SEC-2127: Support multiple hostnames #2353
Comments
Rob Winch said: I don't think this is necessary. As discussed in this thread on the forums, you should properly configure your application server to work behind a proxy. There are a few custom properties you need to add to WebSphere to get this to work:
In short, I don't think this is a necessary enhancement. If you disagree, please provide a little more detail as to why you feel the proposed solution does not work.
Condor said: Thanks for the info. I'll have a look at those WebSphere config options tomorrow. But at most that would solve issue 2 and not 1 and 3. The main issue remains that you can only specify one (absolute) CAS service URL.
Rob Winch said: I think this is a valid request. I will rephrase to ensure we are on the same page. Given the configuration settings, we should be able to have a configuration (out of the box) that uses the current HttpServletRequest object to create the service URL. For now you can ensure your application uses an instance of ServiceAuthenticationDetails for the Authentication.getDetails() and it will use the serviceUrl within it. The default implementation of this will use the current URL to create the service URL which works well for PGTs for REST services. You can create your own implementation that returns the authentication URL with the current host. There are some details about this within the reference.
Condor said: Thanks, that would indeed be a good solution to issue 1. Tomorrow I'll also have a look at those classes you mentioned. And what is your take on issue 3?
Rob Winch said: I think for issue 3 you should probably be sending the user to a controller after successful logout and implementing the logic to redirect to in the controller. This decouples your logic from Spring Security. It is not all that common for the CAS Server to be hosted on multiple domains as this prevents SSO (i.e. the TGT cookie will not be found if the domains switch).
Condor said: No, I think you misunderstood. The CAS server is on a single host name (otherwise CAS wouldn't work, as you already mention). My goal is that after single logout on the CAS server I want to redirect to a public page on the original webserver. The CAS server has an option to allow a service parameter for this. I just needed to create a logout handler that added this parameter to the request.
Condor said: True, the solution was simple, but maybe more people could benefit from an extended SimpleUrlLogoutSuccessHandler that allows adding a service parameter to the defaultTargetUrl. This is of course only required when you need a service parameter with the domain copied from the request URL, otherwise you can simply include the parameter in the defaultTargetUrl itself.
Condor said: Coming back to your ServiceAuthenticationDetails reference. That was not the only thing that needed changing:
Puneet Goyal said: @condor, could you please elaborate on your fix? I am experiencing the same issue.
Condor said: Example implementation for CAS 3.5.2
Condor said: These example files implement all three changes mentioned above. For issue 3 the CAS server was configured with:
Puneet Goyal said: Thanks for the prompt response. Don't we need only "/j_spring_cas_security_check" here, as the rest of the absolute URL will be constructed at runtime using the request object?
Condor said: It's not required when ${cas.service.url} is just a host, but I included it in case it contained a path too. The security-context.xml is a context file that is included in my web-context.xml, so it does not contain the context for a complete application.
Puneet Goyal said: Thanks for the fix, I really appreciate the prompt response.
Rob Winch said: You might take a look at the discussion on SEC-1374 which talks about how using the host name opens up an exploit.
Condor said: Good point. I should add validation to only allow predefined hosts.
This issue relates to #1617
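As an added illustration of the host validation suggested above (this is not code from the issue, from Condor's attachments, or from Spring Security itself), the following details source builds the CAS service URL from the current request but only trusts the request's host when it is in a predefined allowlist; the class name, the allowlist, the fallback host and the `servicePath` value are assumptions.

```java
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails;

/**
 * Hypothetical AuthenticationDetailsSource: derives the CAS service URL from the
 * incoming request so several hostnames can be served, but only echoes the
 * request host when it matches a predefined set (the SEC-1374 concern is that a
 * client-supplied Host header would otherwise end up in the service URL).
 */
public class AllowedHostServiceAuthenticationDetailsSource
        implements AuthenticationDetailsSource<HttpServletRequest, ServiceAuthenticationDetails> {

    // Serializable holder, as ServiceAuthenticationDetails extends Serializable.
    static final class FixedServiceAuthenticationDetails implements ServiceAuthenticationDetails {
        private static final long serialVersionUID = 1L;
        private final String serviceUrl;
        FixedServiceAuthenticationDetails(String serviceUrl) { this.serviceUrl = serviceUrl; }
        public String getServiceUrl() { return serviceUrl; }
    }

    private final Set<String> allowedHosts; // lower-case hostnames (assumed allowlist)
    private final String fallbackHost;      // used when the request host is not allowed
    private final String servicePath;       // e.g. "/j_spring_cas_security_check"

    public AllowedHostServiceAuthenticationDetailsSource(Set<String> allowedHosts,
            String fallbackHost, String servicePath) {
        this.allowedHosts = Collections.unmodifiableSet(allowedHosts);
        this.fallbackHost = fallbackHost;
        this.servicePath = servicePath;
    }

    @Override
    public ServiceAuthenticationDetails buildDetails(HttpServletRequest request) {
        String scheme = request.getScheme();
        int port = request.getServerPort();
        String host = request.getServerName().toLowerCase();
        if (!allowedHosts.contains(host)) {
            host = fallbackHost; // do not propagate an unexpected Host header
        }
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        String serviceUrl = scheme + "://" + host + (defaultPort ? "" : ":" + port)
                + request.getContextPath() + servicePath;
        return new FixedServiceAuthenticationDetails(serviceUrl);
    }
}
```

Wire it in with `CasAuthenticationFilter.setAuthenticationDetailsSource(...)`; the provider then uses `getServiceUrl()` from `Authentication.getDetails()` as Rob describes above, and the service URL sent to the CAS server for validation is the one built here rather than the single absolute value from `ServiceProperties`.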
Can you provide a URL for the example of CAS 3.5.2?
Condor (Migrated from SEC-2127) said:
I have 3 related problems with the Spring Security CAS client:
This all works, but I assume that more people are having this problem. So I would like to request that these features are added to the library. Thanks.