CAS 5.2.3 - support for XSS protection


Mr Rao
Oct 2, 2018, 5:55:52 PM, to CAS Community
Hi,
We were using an XSSFilter in the old version of CAS; since it used web.xml, we were able to add the filter to web.xml.
Can anyone help with how I can do this in CAS 5.2.3? Basically we want to protect against cross-site scripting attacks.


Chava

Andy Ng
Oct 3, 2018, 6:10:00 AM, to CAS Community

Mr Rao
Oct 3, 2018, 6:15:09 PM, to CAS Community
Hi Andy,

These settings are for setting HTTP response headers, and by default they are enabled. I was looking for a way to strip XSS script code out of the HTTP request parameters and headers. Here is what I did, and it seems to be working fine. I created an XSSFilter and added it to the FilterChain using the code below. My implementation of the getParam, getParams and getHeader methods strips off the XSS injection code so that it does not get into the application code.

    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.Ordered;

    @Configuration("WebFilterConfiguration")
    public class XifinWebFilterConfiguration {

        // Registers the custom XSSFilter (the poster's own class, not shown in the thread)
        // for every URL and orders it ahead of the other servlet filters, so request
        // parameters and headers are sanitized before CAS or Spring Security read them.
        @Bean
        public FilterRegistrationBean xssFilter() {
            FilterRegistrationBean filterRegBean = new FilterRegistrationBean();
            filterRegBean.setFilter(new XSSFilter());
            filterRegBean.addUrlPatterns("/*");
            filterRegBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
            return filterRegBean;
        }
    }


Chava
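The filter Chava describes, written out as an added example (this is not code from the thread or from the CAS project): an HttpServletRequestWrapper that runs a deny-list of patterns over parameter and header values, and the javax.servlet.Filter that wraps every request in it so the registration bean above can install it. The class names XSSFilter and XSSRequestWrapper, the pattern list and the sample inputs in main are assumptions; the poster's actual implementation was not shared.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Example servlet filter (assumed name XSSFilter) that replaces the incoming
 * request with a sanitizing wrapper before handing it down the chain.
 * Register it with a FilterRegistrationBean as shown in the thread.
 */
public class XSSFilter implements Filter {

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new XSSRequestWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Wrapper that sanitizes getParameter, getParameterValues and getHeader. */
    static final class XSSRequestWrapper extends HttpServletRequestWrapper {

        // Deny-list of common XSS payload shapes. CASE_INSENSITIVE because
        // <ScRiPt> is still a script tag; DOTALL so a tag split across lines matches.
        private static final Pattern[] PATTERNS = {
            Pattern.compile("<script(.*?)>(.*?)</script>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
            Pattern.compile("</?script[^>]*>", Pattern.CASE_INSENSITIVE),
            Pattern.compile("javascript\\s*:", Pattern.CASE_INSENSITIVE),
            Pattern.compile("vbscript\\s*:", Pattern.CASE_INSENSITIVE),
            Pattern.compile("on\\w+\\s*=", Pattern.CASE_INSENSITIVE),      // onload=, onerror=, ...
            Pattern.compile("expression\\s*\\(", Pattern.CASE_INSENSITIVE) // legacy IE CSS expressions
        };

        XSSRequestWrapper(HttpServletRequest request) { super(request); }

        @Override public String getParameter(String name) {
            return strip(super.getParameter(name));
        }

        @Override public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) return null;
            return Arrays.stream(values).map(XSSRequestWrapper::strip).toArray(String[]::new);
        }

        @Override public String getHeader(String name) {
            return strip(super.getHeader(name));
        }

        /** Removes every pattern match; loops until stable so nested payloads cannot survive one pass. */
        static String strip(String value) {
            if (value == null) return null;
            String out = value.replace("\0", ""); // NUL bytes are a classic way to confuse naive matchers
            String previous;
            do {
                previous = out;
                for (Pattern p : PATTERNS) {
                    out = p.matcher(out).replaceAll("");
                }
            } while (!out.equals(previous));
            return out;
        }
    }

    // Constructed sample inputs (not from the thread) to show what the wrapper does.
    public static void main(String[] args) {
        String[] samples = {
            "<script>alert(1)</script>",
            "<scr<script>ipt>alert(1)</script>",     // nested payload, needs the second pass
            "<img src=x onerror=alert(1)>",
            "javascript:alert(document.cookie)",
            "plain username"
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + XSSRequestWrapper.strip(s));
        }
    }
}
```

Two caveats before relying on this in a CAS deployment. First, it is a deny-list: it only catches the shapes listed, it does not cover getParameterMap, getHeaders(name) or a request body (JSON or form data read as a stream), and the on\w+\s*= rule will silently mangle legitimate values such as a password containing "son=", which for a login server means a confusing authentication failure rather than a blocked attack. Rejecting the request with a 400 is often preferable to silent stripping. Second, the primary defence against XSS remains context-aware output encoding in the view layer (CAS's Thymeleaf templates escape by default) plus a Content-Security-Policy; the response headers Andy pointed to and a request filter like this one are additional layers, not a replacement.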

Andy Ng
Oct 3, 2018, 9:30:29 PM, to CAS Community
Hi Chava,

Oops, I guess I misunderstood your question then. Cool that your code worked!

Cheers!
- Andy

Chava
Oct 4, 2018, 7:48:13 PM, to cas-...@apereo.org
No problem. Thanks for the quick response.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e24f3026-1462-4ae1-b057-450a3c81689f%40apereo.org.