JCas - Access Control

Overview

Because CAS is a security-sensitive mechanism that transports passwords over network connections, JCas provides several ways to control which clients may connect to the server and request authorization. These methods prevent unauthorized clients from connecting to your system and from attacking passwords (e.g. by brute-force guessing).

The following restrictions can be applied:
  • network connectivity configuration (binding JCas only to trusted network interfaces),
  • SSL configuration (client certificates; not yet available), and
  • configuration of client properties (restricting clients by TCP/IP address or agent software).

The following sections describe each method in detail.

Network Connectivity Configuration

Many applications operate on systems connected to a potentially insecure network, in most cases the Internet, while their backend systems are located in a trusted network. The following picture demonstrates this setup.

Assuming that the CAS server is running on such a system, you probably do not want clients from the insecure network to connect to your CAS server.

Another possible setup is a server in a potentially insecure network - again, in most cases the Internet - where the only trusted clients are located on the server system itself. In that case, only clients from the local system should be allowed to connect for authorization.

Both cases can be solved by configuring JCas to listen only on those network interfaces (also called network adapters) through which trusted clients will connect. The <Address> tag is used to achieve this. It is located inside the <Bind> tag because it defines the network interfaces that JCas binds to.

A network interface can be specified by the hostname that is bound to it, or alternatively by its IP address. The following part of a JCas configuration binds the server to the network adapter that connects the server to a company's intranet. Its internal hostname is webserver.intranet.mycompany.com.

    ...
    <Bind>
        <Address>webserver.intranet.mycompany.com</Address>
    </Bind>
    ...
    
Of course, you can use localhost, if you need to allow local CAS clients only.
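The guide's binding rule, carried out in code: the added example below (illustration only, not part of JCas) reads the <Bind><Address> value from a constructed configuration fragment, resolves it to a single IPv4 address, refuses wildcard addresses such as 0.0.0.0 (which would expose the listener on every interface and defeat the point of the setting), and binds a TCP listener to that address only. Names such as `open_listener` and the sample fragments are this example's own assumptions.

```python
"""Bind a listening socket only to the interface named under <Bind><Address>.

Added illustration of the access-control rule described in the JCas guide;
this is not JCas code. It assumes a fragment that contains a single
<Bind><Address>...</Address></Bind> element (optionally wrapped in a root tag).
"""
import socket
import xml.etree.ElementTree as ET

# Addresses that would bind to all interfaces instead of one trusted adapter.
WILDCARDS = {"", "0.0.0.0", "::", "*"}

# Constructed configuration fragments for the demonstration.
INTRANET_CFG = """<Config>
    <Bind>
        <Address>webserver.intranet.mycompany.com</Address>
    </Bind>
</Config>"""
LOCAL_CFG = "<Config><Bind><Address>127.0.0.1</Address></Bind></Config>"
WILDCARD_CFG = "<Config><Bind><Address>0.0.0.0</Address></Bind></Config>"


def bind_address_from_config(xml_text):
    """Return the hostname or IP literal configured under <Bind><Address>."""
    root = ET.fromstring(xml_text)
    addr = root.find("Address") if root.tag == "Bind" else root.find(".//Bind/Address")
    if addr is None or not (addr.text or "").strip():
        raise ValueError("no <Bind><Address> configured")
    return addr.text.strip()


def resolve_bind_address(name):
    """Resolve the configured name to one IPv4 address, refusing wildcard binds."""
    name = name.strip()
    if name in WILDCARDS:
        raise ValueError(f"refusing wildcard bind address {name!r}")
    # A literal IP resolves without DNS; a hostname is looked up normally.
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    ip = infos[0][4][0]
    if ip in WILDCARDS:
        raise ValueError(f"{name!r} resolves to wildcard address {ip!r}")
    return ip


def rejects_wildcard(name):
    """True if resolve_bind_address() refuses the given address (used as a check)."""
    try:
        resolve_bind_address(name)
    except ValueError:
        return True
    return False


def open_listener(xml_text, port=0):
    """Bind a TCP listener to the configured interface; return (socket, ip, port).

    port=0 lets the OS pick a free port, which keeps the demonstration
    independent of whatever CAS port a real deployment uses.
    """
    ip = resolve_bind_address(bind_address_from_config(xml_text))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((ip, port))
    sock.listen(5)
    bound_ip, bound_port = sock.getsockname()[:2]
    return sock, bound_ip, bound_port


if __name__ == "__main__":
    sock, ip, port = open_listener(LOCAL_CFG)
    print(f"listening on {ip}:{port} only")
    sock.close()
    print("wildcard rejected:", rejects_wildcard(bind_address_from_config(WILDCARD_CFG)))
```

After starting the real server, confirm the effect from the host itself (for example with `ss -ltn` or `netstat -an`): the CAS port should appear bound to the intranet address, never to 0.0.0.0 or `*`.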

SSL Configuration

Although the SSL/TLS protocol enables servers to restrict client connections, this option has not yet been integrated into JCas. In a future release, JCas will be configurable to accept only clients that present known certificates (client certificate authentication).

Configuration of Client Properties

If you cannot apply one of the methods described above, for whatever reason, JCas offers the possibility to deny clients whose properties do not match certain criteria. Currently, only two criteria can be used: a client's TCP/IP address or its agent. Both configurations are grouped together in one or more <AllowFrom> tags.

<AllowFrom> tags can be specified for the complete server and/or for specific, defined schemes. Please note that general <AllowFrom> restrictions overrule scheme-specific definitions: a client must satisfy the general restrictions before the scheme-specific ones are considered.

Example: If a general rule allows clients from subnet 192.168.0.* only, and a scheme-specific rule allows clients from 10.7.23.* only, the latter clients will not be able to connect to JCas because the general rule does not permit them.

(In fact, no client will ever get through, because no client can satisfy both conditions.)

If multiple <AllowFrom> tags are defined (either generally or scheme-specifically), it is sufficient that one of them matches to allow access.

TCP/IP Address

There are two ways to allow only clients coming from certain IP addresses:
  • specifying the hostname or IP address of valid clients, or
  • specifying the network address of valid clients.
Both methods work similarly: after a client has connected to JCas, the server determines which IP address the client comes from (taken from the TCP/IP stack) and tries to match it against one of the given patterns. Placeholders (asterisks only) can be used to cover more than one possible client.

Hostnames and IP addresses are defined by the <Address> tag within <AllowFrom>. If multiple definitions are given, only one needs to match.

The following example allows clients from two domains only, sourceforge.net and apache.org:

    ...
    <AllowFrom>
        <Address>*.sourceforge.net</Address>
        <Address>*.apache.org</Address>
    </AllowFrom>
    ...
    
The next example allows clients coming from subnet 192.168.0.* only:

    ...
    <AllowFrom>
        <Subnet>192.168.0.*</Subnet>
    </AllowFrom>
    ...
    
Attention! This kind of restriction matches the address the connection actually comes from. It therefore does not deny clients that connect through a proxy running on a system with a permitted address, because JCas only sees the proxy's address.

Agent Software

If you want to allow only certain software agents to connect, you can specify their agent names in the <Agent> tag within <AllowFrom>. Again, multiple tags can be used. Here is an example:

    ...
    <AllowFrom>
        <Agent>libcas/*</Agent>
        <Agent>JCas/1.*</Agent>
    </AllowFrom>
    ...
    
Here, only libcas client agents and JCas version 1 client agents are allowed.
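The rules above (general <AllowFrom> restrictions overrule scheme-specific ones, any one of several <AllowFrom> tags is enough, asterisk placeholders in <Address>, <Subnet> and <Agent>) combined in one executable model. The example below is added here to make those semantics concrete; it is not JCas code, and the configuration fragments, client records and function names (`is_allowed`, `evaluate`) are constructed for the illustration. It reproduces the guide's conflicting-subnet case, where no client gets through, and a scheme restriction by agent that narrows a permitted subnet.

```python
"""Model of the <AllowFrom> evaluation rules described in the JCas guide.

Added illustration, not JCas code. Assumptions: a server-wide list of
<AllowFrom> rules and a per-scheme list; a client is admitted only if at
least one general rule matches AND, when the scheme defines rules, at least
one scheme-specific rule matches. Within one <AllowFrom>, any single child
tag that matches admits the client. '*' is the only wildcard. An empty rule
list means "no restriction" (an assumption of this model).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Client:
    ip: str        # peer address from the TCP/IP stack (a proxy's address, if proxied)
    hostname: str  # reverse-lookup result for that address
    agent: str     # agent name presented by the client software


def _glob_match(pattern, value):
    """Match value against pattern where '*' is the only placeholder."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_allow_from(xml_text):
    """Return a list of rules; each rule is a list of (tag, pattern) pairs."""
    root = ET.fromstring(xml_text)
    return [[(child.tag, (child.text or "").strip()) for child in allow]
            for allow in root.iter("AllowFrom")]


def rule_matches(rule, client):
    """One <AllowFrom> admits the client if any of its child patterns matches."""
    for tag, pattern in rule:
        if tag == "Address" and (_glob_match(pattern.lower(), client.hostname.lower())
                                 or _glob_match(pattern, client.ip)):
            return True
        if tag == "Subnet" and _glob_match(pattern, client.ip):
            return True
        if tag == "Agent" and _glob_match(pattern, client.agent):
            return True
    return False


def is_allowed(general_rules, scheme_rules, client):
    """General rules overrule scheme rules: both lists (if present) must admit."""
    if general_rules and not any(rule_matches(r, client) for r in general_rules):
        return False
    if scheme_rules and not any(rule_matches(r, client) for r in scheme_rules):
        return False
    return True


# Constructed configuration fragments (wrapped in a root tag so they parse).
GENERAL_CFG = """<Config>
    <AllowFrom><Subnet>192.168.0.*</Subnet></AllowFrom>
    <AllowFrom><Address>*.sourceforge.net</Address><Address>*.apache.org</Address></AllowFrom>
</Config>"""
# The guide's example: a scheme rule the general rule can never agree with.
CONFLICTING_SCHEME_CFG = "<Config><AllowFrom><Subnet>10.7.23.*</Subnet></AllowFrom></Config>"
# A scheme rule that narrows permitted clients by agent software.
AGENT_SCHEME_CFG = """<Config>
    <AllowFrom><Agent>libcas/*</Agent><Agent>JCas/1.*</Agent></AllowFrom>
</Config>"""
NO_SCHEME_CFG = "<Config/>"

# Constructed clients (addresses from documentation ranges, hostnames invented).
CLIENTS = {
    "intranet-jcas": Client("192.168.0.7", "pc7.intranet.example", "JCas/1.2"),
    "intranet-curl": Client("192.168.0.7", "pc7.intranet.example", "curl/7.0"),
    "lab": Client("10.7.23.5", "lab5.example", "JCas/1.2"),
    "sf": Client("203.0.113.10", "shell.sourceforge.net", "libcas/2.0"),
}


def evaluate(general_cfg, scheme_cfg):
    """Return {client name: allowed?} for the constructed clients."""
    general = parse_allow_from(general_cfg)
    scheme = parse_allow_from(scheme_cfg)
    return {name: is_allowed(general, scheme, c) for name, c in CLIENTS.items()}


if __name__ == "__main__":
    for label, cfg in [("conflicting", CONFLICTING_SCHEME_CFG),
                       ("agent", AGENT_SCHEME_CFG), ("none", NO_SCHEME_CFG)]:
        print(label, evaluate(GENERAL_CFG, cfg))
```

Running it shows the conflicting-subnet case denying every client, while the agent scheme admits the intranet JCas client and the sourceforge.net libcas client but not the intranet client using an unlisted agent. Note that `Client.ip` is whatever the TCP/IP stack reports, which is why the proxy caveat above applies: a proxy on a permitted address passes these checks on behalf of whoever is behind it.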