Restrict the URLs of services that may use CAS
arpost opened this issue · 2 comments
A service redirects to the CAS login URL and provides a query parameter containing a URL from the service to return to after successful login. By default, CAS places no restrictions on the service URL. Is there a way to configure that? If so, this task is to make it possible to specify a whitelist of URLs in either cas.properties or application.properties.
It looks like there is a service management tool with a GUI to add and manage attributes and URLs. Managing that tool seems like overkill for our requirement, considering CAS is used only for development.
The other option seems to be to specify a regular expression in deployerConfigContext.xml to define accepted service URLs. I tested the below entry in the XML file and it works well, except for Eureka on the VMs, since eureka-webapp is the ROOT application in Tomcat on the VM and Eureka is accessed by just https://ipaddress (e.g. https://162.7.9.8). Ideally I would think the server name should have eureka (string) in it, or we need to have /eureka-webapp after the IP address (if that makes sense, we might need to have that convention). Let me know if this is an option.
Forcing eureka to be always at a /eureka or similar path is not an option.
On Jul 11, 2016, at 12:26 PM, Akshatha Pai notifications@github.com wrote: