Dom,
What was wrong with the idea of using request.getServerName() and validating it against a configured set of allowable server names, namely the set of {www.mysite.com, www.mysite.co.uk}?

Again, the issue is if you allow the requestor to convince you of an arbitrary server name, not if you allow the requestor to guide you in selecting among known good server names.
Andrew
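One way to implement the allowlist check described above, as an added example that is not code from the CAS project or from either poster: the host the client asked for (what request.getServerName() returns) is used only if it is one of a fixed, configured set of names; anything else is replaced by a configured default, so the requestor can pick among known-good hosts but cannot inject an arbitrary one into the service URL. The set of hosts, the default host and the helper names are assumptions for illustration.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not the CAS project's code): choose the host for the CAS
 * "service" URL from a configured allowlist of virtual-host names.
 * The request may select among these names but cannot supply a new one.
 */
public final class AllowedServerName {

    // Hypothetical configuration: the virtual hosts that serve this one application.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.mysite.com", "www.mysite.co.uk");

    // Hypothetical fallback used whenever the requested host is not on the list.
    private static final String DEFAULT_HOST = "www.mysite.com";

    private AllowedServerName() {}

    /**
     * Returns the requested host if it is allowed, otherwise the configured default.
     * Never returns the raw request value, so an unknown host cannot reach the URL.
     */
    public static String selectHost(String requestedServerName) {
        if (requestedServerName == null) {
            return DEFAULT_HOST;
        }
        // DNS names are case-insensitive and a trailing dot names the same host,
        // so normalise before comparing against the configured set.
        String host = requestedServerName.trim().toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);
        }
        return ALLOWED_HOSTS.contains(host) ? host : DEFAULT_HOST;
    }

    /**
     * Builds the service URL the CAS client passes to the CAS server.
     * In a servlet this would be called as
     *   buildServiceUrl(request.isSecure(), request.getServerName(),
     *                   request.getServerPort(), request.getRequestURI());
     */
    public static String buildServiceUrl(boolean secure, String serverName,
                                         int port, String requestUri) {
        String scheme = secure ? "https" : "http";
        String host = selectHost(serverName);
        boolean defaultPort = (secure && port == 443) || (!secure && port == 80);
        StringBuilder url = new StringBuilder(scheme).append("://").append(host);
        if (!defaultPort && port > 0) {
            url.append(':').append(port);
        }
        url.append(requestUri == null || requestUri.isEmpty() ? "/" : requestUri);
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for what request.getServerName() would return.
        // A listed host is kept as requested.
        System.out.println(buildServiceUrl(true, "www.mysite.co.uk", 443, "/app/login"));
        // Case and a trailing dot are normalised before the lookup.
        System.out.println(buildServiceUrl(true, "WWW.MYSITE.COM.", 443, "/app/login"));
        // A host that is not configured is replaced by the default, not echoed back.
        System.out.println(buildServiceUrl(true, "evil.eve.com", 443, "/app/login"));
    }
}
```

The configured set is the only source of host names that ever appears in the URL; the request merely chooses between them, which is the distinction drawn above between guiding the selection and dictating the value.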
> Hi Andrew
>
> I can see the security issue here, and I thank you for your time.
>
> A final word then.
>
> But in my situation bobfiles.com and evil.eve.com are the same app. I'm using apache to virtual host this app so that www.mysite.com and www.mysite.co.uk go to the same web application.
>
> Do you have another way I can co-host without using the request.getServerName? I cannot use a static property because only one site will work, and I don't want to double deploy my site.
>
> Thanks
> Dom
>
>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas