ServerName Property
Andrew Petro
apetro at unicon.net
Wed Sep 5 12:44:06 EDT 2007
Dom,
Is there actually value in remembering which DNS value to use, or would
it be acceptable to always switch people over to a canonical one as part
of the login user experience?
One canonical name for any given application is usually enough, with
potentially many aliases leading into that application. It's a thought.
Alternatively, use a filter to set a cookie before authentication time
to remember this user preference of what the hostname is desired to look
like. Do the CAS authentication with a canonical hostname. Then
post-authentication use another filter to redirect the user back to the
hostname she desires to experience. Basically, what this amounts to:
use Host: anything you like that doesn't actually matter. User
preferences. Skinning. Whatever. But it cannot be relied upon for
security.
Yet another idea that comes to mind: choosing among a finite set of
well known hostnames actually controlled by you is fine. You needn't
care whether the hostname is www.mysite.com or www.mysite.co.uk , so
long as you actually control both those DNS entries, and so long as you
use for validation the same one that was used to acquire the service
ticket. What you do need to care about is that the hostname you use for
validation is one you control, and not some other hostname that someone
else controls and so might illicitly proxy to your application.
So modifying the CASFilter etc. to use Host: to select among a set of
known-good hostnames would be fine. What is not fine is blindly
accepting arbitrary values presented by Host:.
Andrew
> Hi Andrew.
>
> I see the security issue here, and I certainly don't want to reduce security. So
> let me flip this on its head and get back to my real world situation.
>
> I have a web site that uses CAS. I have two DNS entries (dotCom and dotCoUK)
> that point to my server and use apache virtual hosts to handle the two host
> names. I cannot use a static client server name property because I have two
> values. www.mysite.com and www.mysite.co.uk.
>
> My solution to the problem was to use the request.getServerName(). I knew that
> you had chosen to use a property for a good reason, which I now understand.
>
> However, I cannot see another solution to fix this. In my situation, Bobs.files
> and Evil.eve are the same app.
>
> This has taken much of your time and I do appreciate that. I will push my luck
> and ask for a final word from you on this post.
>
> Thanks again.
>
> Dom
>
> PS. I would be happy to add to the wiki on this or other points if you feel that
> it would be helpful to the project.
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
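The selection rule Andrew describes (accept Host: only when it names one of the hostnames you control, otherwise fall back to a canonical name, and use that same name both to acquire and to validate the service ticket) can be shown in a few lines. The class below is an added illustration, not code from the CAS client or from either poster; the class name, the `select`/`serviceUrl` methods and the sample Host: values are all constructed for the example, and the hostnames are the ones from the thread.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Chooses the hostname a CAS client puts in its service URL.
 * Hypothetical helper for this example; it is not part of the CAS client.
 */
public final class ServiceHostSelector {

    private final String canonicalHost;        // e.g. www.mysite.com
    private final Set<String> knownGoodHosts;  // every DNS name we control

    public ServiceHostSelector(String canonicalHost, Set<String> knownGoodHosts) {
        this.canonicalHost = normalize(canonicalHost);
        Set<String> hosts = new HashSet<>();
        for (String h : knownGoodHosts) {
            hosts.add(normalize(h));
        }
        hosts.add(this.canonicalHost);
        this.knownGoodHosts = Collections.unmodifiableSet(hosts);
    }

    /** Lower-cases and strips any :port so "WWW.MySite.com:443" matches "www.mysite.com". */
    static String normalize(String host) {
        if (host == null) {
            return "";
        }
        String h = host.trim().toLowerCase(Locale.ROOT);
        // For a bracketed IPv6 literal, only look for the port separator after the ']'
        int bracket = h.indexOf(']');
        int colon = h.indexOf(':', bracket < 0 ? 0 : bracket);
        return colon >= 0 ? h.substring(0, colon) : h;
    }

    /**
     * Returns the Host: value when it is one of our own hostnames,
     * otherwise the canonical hostname. An unknown value is never returned,
     * so a hostname someone else controls can never end up in the service URL.
     */
    public String select(String hostHeader) {
        String h = normalize(hostHeader);
        return knownGoodHosts.contains(h) ? h : canonicalHost;
    }

    /**
     * Builds the service URL. The same method must be used when redirecting
     * to CAS login (ticket acquisition) and when calling serviceValidate,
     * so both sides of the exchange agree on the hostname.
     */
    public String serviceUrl(String hostHeader, String requestUri) {
        return "https://" + select(hostHeader) + requestUri;
    }

    public static void main(String[] args) {
        Set<String> ours = new HashSet<>();
        ours.add("www.mysite.com");
        ours.add("www.mysite.co.uk");
        ServiceHostSelector sel = new ServiceHostSelector("www.mysite.com", ours);

        // Constructed sample Host: values, as a browser, proxy or odd client might send them.
        String[] samples = { "www.mysite.co.uk", "WWW.MYSITE.CO.UK:443", "evil.eve", null };
        for (String s : samples) {
            System.out.println(String.valueOf(s) + " -> " + sel.serviceUrl(s, "/app/"));
        }
    }
}
```

The two .co.uk forms both resolve to the .co.uk service URL, while the unrecognised and missing Host: values both fall back to the canonical www.mysite.com. Wiring this into a servlet filter means calling `serviceUrl` in the same place the existing CASFilter currently reads its static server name property, for the login redirect and for validation alike.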