Interesting. You guys really have thought through very many possible attacks and have accounted for each of them!
So the most secure way is to statically configure the server name. However, this makes life difficult for those of us who deploy to development, test, and production environments. Static configuration of the server name means that we need a different configuration for each deployment, and that makes the deployment scripts much more complicated.

A more convenient (and I think still nearly as secure) method might be to use the host header, but validate it. In other words, the client configuration contains a white list of acceptable server names. We can then list all possible server names (such as names for dev, test, and production) in the single configuration file so that the same file will work for all three environments.

Nathan Kopp
Applications Strategist
Information Technology Group
Campus Crusade for Christ, Int'l
407-826-2939 Office | 407-484-8485 Mobile | 407-826-2968 Fax

From: Scott Battaglia [mailto:scott.battag...@gmail.com]
Sent: Tuesday, March 02, 2010 9:39 AM
To: cas-dev@lists.jasig.org
Subject: Re: [cas-dev] Getting Rid of Computed Service Name

What Consequences?

Please see the FAQ that Luke pointed out. There's a reason WHY we don't use the host header. And it's not because we don't know it exists ;-)
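
The allow-list check proposed in the message above, sketched as an added example that is not part of the original thread and is not CAS client code. The class, method and host names are hypothetical, and the `https` scheme is an assumption.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

// Added illustration: class, method and host names are hypothetical, not CAS client code.
public final class ServerNameAllowList {
    private final Set<String> allowed = new HashSet<>();

    // One list covers every deployment (dev, test, production), so the same
    // configuration file can ship to all three environments.
    public ServerNameAllowList(Collection<String> serverNames) {
        for (String name : serverNames) {
            allowed.add(name.trim().toLowerCase(Locale.ROOT));
        }
    }

    // Exact match after case folding only. Anything else (unknown host, unlisted
    // port, trailing dot, embedded '@' or '/', empty value) is not in the set.
    public Optional<String> validate(String hostHeader) {
        if (hostHeader == null) {
            return Optional.empty();
        }
        String candidate = hostHeader.trim().toLowerCase(Locale.ROOT);
        return allowed.contains(candidate) ? Optional.of(candidate) : Optional.empty();
    }

    // Builds the service URL from the validated name (scheme fixed to https as an
    // assumption); an empty result means the request should be refused.
    public Optional<String> serviceUrl(String hostHeader, String path) {
        return validate(hostHeader).map(name -> "https://" + name + path);
    }

    public static void main(String[] args) {
        ServerNameAllowList list = new ServerNameAllowList(List.of(
                "app-dev.example.org:8443", "app-test.example.org", "app.example.org"));
        // Constructed Host header values, as a servlet would read them from the request.
        String[] headers = {"app.example.org", "APP-TEST.example.org",
                "app-dev.example.org:8443", "app.example.org:8443",
                "unlisted.example.net", "app.example.org@unlisted.example.net", ""};
        for (String h : headers) {
            System.out.println("'" + h + "' -> "
                    + list.serviceUrl(h, "/secure/home").orElse("REJECTED"));
        }
    }
}
```

The service URL is only ever built from a value that equals a configured entry, so a header that is not on the list never reaches the redirect to the CAS server.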