CAS 3.0 upgrade : new security alert

Chandra Ambadipudi chandrasekhar.ambadipudi at phoenix.edu
Thu Aug 3 22:05:07 EDT 2006


Scott and team,
    
    First of all, thank you very much for these detailed instructions. I tried them and it all worked like a charm.

    Now I have one more question. How does CAS work if my application is behind the firewall? I have one application deployed in a two-machine cluster (let's say Machine A and Machine B). They are both load balanced using DNS round robin, and the load balancer itself maps on to a common name. My applications are not on HTTPS, but I have generated certificates for the two machines A & B so that they can use SSL for service ticket validation. Is this setup correct, or should I generate a certificate for the clustered URL and put that on both machines? The connection from servers A & B can go to my CAS machine directly (it doesn't have to be re-routed through the load balancer again).

Please advise,
Thanks
Chandra

________________________________

From: cas-bounces at tp.its.yale.edu on behalf of Scott Battaglia
Sent: Wed 7/26/2006 9:13 PM
To: Yale CAS mailing list
Subject: Re: CAS 3.0 upgrade : new security alert



Chandra,

First you'll need to make a JSP page that creates the JavaScript you
need, constructing the redirect url from the service parameter and the
ticket (which should be in the request attribute).  You'll want to
define this JSP page in the default_views.properties file.  An example
entry is:

casLoginGenericSuccessView.(class)=org.springframework.web.servlet.view.JstlView
casLoginGenericSuccessView.url=/WEB-INF/view/jsp/default/ui/casGenericSuccess.jsp


Next, you'll need to modify the web-flow.xml
http://developer.ja-sig.org/source/browse/jasig/cas3/webapp/WEB-INF/login-webflow.xml?r=1.7

You'll need to change the end-state titled "redirect".  The view will
need to become the name of the JSP page, as referenced in the
view.properties file that you modified (in the example above, the name
is casLoginGenericSuccessView).

-Scott

Chandra Ambadipudi wrote:
>       Thank you very much for the reply. Makes sense now, because we
> were wondering what in CAS 3.0 could do something like this and we
> played with all options in properties :)
>
>       I would like to get further information on replacing the redirect
> with JavaScript; could you please refer me to what I need to do for this?
> As much as I like this alert information on the internet, we are pretty much
> using it on an intranet and I don't think we need this at all for our
> purpose. Definitely if there is a way to avoid that I would take that
> approach.
>
> Thanks
> Chandra
>
>
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
> On Behalf Of Scott Battaglia
> Sent: Tuesday, July 25, 2006 12:08 PM
> To: Yale CAS mailing list
> Subject: Re: CAS 3.0 upgrade : new security alert
>
> You are most likely receiving the alert because CAS3 uses HTTP redirects
> (302 response) to tell the browser to redirect to the application. CAS 2
> utilized JavaScript redirects to accomplish a similar thing.
>
> If running your applications on HTTPS is not an option (though we
> recommend it), you can replace the CAS3 redirect with a similar JSP page
> to the one that CAS 2 has. I'm not sure if there is a way to have IE
> disable that warning message.
>
> If you want details on replacing the redirect with JavaScript, let me
> know.
>
> -Scott
>
> Scott Battaglia
> Application Developer, Architecture & Engineering Team
> Enterprise Systems and Services, Rutgers University
> v: 732.445.0097 | f: 732.445.5493 | scott_battaglia at rutgers.edu
>
>
>
> Chandra Ambadipudi wrote:
>  
>> Hi,
>>
>> We are using CAS for an internal SSO solution for over a year. We
>> have CAS hosted on https and our participating applications are on
>> http. When I tried to upgrade to 3.0 we are receiving a new alert from
>> IE (6.0 sp2). The alert is displayed after successful authentication
>> in CAS and right before we actually are forwarded to our application
>> (which is on http). The alert titled "Security Alert" says that "You
>> are about to be redirected to a non-secure channel do you want to
>> proceed....etc". While researching on it, it seems like a genuine alert
>> (per Microsoft documentation) except that we were not getting this
>> error using CAS 2.0. When I rolled back to 2.0 I don't see this
>> warning; if it is a pure IE related thing I should get it with CAS 2.0
>> also, right? (Even in 2.0 the setup is the same: CAS is on an https machine
>> and everything else is on http.) Is there something I am missing
>> here? Is there a way I can force the system not to display this
>> message?
>>
>> Any help is greatly appreciated,
>>
>> Thanks
>>
>> Chandra
>>

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas

