequestUrl() and instead it was required that the deployer
provide a 'serverName' parameter for use in constructing the URL.
I remember there was a wiki page or something explaining why, but I can't
seem to find it now. Nevertheless, thinking about it I assume it was
so an attacker couldn't spoof the necessary http headers and gain access to
a service with a ticket for a different service.
Fast forward a few years and I've been asked to help out with a troubled CAS
installation. They are using the soulwing java client, largely because of
its out-of-the-box Confluence integration.
I was surprised to find that this client allows you to configure it so it
uses request.getRequestUrl() and in fact encourages you to in How-to
documentation.
Am I right in worrying about this, or am I missing something?
cheers
Perryn
--
-----------------------
Perryn Fowler
ThoughtWorks
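The concern in the message above, played out as an added example (this is not code from the soulwing client or from the CAS project). It simulates the CAS service-ticket exchange with an in-memory CAS server that, like a server with no service registry, issues a ticket for whatever service URL the login redirect names, and then runs the same client-filter validation step twice: once building the 'service' parameter the way request.getRequestURL() would (host taken from the Host header) and once with a deployer-configured serverName. The host names, path, ticket format and the Request stand-in are all assumptions made for this illustration.

```python
"""Added example (not the soulwing client's or the CAS project's code): a
simulation of the CAS service-ticket exchange showing why a client filter
must not build the 'service' parameter from request.getRequestURL(), whose
host part comes from the client-supplied Host header.  The in-memory CAS
server, the Request stand-in, the host names and the ticket format are all
assumptions made for this illustration."""
import secrets

SERVER_NAME = "confluence.example.org"   # assumed deployer-configured serverName
PATH = "/confluence/login.action"        # assumed path protected by the filter


class CasServer:
    """Minimal CAS server with no service registry: it issues a service
    ticket for whatever service URL the login redirect names."""

    def __init__(self):
        self._tickets = {}  # ticket -> (service URL it was issued for, user)

    def login(self, user, service):
        """User authenticates at CAS; CAS returns an ST bound to 'service'."""
        st = "ST-" + secrets.token_hex(8)
        self._tickets[st] = (service, user)
        return st

    def service_validate(self, service, ticket):
        """/serviceValidate: one-time ticket, and 'service' must equal the
        URL the ticket was issued for; returns the username or None."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        issued_for, user = entry
        return user if issued_for == service else None


class Request:
    """Constructed stand-in for the parts of HttpServletRequest we need."""

    def __init__(self, host, path, ticket):
        self.host = host      # Host header: chosen by whoever sends the request
        self.path = path
        self.ticket = ticket


def service_from_request_url(req):
    """Unsafe: what request.getRequestURL() reflects back, host included."""
    return f"https://{req.host}{req.path}"


def service_from_server_name(req):
    """Safe: host comes from the deployer's serverName; only the path is request-derived."""
    return f"https://{SERVER_NAME}{req.path}"


def validate_in_filter(cas, req, use_server_name):
    """The client filter's validation step under either service-building policy."""
    build = service_from_server_name if use_server_name else service_from_request_url
    return cas.service_validate(build(req), req.ticket)


def legitimate_login(use_server_name):
    """Normal flow: user hits the service, is sent to CAS, comes back with an ST."""
    cas = CasServer()
    first = Request(SERVER_NAME, PATH, ticket=None)
    build = service_from_server_name if use_server_name else service_from_request_url
    st = cas.login("alice", build(first))          # redirect to CAS and back again
    return validate_in_filter(cas, Request(SERVER_NAME, PATH, st), use_server_name)


def ticket_swap_attack(use_server_name):
    """Attacker lures alice to CAS with service=https://attacker.example/...,
    captures the ST issued for that service, then replays it against the real
    service while sending Host: attacker.example on the replay request."""
    cas = CasServer()
    stolen_st = cas.login("alice", f"https://attacker.example{PATH}")
    replay = Request("attacker.example", PATH, stolen_st)  # sent to the real server's address
    return validate_in_filter(cas, replay, use_server_name)


if __name__ == "__main__":
    print("getRequestURL, normal login:", legitimate_login(False))
    print("serverName,    normal login:", legitimate_login(True))
    print("getRequestURL, attack      :", ticket_swap_attack(False))  # alice: attacker is in
    print("serverName,    attack      :", ticket_swap_attack(True))   # None: rejected
```

Both policies accept the legitimate login; only the serverName policy rejects the replayed ticket, because the filter then asks CAS to validate against the real service's URL, which is not the one the ticket was issued for. A CAS server that restricts which services may obtain tickets would stop the first leg of this attack, but the client cannot assume that, and anything derived from the Host header (including getRequestURL() behind a proxy that forwards it unchanged) is under the sender's control.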