CAS and SSL

Scott Battaglia scott.battaglia at gmail.com
Tue May 1 18:00:58 EDT 2007


I've used it without SSL to quickly throw up a CAS instance to test.
However, as you said, it's not very secure that way, and it should never be
deployed in production like that.

-Scott

On 5/1/07, Andrew Petro <apetro at unicon.net> wrote:
>
>  I hasten to note that there's a reason the Yale Java CAS client has a
> hardcoded check that the URLs it is using to communicate with CAS are SSL
> secured -- performing the CAS protocol over insecure channels is not secure,
> introducing the potential for man-in-the-middle attacks.
>
> I don't understand the appeal in turning off SSL.  SSL is core to the
> security of the CAS protocol and to the concept of a CAS server as a trusted
> intermediary.
>
> Andrew
>
> Scott Battaglia wrote:
>
> You can deploy the CAS Server without SSL and it will function fine. The
> only change would be:
>
> 1. In the cas-servlet.xml, the two cookie generators need the "secure"
> property set to false.
> 2. If you plan on doing proxy callback to clients without SSL, the
> HttpBasedServiceCredentialsAuthenticationHandler needs to be configured to
> allow non-HTTPS URLs.  It's a property on the handler.
>
> I believe that is everything for the server.  On the clients, it depends
> on the client.  For the Yale CAS Client, there is a hardcoded check for
> https that would need to be removed.
>
> -Scott
>
> On 5/1/07, webzo <webzo2000 at yahoo.com> wrote:
> >
> >   I have some questions about CAS and SSL.
> >
> > What parts of CAS actually require SSL? The client (CASFilter) seems to
> > require that the validateUrl callback be "https" rather than "http". How
> > about the server side? What parts there require that SSL be used? The reason for
> > these questions is that I am trying to find out if there is a way to use
> > CAS without installing certificates. I know Scott, Andrew and others on
> > this forum have stated many times that CAS should be used with SSL. Still, I
> > am in a situation where I need to use CAS without any certificates being
> > installed (because it is going to be hard to install them on the system in
> > question).
> > I saw a message (http://tp.its.yale.edu/pipermail/cas/2006-April/002652.html)
> > where the implication seemed to be that SSL can be disabled with code
> > changes. Can someone (Scott?) please provide more information on how to do
> > this?
> >
> > Thanks
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> >
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
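The client-side checks this thread keeps coming back to, written out as an added Python example (this is illustration code, not code from the Yale CAS client, the CAS server, or anyone on the list): a validateUrl that is refused unless it is https, as the Yale client's hard-coded check does; a parser for the CAS 2.0 serviceValidate response that never treats a truncated or tampered body as a login; and a check that the ticket-granting cookie the server sets carries the Secure attribute, which is what the "secure" property on the cookie generators controls. The hostnames, the cookie name CASTGC and the two XML responses are constructed for the example, not captured traffic.

```python
"""Checks a CAS client should make before trusting a CAS server over the wire.

Added example; not code from the Yale CAS client, the CAS server or this
thread.  Hostnames, cookie name and XML bodies below are constructed.
"""
from urllib.parse import urlsplit, urlunsplit, urlencode
import xml.etree.ElementTree as ET

# Namespace used by CAS 2.0 protocol responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def require_https(url: str) -> str:
    """Reject any CAS URL that is not https, as the Yale client does.

    Over plain http an on-path attacker can answer the ticket-validation
    request with a forged success response and log in as any user, and can
    read the ticket-granting cookie straight off the wire.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"CAS URL must be https, got {url!r}")
    return url


def build_validate_url(validate_url: str, service: str, ticket: str) -> str:
    """Build the serviceValidate request URL, enforcing https first."""
    parts = urlsplit(require_https(validate_url))
    query = urlencode({"service": service, "ticket": ticket})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_validation_response(xml_text: str) -> str:
    """Return the authenticated user from a CAS 2.0 serviceValidate response.

    Raises PermissionError on <cas:authenticationFailure> and on anything
    that is not a well-formed success, so a damaged body is never a login.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise PermissionError(f"CAS rejected ticket: {failure.get('code')}")
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not (user.text or "").strip():
        raise PermissionError("no cas:authenticationSuccess/cas:user in response")
    return user.text.strip()


def cookie_is_secure(set_cookie_header: str, name: str = "CASTGC") -> bool:
    """True if the named cookie in a Set-Cookie header carries Secure.

    This is what the cookie generators' "secure" property controls on the
    server: without it the browser also sends the ticket-granting cookie
    over http.  CASTGC as the cookie name is an assumption of this example.
    """
    pieces = [p.strip() for p in set_cookie_header.split(";")]
    if not pieces or not pieces[0].startswith(name + "="):
        return False
    return any(p.lower() == "secure" for p in pieces[1:])


# Constructed sample responses, not captured traffic.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    url = build_validate_url("https://cas.example.edu/cas/serviceValidate",
                             "https://app.example.edu/login", "ST-1-abc")
    print(url)
    print(parse_validation_response(SUCCESS_RESPONSE))
    for bad in ("http://cas.example.edu/cas/serviceValidate",):
        try:
            require_https(bad)
        except ValueError as e:
            print("refused:", e)
    print(cookie_is_secure("CASTGC=TGT-1-x; Path=/cas; Secure"))
    print(cookie_is_secure("CASTGC=TGT-1-x; Path=/cas"))
```

Removing the https check from the client, as the thread describes, amounts to deleting require_https: every other function still works, but the validate response it parses can then come from anyone on the path between the application and the CAS server.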

