Re: [cas-user] SimpleHttpClient.java Security Review positive to DOS

2015-11-10 Thread Marvin Addison
>
>     boolean readInput = true;
>     while (readInput) {
>         readInput = StringUtils.isNotBlank(in.readLine());
>     }
>

There's absolutely nothing wrong with that line in the overall design of
the reader. The whole purpose of the component is to buffer the entire
stream contents in memory, regardless of whether it's done line-by-line or
all-in-one. The end result is the same.

While there may be some merit to the criticism that buffering the entire
response creates a DOS vector, it's hardly uncommon and is the only way to
parse XML via DOM.

M

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


[cas-user] SimpleHttpClient.java Security Review positive to DOS

2015-11-10 Thread MrCrowley
Hi there,
a security scan done with IBM AppScan indicates that SimpleHttpClient
can be vulnerable to DOS.
    in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
    boolean readInput = true;
    while (readInput) {
        readInput = StringUtils.isNotBlank(in.readLine());
    }
This part of the code reads the buffer without considering the length of the
stream, so if there are no spaces in it we can have an out-of-memory error; if we
have spaces with a huge buffer, the appserver can close the connection, giving a
DOS.
This is the result of a static analysis.
I think it would be useful to share.

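The concern raised in the two messages above is that the response is read into memory with no upper bound. The following is an added example, not code from CAS or from either poster, showing the mitigation a reviewer would normally ask for: a hard cap on the number of bytes accepted from the stream, enforced on bytes actually read rather than on a Content-Length header the server controls. The class name BoundedResponseReader, the exception name, the 1 KiB cap and the sample bodies are all assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not CAS code): buffers an HTTP response body in memory while
 * enforcing a fixed upper bound on its size, so a remote server that streams an
 * oversized or never-ending body cannot exhaust the client's heap.
 */
public class BoundedResponseReader {

    /** Thrown as soon as the body exceeds the configured limit (hypothetical name). */
    public static class ResponseTooLargeException extends IOException {
        public ResponseTooLargeException(int limit) {
            super("response body exceeded limit of " + limit + " bytes");
        }
    }

    private final int maxBytes;

    public BoundedResponseReader(int maxBytes) {
        if (maxBytes <= 0) {
            throw new IllegalArgumentException("maxBytes must be positive");
        }
        this.maxBytes = maxBytes;
    }

    /**
     * Reads the stream fully into a byte array, failing fast once more than
     * maxBytes have arrived. Content-Length is deliberately not consulted: the
     * cap applies to bytes actually received, which also covers chunked
     * responses that carry no length header at all.
     */
    public byte[] readFully(InputStream in) throws IOException {
        byte[] chunk = new byte[8192];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int total = 0;
        int n;
        // Ask for at most (maxBytes - total + 1) bytes so the first byte over the
        // limit is detected without buffering a whole extra chunk first.
        while ((n = in.read(chunk, 0, Math.min(chunk.length, maxBytes - total + 1))) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new ResponseTooLargeException(maxBytes);
            }
            out.write(chunk, 0, n);
        }
        return out.toByteArray();
    }

    /** Decodes the bounded body as UTF-8 text, e.g. before handing it to a DOM parser. */
    public String readText(InputStream in) throws IOException {
        return new String(readFully(in), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // 1 KiB cap, chosen only to keep the demo small; a real client would size
        // this to the largest legitimate response it expects.
        BoundedResponseReader reader = new BoundedResponseReader(1024);

        // Constructed sample: a small, well-formed body is accepted unchanged.
        String small = "<cas:serviceResponse>ok</cas:serviceResponse>";
        System.out.println("small body: "
                + reader.readText(new ByteArrayInputStream(small.getBytes(StandardCharsets.UTF_8))));

        // Constructed sample: a 10 KiB body with no line breaks, the case where a
        // readLine()-based loop would have to hold everything at once. It is
        // rejected as soon as the cap is crossed, not after it has been buffered.
        byte[] oversized = new byte[10 * 1024];
        Arrays.fill(oversized, (byte) 'A');
        try {
            reader.readFully(new ByteArrayInputStream(oversized));
            System.out.println("unexpected: oversized body accepted");
        } catch (ResponseTooLargeException e) {
            System.out.println("oversized body rejected: " + e.getMessage());
        }
    }
}
```

The size cap addresses the memory side of the report; the "huge buffer that keeps the connection open" side is handled separately by setting a read timeout on the connection (HttpURLConnection.setReadTimeout) so that a slow or stalling server cannot hold the reading thread indefinitely. Neither change alters the component's design as Marvin describes it: the whole body is still buffered and parsed with DOM, it is simply no longer allowed to be arbitrarily large.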

Re: [cas-user] hazelcast tickets not replicating

2015-11-10 Thread Paul B. Henson
On Mon, Nov 02, 2015 at 07:29:14AM -0800, Jonas Steinberg wrote:

> My cas server is essentially a copy of this 
> 

This is for CAS 4.

> I used this  to integrate hazelcast
 
These are for CAS 3.

If you're using CAS 4 you need to use:

https://github.com/unicon-cas-addons/cas-addon-hazelcast-ticket-registry

> Any insight would be greatly appreciated!

If the mixed versions weren't a cut and paste typo, try matching the
addon version to the CAS version...

We're currently using CAS 3 with the hazelcast ticket registry and it
works fine. We haven't tried CAS 4 yet, we're tentatively looking at the
CAS protocol support in the shib idp v3 (with the Unicon hazelcast
support addon for state replication).

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  hen...@cpp.edu
California State Polytechnic University  |  Pomona CA 91768
