[cas-dev] Soulwing java client and server name

Perryn Fowler pezlists at gmail.com
Wed Dec 12 06:07:47 EST 2007


Actually If I had been paying attention, I would have noticed that Carl
Harris ( the soulwing developer) was already on the case..
http://www.soulwing.org/jira/browse/SCC-17 <http://www.soulwing.org/jira/browse/SCC-18>

On Dec 12, 2007 10:03 PM, Perryn Fowler <pezlists at gmail.com> wrote:

> Hi Scott,
>
> I have raised an issue at the soulwing site with all the details -
> http://www.soulwing.org/jira/browse/SCC-18 ( I think you may need to
> register to view it )
>
> cheers
> Perryn
>
> PS For anyone who is interested I found the wiki page that explains the
> exploit. http://www.ja-sig.org/wiki/display/CASC/CASFilter - perhaps this
> page could be made harder to miss somehow?
>
>
> On Dec 12, 2007 12:03 AM, Scott Battaglia <scott.battaglia at gmail.com>
> wrote:
>
> > Perryn,
> >
> > All of the Yale and JASIG CAS Clients for Java require you specify a
> > server name or a serviceUrl.  Andrew Petro has detailed why in previous
> > postings (mostly related to not being able to trust Host headers).
> >
> > You are correct that they should not be recommending that.  Can you
> > point me to the how-to that states this?
> >
> > Thanks
> > -Scott
> >
> > On Dec 11, 2007 4:19 AM, Perryn Fowler <pezlists at gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Several years ago I wrote my own java CAS client as a servlet filter.
> > >
> > > I remember that it was considered important not to construct the
> > > 'service' parameter by use of anything like
> > > request.getRequestUrl() and instead it was required that the deployer
> > > provide a 'serverName' parameter for use in constructing the URL.
> > >
> > > I remember there was a wiki page or something explaining why, but I
> > > can't seem to find it now. Nevertheless, thinking about it I assume it was
> > > so an attacker couldn't spoof the necessary http headers and gain
> > > access to a service with a ticket for a different service.
> > >
> > > Fast forward a few years and I've been asked to help out with a
> > > troubled CAS installation. They are using the soulwing java client, largely
> > > because of its out-of-the-box Confluence integration.
> > >
> > > I was surprised to find that this client allows you to configure it so
> > > it uses request.getRequestUrl() and in fact encourages you to in
> > > How-to documentation.
> > >
> > > Am I right in worrying about this, or am I missing something?
> > >
> > > cheers
> > > Perryn
> > >
> > > --
> > > -----------------------
> > > Perryn Fowler
> > > ThoughtWorks
> > > _______________________________________________
> > > cas-dev mailing list
> > > cas-dev at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> > >
> > >
> >
> >
> > --
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >
> >
>
>
> --
> -----------------------
> Perryn Fowler
> ThoughtWorks




-- 
-----------------------
Perryn Fowler
ThoughtWorks
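The thread above turns on one design point: a CAS client must not build the
'service' parameter from request.getRequestURL(), because the host part of that
URL comes from the client-supplied Host header, and must instead take the scheme
and host from a deployer-configured serverName. The following added example (not
code from the Soulwing or JASIG clients, nor from any poster in this thread)
models both strategies in Python with a constructed stand-in for a servlet
request and shows how a forged Host header changes the service URL under the
first strategy but not the second. The class, function and host names are
hypothetical.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit


class FakeRequest:
    """Constructed stand-in for a servlet request (hypothetical, for the demo).

    'host_header' is whatever the client put in the HTTP Host header; the
    container does not verify it, so an attacker controls it.
    """

    def __init__(self, scheme, host_header, path, query=""):
        self.scheme = scheme
        self.host_header = host_header
        self.path = path
        self.query = query

    def get_request_url(self):
        # Mirrors request.getRequestURL(): the authority is taken from Host.
        return urlunsplit((self.scheme, self.host_header, self.path, "", ""))


def service_from_request(req):
    """Unsafe strategy: service URL derived from the request itself.

    Scheme, host and port all come from data the client sent, so the
    resulting 'service' value is attacker-influenced.
    """
    url = req.get_request_url()
    return url + ("?" + req.query if req.query else "")


def service_from_config(server_name, req):
    """Safe strategy: scheme and authority come from the deployer's serverName.

    Only the path and query string are taken from the request. If serverName
    is given as a bare host, https is assumed (an assumption of this demo).
    """
    if "://" not in server_name:
        server_name = "https://" + server_name
    scheme, netloc, _, _, _ = urlsplit(server_name)
    return urlunsplit((scheme, netloc, req.path, req.query, ""))


def login_redirect(cas_login_url, service):
    """Build the redirect to the CAS login page carrying the service URL."""
    return cas_login_url + "?" + urlencode({"service": service})


def demo():
    """Compare both strategies on a request with a forged Host header."""
    configured_server = "https://confluence.example.edu"  # hypothetical
    # Constructed request: the path is legitimate, the Host header is not.
    req = FakeRequest("https", "evil.example.net",
                      "/confluence/dashboard.action", "x=1")
    unsafe = service_from_request(req)
    safe = service_from_config(configured_server, req)
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("from request:", login_redirect("https://cas.example.edu/cas/login", unsafe))
    print("from config: ", login_redirect("https://cas.example.edu/cas/login", safe))
```

Run it and the first redirect carries a service URL on evil.example.net while
the second stays on the configured host regardless of what the client sent in
Host. The same split applies to the serviceUrl option mentioned by Scott: either
way, nothing in the 'service' value should originate from a request header.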