Overview
Because CAS is a security-sensitive mechanism that transports passwords over
network connections, JCas provides several ways to control which clients may
connect to the server and request authorization. These methods prevent unauthorized
clients from connecting to your system and from attacking passwords (e.g. by brute-force guessing).
The restrictions that can be applied are described in the following sections, one method per section.
Network Connectivity Configuration
Many applications operate on systems connected to a potentially insecure network, in most
cases the Internet, while their backend systems are located in a trusted network. The
following picture demonstrates this setup.
Assuming that the CAS server is running on such a system, you probably do not want clients
from the insecure network to connect to your CAS server.
Another possible setup is a server in a potentially insecure network (again, in most cases
the Internet) whose only trusted clients are located on the system itself. In that case, only
clients from the local system should be allowed to connect for authorization.
Both cases can be solved by configuring JCas to listen only on those network interfaces
(also called network adapters) through which trusted clients connect. The <Address>
tag is used to achieve this. It is located inside the <Bind> tag because
it defines the network interfaces that JCas binds to.
Network interfaces can be identified by the hostname the interface is bound to or, alternatively,
by their IP address. The following part of a JCas configuration binds the server
to the network adapter that connects it to a company's intranet. The adapter's internal
hostname is webserver.intranet.mycompany.com.
...
<Bind>
<Address>webserver.intranet.mycompany.com</Address>
</Bind>
...
Of course, you can use localhost if you need to allow local CAS clients only. Keep in mind that
binding to localhost only restricts connections to processes on the same host; it does not
distinguish between the users or processes on that host.
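As an added example (not part of JCas or its documentation), the following Python script extracts the <Address> entries of a <Bind> section from a configuration fragment and classifies each one, so you can confirm before deployment that the server will not listen on a wildcard or public address. The configuration fragment and the root element name <JCas> are constructed for this example; the page does not name the root element.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET

# Constructed configuration fragment in the style of the page. The root element
# name <JCas> is an assumption; the page only shows the <Bind> part.
SAMPLE_CONFIG = """
<JCas>
  <Bind>
    <Address>127.0.0.1</Address>
    <Address>192.168.0.10</Address>
  </Bind>
</JCas>
"""


def bind_addresses(config_xml):
    """Return every <Address> listed under a <Bind> tag, in document order."""
    root = ET.fromstring(config_xml)
    return [addr.text.strip()
            for bind in root.iter("Bind")
            for addr in bind.findall("Address")]


def classify_bind_address(address):
    """Classify a bind address as 'wildcard', 'loopback', 'private' or 'public'.

    IP literals are classified offline; a hostname is first resolved with
    socket.gethostbyname, which needs working name resolution.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = ipaddress.ip_address(socket.gethostbyname(address))
    if ip.is_unspecified:      # 0.0.0.0 or :: -> the server would listen on every interface
        return "wildcard"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1 -> local clients only
        return "loopback"
    if ip.is_private:          # RFC 1918 / special-purpose ranges -> intranet-facing adapter
        return "private"
    return "public"


def audit_bind(config_xml, allow_public=False):
    """Map each configured bind address to its class and report whether the
    whole <Bind> section keeps the server off untrusted networks."""
    classes = {addr: classify_bind_address(addr) for addr in bind_addresses(config_xml)}
    rejected = {"wildcard"} | (set() if allow_public else {"public"})
    acceptable = not any(kind in rejected for kind in classes.values())
    return classes, acceptable


if __name__ == "__main__":
    classes, acceptable = audit_bind(SAMPLE_CONFIG)
    for addr, kind in classes.items():
        print(f"{addr}: {kind}")
    print("bind configuration acceptable:", acceptable)
```

Run the script against your own configuration file contents; a "wildcard" result means the <Address> value resolves to 0.0.0.0 or ::, which defeats the purpose of the <Bind> restriction.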
SSL Configuration
Although the SSL/TLS protocol allows servers to restrict which clients may connect, this option
has not yet been integrated into JCas. In a future release, JCas will be configurable
to accept only clients that present known certificates (client certificate authentication).
Configuration of Client Properties
If you cannot apply one of the methods described above, for whatever reason, JCas offers
the possibility to deny clients whose properties do not match certain criteria. Currently,
only two criteria can be used: a client's TCP/IP address or its agent name. Both configurations
are grouped together in one or multiple <AllowFrom> tags.
<AllowFrom> tags can be specified for the complete server and/or for
specific, defined schemes. Note that general <AllowFrom>
restrictions overrule scheme-specific definitions: a client must pass the general
rules before a scheme-specific rule can grant it access.
Example:
If a general rule allows clients from subnet 192.168.0.* only, and a scheme-specific
rule allows clients from 10.7.23.* only, the latter clients will not be able to connect
to JCas because the general rule does not permit them.
(In fact, no client will ever get through, since no client can satisfy both conditions.)
If multiple <AllowFrom> tags are defined (either generally or scheme-specific),
then only one of them needs to match to allow access.
TCP/IP Address
There are two ways to allow only clients coming from certain IP addresses:
- specifying the hostname or IP address of valid clients, or
- specifying the network address (subnet) of valid clients.
Both methods work in basically the same way: after a client has connected to JCas, the server
determines which IP address the client comes from (from the TCP/IP stack) and tries to match
it against one of the given entries. Placeholders (asterisks only) can be used
to cover more than one possible client with a single entry.
Hostnames and IP addresses are defined with the <Address> tag within
<AllowFrom>. If multiple definitions are given, only one needs to match.
The following example allows clients from two domains only, sourceforge.net and
apache.org:
...
<AllowFrom>
<Address>*.sourceforge.net</Address>
<Address>*.apache.org</Address>
</AllowFrom>
...
The next example allows clients coming from the subnet 192.168.0.* only:
...
<AllowFrom>
<Subnet>192.168.0.*</Subnet>
</AllowFrom>
...
Attention! This kind of restriction does not deny clients that connect
through a proxy running on a system with a permitted address: the server only sees
the proxy's address, not the original client's.
Agent Software
If you want to allow only certain software agents to connect, you can specify their
agent names in the <Agent> tag within <AllowFrom>. Again,
multiple tags can be used. Here is an example:
...
<AllowFrom>
<Agent>libcas/*</Agent>
<Agent>JCas/1.*</Agent>
</AllowFrom>
...
Here, only libcas client agents and JCas
version 1 client agents are allowed. Keep in mind that the agent name is reported by
the client itself and can be set to any value, so this restriction should complement,
not replace, address-based restrictions.
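As an added example, not JCas code, here is a Python implementation of <AllowFrom> evaluation as this page describes it, covering both the general-versus-scheme precedence example above and the Address, Subnet and Agent matching of the last three sections. The configuration fragment, the client records and the <Scheme name="..."> wrapper element are constructed for the example; how a single tag that lists both addresses and agents combines them is an assumption (every listed category must be satisfied), and the client's hostname is supplied by the caller rather than looked up.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed configuration fragment. The <Scheme name="..."> wrapper for
# scheme-specific rules is an assumption; the page does not show how a scheme
# is declared, only that <AllowFrom> may appear at server or scheme level.
SAMPLE_CONFIG = """
<JCas>
  <AllowFrom>
    <Subnet>192.168.0.*</Subnet>
    <Address>*.sourceforge.net</Address>
  </AllowFrom>
  <Scheme name="login">
    <AllowFrom>
      <Subnet>10.7.23.*</Subnet>
    </AllowFrom>
  </Scheme>
  <Scheme name="admin">
    <AllowFrom>
      <Agent>JCas/1.*</Agent>
    </AllowFrom>
  </Scheme>
</JCas>
"""


@dataclass(frozen=True)
class Client:
    ip: str        # peer address taken from the TCP/IP stack
    hostname: str  # name the server has for that address (supplied by the caller here)
    agent: str     # agent string the client announces about itself


def wildcard_match(pattern, value):
    """Match with '*' as the only placeholder; every other character is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def allow_from_matches(allow_from, client):
    """Evaluate one <AllowFrom> tag. Assumption: each category present in the
    tag (address/subnet, agent) must be satisfied by at least one of its entries."""
    addresses = [e.text.strip() for e in allow_from.findall("Address")]
    subnets = [e.text.strip() for e in allow_from.findall("Subnet")]
    agents = [e.text.strip() for e in allow_from.findall("Agent")]
    if addresses or subnets:
        by_address = any(wildcard_match(p, client.hostname) or wildcard_match(p, client.ip)
                         for p in addresses)
        by_subnet = any(wildcard_match(p, client.ip) for p in subnets)
        if not (by_address or by_subnet):
            return False
    if agents and not any(wildcard_match(p, client.agent) for p in agents):
        return False
    return True


def level_allows(allow_from_tags, client):
    """A level (server-wide or one scheme) with no <AllowFrom> imposes no
    restriction; with several tags, any single matching tag grants access."""
    if not allow_from_tags:
        return True
    return any(allow_from_matches(tag, client) for tag in allow_from_tags)


def client_allowed(config_xml, client, scheme=None):
    """General rules are checked first and overrule scheme rules: a client that
    fails them is denied even if a scheme-specific rule would admit it."""
    root = ET.fromstring(config_xml)
    if not level_allows(root.findall("AllowFrom"), client):
        return False
    if scheme is None:
        return True
    for node in root.findall("Scheme"):
        if node.get("name") == scheme:
            return level_allows(node.findall("AllowFrom"), client)
    return True  # scheme without its own rules: only the general rules apply


if __name__ == "__main__":
    intranet = Client("192.168.0.5", "ws1.intranet.example", "JCas/1.3")
    print(client_allowed(SAMPLE_CONFIG, intranet))           # True
    print(client_allowed(SAMPLE_CONFIG, intranet, "admin"))  # True
    print(client_allowed(SAMPLE_CONFIG, intranet, "login"))  # False
```

The "login" scheme reproduces the page's example: its 10.7.23.* subnet can never coexist with the general 192.168.0.* rule, so every client is denied for that scheme, including intranet clients that pass the general rule.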