Dom, Is there actually value in remembering which DNS value to use, or would it be acceptable to always switch people over to a canonical one as part of the login user experience?
One canonical name for any given application is usually enough, with potentially many aliases leading into that application. It's a thought.

Alternatively, use a filter to set a cookie before authentication time to remember this user preference of what the hostname is desired to look like. Do the CAS authentication with a canonical hostname. Then post-authentication use another filter to redirect the user back to the hostname she desires to experience.

Basically, what this amounts to: use Host: for anything you like that doesn't actually matter. User preferences. Skinning. Whatever. But it cannot be relied upon for security.

Yet another idea that comes to mind: choosing among a finite set of well-known hostnames actually controlled by you is fine. You needn't care whether the hostname is www.mysite.com or www.mysite.co.uk, so long as you actually control both those DNS entries, and so long as you use for validation the same one that was used to acquire the service ticket. What you do need to care about is that the hostname you use for validation is one you control, and not some other hostname that someone else controls and so might illicitly proxy to your application.

So modifying the CASFilter etc. to use Host: to select among a set of known-good hostnames would be fine. What is not fine is blindly accepting arbitrary values presented by Host:.

Andrew

> Hi Andrew.
>
> I see the security issue here, and I certainly don't want to reduce security. So
> let me flip this on its head and get back to my real world situation.
>
> I have a web site that uses CAS. I have two DNS entries (dotCom and dotCoUK)
> that point to my server and use apache virtual hosts to handle the two host
> names. I cannot use a static client server name property because I have two
> values: www.mysite.com and www.mysite.co.uk.
>
> My solution to the problem was to use the request.getServerName(). I knew that
> you had chosen to use a property for a good reason, which I now understand.
>
> However, I cannot see another solution to fix this. In my situation, Bobs.files
> and Evil.eve are the same app.
>
> This has taken much of your time and I do appreciate that. I will push my luck
> and ask for a final word from you on this post.
>
> Thanks again.
>
> Dom
>
> PS. I would be happy to add to the wiki on this or other points if you feel that
> it would be helpful to the project.
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
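The "select among a set of known-good hostnames" approach from Andrew's reply, as an added example that is not code from the Yale CAS project or from either poster. It puts the allowlist logic beside the trust-the-Host:-header approach Dom described, and builds the CAS login and validation URLs from the same allowlisted service string so the ticket is validated against the service it was issued for. The allowlist contents, the CAS server URLs in the test calls, the path, and every function name here are this example's own assumptions; the logic is written in Python rather than as a Java CASFilter change because the selection step does not depend on the CAS client API.

```python
"""Host:-allowlisted CAS service URLs.

Added example for this thread; it is not code from the Yale CAS project
or from Andrew or Dom. ALLOWED_HOSTS, DEFAULT_HOST and every function
below are this example's own. The CAS server URLs a caller passes in are
assumptions as well.
"""
from urllib.parse import urlencode

# Constructed allowlist: the DNS names the deployer actually controls
# (Dom's two vhosts). Anything else is treated as untrusted input.
ALLOWED_HOSTS = frozenset({"www.mysite.com", "www.mysite.co.uk"})
DEFAULT_HOST = "www.mysite.com"  # canonical fallback for unknown Host: values


def _strip_port(host):
    """Drop an explicit port: 'www.mysite.com:443' -> 'www.mysite.com'."""
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8443
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def select_host(host_header):
    """Map the request's Host: header onto one of our own hostnames.

    The header is attacker-chosen (a proxy at evil.eve sends whatever it
    likes), so it is used only as a lookup key into a fixed set and is
    never copied into the service URL itself.
    """
    if host_header is None:
        return DEFAULT_HOST
    host = _strip_port(host_header.strip().lower())
    return host if host in ALLOWED_HOSTS else DEFAULT_HOST


def naive_service_url(host_header, path):
    """The request.getServerName() approach from the thread: trusts Host:.

    Kept only for contrast; this is the behaviour Andrew warns against.
    """
    return "https://" + host_header + path


def service_url(host_header, path):
    """Service URL built from an allowlisted host, never from raw Host:."""
    return "https://" + select_host(host_header) + path


def login_redirect_url(cas_login_url, host_header, path):
    """Where to send an unauthenticated user: CAS login with our service."""
    return cas_login_url + "?" + urlencode({"service": service_url(host_header, path)})


def validate_url(cas_validate_url, host_header, path, ticket):
    """Ticket validation must name the same service the ticket was issued for."""
    return cas_validate_url + "?" + urlencode(
        {"service": service_url(host_header, path), "ticket": ticket}
    )


def ticket_stays_with_service(login_host_header, validate_host_header, path):
    """True when the service used at validation matches the one used at login.

    Selecting from the allowlist makes this robust to cosmetic differences
    (case, explicit port) and to a proxy swapping in its own hostname.
    """
    return service_url(login_host_header, path) == service_url(validate_host_header, path)


if __name__ == "__main__":
    # Constructed requests: one from each real vhost, one through a hostile proxy.
    for hdr in ("www.mysite.com", "WWW.MYSITE.CO.UK:443", "evil.eve"):
        print(f"{hdr:24} naive -> {naive_service_url(hdr, '/app/')}")
        print(f"{'':24} safe  -> {service_url(hdr, '/app/')}")
```

Note that the two real aliases are still distinct services to CAS: a ticket acquired with service=https://www.mysite.co.uk/... will not validate against service=https://www.mysite.com/..., which is why the cookie-and-redirect idea above does the login on one canonical name and only restores the user's preferred alias afterwards.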
