[cas-dev] Soulwing java client and server name
Perryn Fowler
pezlists at gmail.com
Wed Dec 12 06:03:02 EST 2007
Hi Scott,
I have raised an issue at the soulwing site with all the details -
http://www.soulwing.org/jira/browse/SCC-18 ( I think you may need to
register to view it )
cheers
Perryn
PS For anyone who is interested I found the wiki page that explains the
exploit. http://www.ja-sig.org/wiki/display/CASC/CASFilter - perhaps this
page could be made harder to miss somehow?
On Dec 12, 2007 12:03 AM, Scott Battaglia <scott.battaglia at gmail.com> wrote:
> Perryn,
>
> All of the Yale and JASIG CAS Clients for Java require you specify a
> server name or a serviceUrl. Andrew Petro has detailed why in previous
> postings (mostly related to not being able to trust Host headers).
>
> You are correct that they should not be recommending that. Can you point
> me to the how-to that states this?
>
> Thanks
> -Scott
>
> On Dec 11, 2007 4:19 AM, Perryn Fowler < pezlists at gmail.com> wrote:
>
> > Hi,
> >
> > Several years ago I wrote my own java CAS client as a servlet filter.
> >
> > I remember that it was considered important not to construct the
> > 'service' parameter by use of anything like
> > request.getRequestUrl() and instead it was required that the deployer
> > provide a 'serverName' parameter for use in constructing the URL.
> >
> > I remember there was a wiki page or something explaining why, but I
> > can't seem to find it now. Nevertheless, thinking about it I assume it was
> > so an attacker couldn't spoof the necessary http headers and gain access
> > to a service with a ticket for a different service.
> >
> > Fast forward a few years and I've been asked to help out with a troubled
> > CAS installation. They are using the soulwing java client, largely because
> > of its out-of-the-box Confluence integration.
> >
> > I was surprised to find that this client allows you to configure it so
> > it uses request.getRequestUrl() and in fact encourages you to in How-to
> > documentation.
> >
> > Am I right in worrying about this, or am I missing something?
> >
> > cheers
> > Perryn
> >
> > --
> > -----------------------
> > Perryn Fowler
> > ThoughtWorks
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
>
--
-----------------------
Perryn Fowler
ThoughtWorks
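As an added illustration of the point the thread turns on (this is not code from the soulwing client, from the JASIG CAS clients, or from anyone in the thread), the helper below shows the two ways a servlet-filter CAS client can build its 'service' parameter side by side: one derived from request.getRequestURL(), whose host and port ultimately come from the client-controlled Host header, and one built from a deployer-configured serverName. It also shows a middle ground for multi-host deployments, where the Host header is only used to select among an allowlist of configured names. The class name ServiceUrlBuilder, the configuration values casLoginUrl and allowedServerNames, and the example hostnames are assumptions made for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/**
 * Illustrative helper (assumed names; not soulwing or JASIG code) showing how
 * a servlet-filter CAS client can build the 'service' parameter, and why
 * taking scheme/host/port from the request is the unsafe choice.
 */
public final class ServiceUrlBuilder {

    private final String casLoginUrl;             // assumed config, e.g. "https://cas.example.org/cas/login"
    private final Set<String> allowedServerNames; // assumed config, e.g. {"https://wiki.example.org"}

    public ServiceUrlBuilder(String casLoginUrl, Set<String> allowedServerNames) {
        this.casLoginUrl = casLoginUrl;
        this.allowedServerNames = Collections.unmodifiableSet(allowedServerNames);
    }

    /**
     * UNSAFE: request.getRequestURL() rebuilds scheme://host:port from the
     * request, and the host and port are taken from the Host header that the
     * client sent. The client therefore chooses which 'service' this filter
     * reports to CAS, which is the concern raised in the thread.
     */
    public static String serviceUrlFromRequest(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = stripTicketParameter(request.getQueryString());
        if (query.length() > 0) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * SAFE: scheme, host and port come from the deployer-supplied serverName
     * (e.g. "https://wiki.example.org"); only the path and query string are
     * taken from the request. The Host header plays no part.
     */
    public static String serviceUrlFromServerName(String serverName, HttpServletRequest request) {
        StringBuilder url = new StringBuilder(serverName);
        url.append(request.getRequestURI());
        String query = stripTicketParameter(request.getQueryString());
        if (query.length() > 0) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Middle ground for deployments that serve several hostnames: use the
     * request only to pick one entry from the configured allowlist. Returns
     * null when nothing matches; the filter should reject such a request
     * rather than fall back to the raw Host header.
     */
    public String resolveServerName(HttpServletRequest request) {
        String scheme = request.getScheme();
        int port = request.getServerPort();
        boolean defaultPort = ("https".equals(scheme) && port == 443)
                || ("http".equals(scheme) && port == 80);
        String candidate = scheme + "://" + request.getServerName()
                + (defaultPort ? "" : ":" + port);
        return allowedServerNames.contains(candidate) ? candidate : null;
    }

    /** Builds the redirect to the CAS login page with the service URL encoded. */
    public String loginRedirect(String serviceUrl) {
        try {
            return casLoginUrl + "?service=" + URLEncoder.encode(serviceUrl, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /** The service URL sent to CAS must not carry a stale 'ticket' parameter. */
    static String stripTicketParameter(String queryString) {
        if (queryString == null || queryString.length() == 0) {
            return "";
        }
        StringBuilder kept = new StringBuilder();
        for (String pair : queryString.split("&")) {
            if (pair.startsWith("ticket=")) {
                continue;
            }
            if (kept.length() > 0) {
                kept.append('&');
            }
            kept.append(pair);
        }
        return kept.toString();
    }
}
```

In a filter's doFilter, the defensive flow is: call resolveServerName (or use a single configured serverName), respond with an error when it returns null, build the service URL with serviceUrlFromServerName, and only then redirect to loginRedirect when no ticket is present; serviceUrlFromRequest is included purely to make the contrast visible and should not be wired into a deployment.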