[cas-dev] Soulwing java client and server name

Scott Battaglia scott.battaglia at gmail.com
Tue Dec 11 08:03:47 EST 2007


Perryn,

All of the Yale and JASIG CAS Clients for Java require you specify a server
name or a serviceUrl.  Andrew Petro has detailed why in previous postings
(mostly related to not being able to trust Host headers).

You are correct that they should not be recommending that.  Can you point me
to the how-to that states this?

Thanks
-Scott

On Dec 11, 2007 4:19 AM, Perryn Fowler <pezlists at gmail.com> wrote:

> Hi,
>
> Several years ago I wrote my own java CAS client as a servlet filter.
>
> I remember that it was considered important not to construct the 'service'
> parameter by use of anything like
> request.getRequestUrl() and instead it was required that the deployer
> provide a 'serverName' parameter for use in constructing the URL.
>
> I remember there was a wiki page or something explaining why, but I can't
> seem to find it now. Nevertheless, thinking about it I assume it was
> so an attacker couldn't spoof the necessary http headers and gain access
> to a service with a ticket for a different service.
>
> Fast forward a few years and I've been asked to help out with a troubled
> CAS installation. They are using the soulwing java client, largely because
> of its out-of-the-box Confluence integration.
>
> I was surprised to find that this client allows you to configure it so it
> uses request.getRequestUrl() and in fact encourages you to in How-to
> documentation.
>
> Am I right in worrying about this, or am I missing something?
>
> cheers
> Perryn
>
> --
> -----------------------
> Perryn Fowler
> ThoughtWorks


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
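An added illustration, not code from the soulwing or the Yale/JASIG clients, of the two ways of building the CAS 'service' parameter that this thread contrasts: one derived from request.getRequestURL() (whose host part comes from the client-supplied Host header) and one anchored on a deployer-configured serverName. The class, method names and the example serverName value are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;

/**
 * Builds the CAS 'service' parameter. Only the path and query string are
 * taken from the request; the scheme and host come from configuration.
 */
public final class ServiceUrlBuilder {

    // Configured by the deployer, e.g. "https://wiki.example.edu" (hypothetical value)
    private final String serverName;

    public ServiceUrlBuilder(String serverName) {
        if (serverName == null || serverName.isEmpty()) {
            throw new IllegalArgumentException("serverName must be configured");
        }
        this.serverName = serverName.endsWith("/")
                ? serverName.substring(0, serverName.length() - 1) : serverName;
    }

    /** Host-header-derived variant: the host is whatever the client sent. */
    public static String fromRequestUrl(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        String query = request.getQueryString();
        return stripTicket(query == null ? url : url + "?" + query);
    }

    /** Configuration-anchored variant: request contributes only path and query. */
    public String fromConfiguredServerName(HttpServletRequest request) {
        String path = request.getRequestURI(); // includes the context path, no host
        String query = request.getQueryString();
        String url = serverName + path;
        return stripTicket(query == null ? url : url + "?" + query);
    }

    /** Drops any 'ticket' parameter so the URL matches the one sent to CAS login. */
    static String stripTicket(String url) {
        int q = url.indexOf('?');
        if (q < 0) return url;
        StringBuilder out = new StringBuilder(url.substring(0, q));
        boolean first = true;
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty() || pair.startsWith("ticket=")) continue;
            out.append(first ? '?' : '&').append(pair);
            first = false;
        }
        return out.toString();
    }
}
```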