Prevent CSRF attacks for cas 5.3.x document or steps


Raheem Shaik

Dec 12, 2019, 1:37:19 AM
to CAS Community
Can you please provide any document on preventing CSRF for CAS v5.3.10, or
any steps to add to cas.properties to achieve this?


Regards,
Raheem Shaik


Raheem Shaik

Dec 16, 2019, 12:27:24 PM
to CAS Community
I did not get any response to this; can someone provide a guide or docs to me?

Ray Bon

Dec 16, 2019, 12:42:31 PM
to cas-...@apereo.org
Raheem,

Can you provide scenario where this would be an issue?

Ray


-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Raheem Shaik

Dec 17, 2019, 1:04:06 AM
to cas-...@apereo.org
Hi Ray,

We are using CAS v5.2.6 in our development environment and it is working fine, so we are planning to move to our production environment. For that process, we need to implement some security settings or fixes as per our security team.

For testing, CSRF is a high concern for us, and they provided code that needs to be saved as HTML and executed.
Submission of the form via CSRF will request a service scope. Supply https://*.<domain name> and resubmit the request, and you will receive the TGT, which can be used to receive a valid bearer token that can be used for subsequent requests.

So we need to prevent this from happening; can you please help me resolve this issue?

Regards,
Raheem Shaik 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3e3f31382452445f0fabc596d783c20db1bcb6e5.camel%40uvic.ca.

Cemal Önder

Dec 18, 2019, 1:33:47 AM
to CAS Community
I did not find any relevant documentation on CAS. But when I checked the source code I could see there is CSRF support for the embedded Tomcat. If this is the case, then set this property to true:

Raheem Shaik

Dec 19, 2019, 8:29:15 AM
to cas-...@apereo.org
Hi Cemal,

I have tested with the property `cas.server.csrf.enabled=true` and am getting the error below:

    {
        "timestamp": 1576761526181,
        "status": 403,
        "error": "Forbidden",
        "message": "No message available",
        "path": "/cas/v1/tickets"
    }

Also, from the browser: "Authorization Denied" and "you do not have permissions".

(attached screenshot: image.png)

Can you please let me know if any other settings need to be added to my cas.properties file along with CSRF enabled?
Regards,
Raheem Shaik

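The two behaviours this thread runs into, a container CSRF filter rejecting every request that carries no session nonce (which is what a curl call to /cas/v1/tickets looks like) and a cross-site form POST that a browser tags with an attacker's Origin, can be modelled offline. The block below is an added example, not CAS or Tomcat code: it implements a synchroniser-token check in the style of Tomcat's CsrfPreventionFilter (the nonce parameter name is Tomcat's; the rest is a simplified model) next to an Origin/Referer allow-list check, and runs both over three constructed requests mirroring the callers in the thread. The hostnames, credentials and nonce values are made up for the demonstration.

```python
"""Added example: two CSRF decisions run over constructed CAS-style requests.

nonce_check   - synchroniser-token check in the style of a servlet-container CSRF
                filter; every request must carry a nonce the session previously issued.
origin_check  - Origin/Referer allow-list for state-changing methods, the check that
                still gives a sane answer for a sessionless REST client.
None of this is CAS or Tomcat code; the sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Request-parameter name that Tomcat's CsrfPreventionFilter uses to carry its nonce.
TOMCAT_NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"


@dataclass
class Request:
    """A constructed HTTP request, reduced to the fields the two checks look at."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)
    # Nonces the caller's server-side session has issued. Empty means no session at
    # all, which is the normal state of a REST client such as curl.
    session_nonces: Set[str] = field(default_factory=set)

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def nonce_check(req: Request) -> Tuple[int, str]:
    """Synchroniser-token style: reject unless the request carries a nonce known to the session."""
    nonce = req.params.get(TOMCAT_NONCE_PARAM)
    if nonce is None:
        return 403, "no CSRF nonce parameter"
    if nonce not in req.session_nonces:
        return 403, "nonce not issued to this session"
    return 200, "nonce ok"


def origin_check(req: Request, allowed_hosts: Set[str], allow_missing: bool) -> Tuple[int, str]:
    """Origin/Referer allow-list for state-changing methods.

    Browsers attach an Origin header to cross-site form POSTs, so a CSRF form from
    another site is rejected by hostname. A non-browser client sends neither header;
    allow_missing decides whether such callers pass (True) or fail closed (False).
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return 200, "safe method"
    source = req.header("Origin") or req.header("Referer")
    if source is None:
        if allow_missing:
            return 200, "no Origin/Referer: non-browser client"
        return 403, "no Origin/Referer"
    host = urlsplit(source).hostname or ""   # 'Origin: null' yields '' and is rejected
    if host in allowed_hosts:
        return 200, f"origin {host} allowed"
    return 403, f"origin {host} not allowed"


def sample_requests() -> Dict[str, Request]:
    """Constructed requests mirroring the three callers discussed in the thread."""
    issued = {"a1b2c3"}   # nonce the browser session was handed with the login form
    return {
        # Same-origin login form that carries the nonce the filter issued.
        "browser_login_form": Request(
            "POST", "/cas/login",
            headers={"Origin": "https://cas.example.org"},
            params={"username": "alice", "password": "s3cret", TOMCAT_NONCE_PARAM: "a1b2c3"},
            session_nonces=issued),
        # The security team's PoC: an HTML form on another site auto-submitted to the REST API.
        "csrf_form_post": Request(
            "POST", "/cas/v1/tickets",
            headers={"Origin": "https://attacker.example"},
            params={"username": "alice", "password": "guess", "service": "https://app.example.org/"}),
        # Ordinary REST client (curl): no session, no nonce, no Origin, no Referer.
        "curl_rest_client": Request(
            "POST", "/cas/v1/tickets",
            headers={"Content-Type": "application/x-www-form-urlencoded"},
            params={"username": "alice", "password": "s3cret"}),
    }


def evaluate(allowed_hosts=frozenset({"cas.example.org"})) -> Dict[str, Dict[str, int]]:
    """Run both checks over every sample; returns {name: {"nonce": status, "origin": status}}."""
    results = {}
    for name, req in sample_requests().items():
        nonce_status, _ = nonce_check(req)
        origin_status, _ = origin_check(req, set(allowed_hosts), allow_missing=True)
        results[name] = {"nonce": nonce_status, "origin": origin_status}
    return results


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, nonce_check(req), origin_check(req, {"cas.example.org"}, allow_missing=True))
```

Under the nonce policy the curl-style REST call gets 403 for the same reason as the CSRF form: neither has a session that was ever handed a nonce, which is consistent with the 403 on /cas/v1/tickets reported above once a container-level CSRF filter is switched on. The Origin check separates the two cases: the attacker's form is rejected by hostname while the sessionless REST client is let through, so a practitioner protecting a REST endpoint that non-browser clients must keep calling will want an origin or exemption rule for that path rather than a blanket nonce requirement. Whatever is chosen, verify it with both a legitimate client and a cross-site form against the real deployment; this model only shows the decision logic.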