ServerName Property
Andrew Petro
apetro at unicon.net
Wed Sep 5 13:44:43 EDT 2007
Dom,

What was wrong with the idea of using request.getServerName() and
validating it against a configured set of allowable server names, namely
the set of {www.mysite.com, www.mysite.co.uk}?

Again, the issue is if you allow the requestor to convince you of an
arbitrary server name, not if you allow the requestor to guide you in
selecting among known good server names.

Andrew

> Hi Andrew
>
> I can see the security issue here, and I thank you for your time.
>
> A final word then.
>
> But in my situation bobfiles.com and evil.eve.com are the same app. I'm using
> apache to virtual host this app so that www.mysite.com and www.mysite.co.uk go
> to the same web application.
>
> Do you have another way I can co-host without using the request.getServerName? I
> cannot use a static property because only one site will work, and I don't want to
> double deploy my site.
>
> Thanks
> Dom
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
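
Added example, not part of the original message and not CAS client code: one way to do the check described above, where the value from request.getServerName() only selects among configured names and is never echoed back. The class name AllowedServerNames and the fallback to the first configured name are assumptions made for illustration.

```java
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical helper: chooses the server name used when building a service URL. */
public class AllowedServerNames {
    private final Set<String> allowed = new LinkedHashSet<>();
    private final String defaultName;

    /** The first configured name doubles as the fallback (an assumption of this example). */
    public AllowedServerNames(String... configuredNames) {
        if (configuredNames.length == 0) {
            throw new IllegalArgumentException("at least one server name is required");
        }
        for (String name : configuredNames) {
            allowed.add(normalize(name));
        }
        defaultName = normalize(configuredNames[0]);
    }

    private static String normalize(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        // A fully qualified host name may arrive with a trailing dot.
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    /**
     * @param requestServerName the value of request.getServerName(), which the client controls
     * @return a configured name: the one the request matched, otherwise the default
     */
    public String select(String requestServerName) {
        if (requestServerName != null) {
            String candidate = normalize(requestServerName);
            if (allowed.contains(candidate)) {
                return candidate; // equal to a configured value, so nothing arbitrary gets through
            }
        }
        return defaultName;
    }

    public static void main(String[] args) {
        AllowedServerNames names = new AllowedServerNames("www.mysite.com", "www.mysite.co.uk");
        // Constructed sample values standing in for request.getServerName()
        String[] samples = {"www.mysite.co.uk", "WWW.MySite.com.", "evil.eve.com", null};
        for (String host : samples) {
            System.out.println(host + " -> " + names.select(host));
        }
    }
}
```

Both virtual hosts keep working from a single deployment, while an unrecognised name such as evil.eve.com resolves to www.mysite.com.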