Security and allowed services


Adam Crownoble
Dec 6, 2012, 4:24:49 PM
to rubycas...@googlegroups.com
I'm curious what people are doing to limit what services can be authenticated through CAS. I've noticed that JASIG CAS server does service authorization through a Service Management admin feature. We want to make sure that we don't allow just anybody to redirect a user to our CAS login and have a listener setup to grab the username and extra attributes for that person.

Is there any existing mechanism to prevent this other than some sort of complex firewalling? If not, I'd be happy to add it as a configuration option.

Robert Mitwicki
Dec 7, 2012, 2:37:27 AM
to rubycas...@googlegroups.com
I think that one of the best is a whitelist, where you define what domains you allow to use your CAS.
Right now this feature is in the review stage and soon will be integrated with the main branch.
But you can check this feature right now; you can find it here: https://github.com/rubycas/rubycas-server/pull/87
It's not the best implementation, but the only one which we have right now on the way :)
But we work on that.

If you have any other ideas what kind of solution we could have, feel free to share. 
Best regards

Nils Caspar
Dec 7, 2012, 3:13:47 AM
to rubycas...@googlegroups.com
On Friday, December 7, 2012 8:37:27 AM UTC+1, mitfik wrote:
> But you can check this feature right now, you can find it here: https://github.com/rubycas/rubycas-server/pull/87
 
We use a variation of this pull request in production. But it is the wrong approach: a whitelist changes way too often to be stored in a configuration file. Changes in the config file will lead to a redeployment.
I think storing the whitelist in the database would be much better. As we don't have an admin interface yet, some rake tasks to manage the whitelist would be more than enough.

Cheers,
Nils
 

Adam Crownoble
Dec 7, 2012, 11:50:00 AM
to rubycas...@googlegroups.com
Thanks mitfik. I looked through the code but didn't think to look at the pull requests.

I agree that that particular implementation could be improved on. I'll see if I can work on it and submit a pull request with a better solution.

- Adam

Adam Crownoble
Dec 7, 2012, 4:12:58 PM
to rubycas...@googlegroups.com
Nils, I commented on the pull request but not here. What do you think of an IP range whitelist? That way you could just enter an IP range for the subnet your servers are on and be done.

- Adam
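A service-URL allowlist check of the kind discussed in this thread (Robert's domain whitelist and Adam's IP-range suggestion, applied here to the host of the service URL), written as an added Ruby example. It is not code from rubycas-server or from pull request #87; the allowlist entries, the `service_allowed?` and `allowlist_entry_matches?` names and the sample URLs are constructed for illustration. The check parses the `service` parameter, rejects non-http(s) schemes and URLs carrying user-info, and then matches the normalised host against exact hostnames, `*.` subdomain patterns and CIDR ranges. It is meant to run before the login form is shown and again before a ticket is issued.

```ruby
require 'uri'
require 'ipaddr'

# Constructed allowlist for illustration: exact hosts, a wildcard subdomain
# pattern and a CIDR range. In a real deployment this would be loaded from
# configuration or, as suggested in the thread, from the database.
SERVICE_ALLOWLIST = [
  'app.example.edu',
  '*.internal.example.edu',
  '10.20.0.0/16'
].freeze

# Does a single allowlist entry accept the given (already lower-cased) host?
def allowlist_entry_matches?(entry, host)
  if entry.include?('/')
    # CIDR entry: only matches when the service host is an IP literal.
    begin
      ip = IPAddr.new(host)
    rescue ArgumentError # covers IPAddr::InvalidAddressError
      return false
    end
    IPAddr.new(entry).include?(ip)
  elsif entry.start_with?('*.')
    # Wildcard entry: the host must end with ".suffix" and have a label before it,
    # so "evil-internal.example.edu" does not satisfy "*.internal.example.edu".
    suffix = entry[1..-1]
    host.end_with?(suffix) && host.length > suffix.length
  else
    host == entry
  end
end

# Returns true only when the service URL is well formed and its host is allowed.
def service_allowed?(service, allowlist = SERVICE_ALLOWLIST)
  uri = URI.parse(service.to_s)
  # Only http(s) services can receive a ticket via redirect.
  return false unless %w[http https].include?(uri.scheme)
  # "https://app.example.edu@evil.com/" would otherwise look like an allowed host.
  return false unless uri.userinfo.nil?
  host = uri.hostname
  return false if host.nil? || host.empty?
  # Normalise: lower-case and strip a trailing dot so "App.Example.Edu." matches.
  host = host.downcase.sub(/\.\z/, '')
  allowlist.any? { |entry| allowlist_entry_matches?(entry.downcase, host) }
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  %w[
    https://app.example.edu/login
    https://app.example.edu.evil.com/
    https://node7.internal.example.edu/cb
    http://10.20.5.7:8080/callback
    https://app.example.edu@evil.com/
  ].each { |url| puts "#{service_allowed?(url) ? 'allow ' : 'reject'} #{url}" }
end
```

The port is deliberately not part of the match, so an entry covers every port on that host; if that is too permissive for a deployment, the entry format would need a port field. Matching is done on the parsed host, never by substring search on the raw URL, which is what keeps query strings and look-alike domains from passing.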