CAS and SSL
webzo
webzo2000 at yahoo.com
Tue May 1 18:25:56 EDT 2007
Scott, Andrew- Thanks for the response.
I fully understand the implications of not using SSL. The idea is to deploy CAS and the webapps using CAS within an appliance and pottentially with no support from an administrator during installation of the appliance. So, in order to reduce complexity and chances of installation failure, we may need to turn off SSL. It is possible that we won't have to do it, however, I needed a plan B.
I will try what's described by Scott.
Thanks again.
----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Tuesday, May 1, 2007 3:00:58 PM
Subject: Re: CAS and SSL
I've used it without SSL to quickly throw up a CAS instance to test. However, as you said, its not very secure that way. And should never be deployed in production like that.
-Scott
On 5/1/07, Andrew Petro <apetro at unicon.net> wrote:
I hasten to note that there's a reason the Yale Java CAS client has a hardcoded check that the URLs it is using to communicate with CAS are SSL secured -- performing the CAS protocol over insecure channels is not secure, introducing the potential for man-in-the-middle attacks.
I don't understand the appeal in turning off SSL. SSL is core to the security of the CAS protocol and to the concept of a CAS server as a trusted intermediary.
Andrew
Scott Battaglia wrote:
You can deploy the CAS Server without SSL and it will function fine. The only change would be:
1. In the cas-servlet.xml, the two cookie generators need the "secure" property set to false.
2. If you plan on doing proxy callback to clients without SSL, the HttpBasedServiceCredentialsAuthenticationHandler needs to be configured to allow non-https urls. Its a property on the handler.
I believe that is everything for the server. On the clients, it depends on the client. For the Yale CAS Client, there is a hardcoded check for https that would need to be removed.
-Scott
On 5/1/07, webzo <webzo2000 at yahoo.com> wrote:
I have some questions about CAS and SSL.
What parts of CAS actually require SSL? The client (CASFilter) seems to require that the validateUrl callback be "https" rather than "http". How about the server side? What parts there require SSL be used? The reason for these questions are that I am trying to find out if there is a way to use CAS without installing certificates. I know, Scott, Andrew and others on this forum have stated many times that CAS should be used with SSL. Still, I am in a situation where I need to use CAS with out any certificates being installed (because it is going to be hard to install it on the system in question).
I saw a message ( http://tp.its.yale.edu/pipermail/cas/2006-April/002652.html) where the implication seemed to be that SSL can be disabled with code changes. Can someone (Scott?) please provide more information on how to do this?
Thanks
Ahhh...imagining that irresistible "new car" smell?
Check out new cars at Yahoo! Autos.
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________Yale CAS mailing listcas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20070501/01840fd1/attachment.html
More information about the cas
mailing list