Security Guide
CAS的TGT是一个bearer token。
当ST通过service URL回传给应用时。
CAS一般要求连接数据库等其他系统,我们一般建议使用安全传输(SSL/TLS, IPSec),有严格访问控制的私有网络和企业网络是个例外,但是我们依然建议使用安全传输。LDAP客户端认证是一个好的解决方案,可以带来足够的安全。
Forced Authentication(强制认证)
Passive Authentication(被动认证)
Proxy Authentication
Proxy认证或者delegated认证,为CAS提供了一种强大、重要、有潜力的特性。CASv2和CASv3协议支持Proxy认证,它们通过proxy tickets在用户的支持下请求。服务为用户代理认证,通常用于服务不直接和用户交互的情况下。
然而,proxy tickets在那些接受proxy tickets的服务中引起了一些安全风险。(the list of services through which the end-user’s authentication have been delegated to arrive at the ticket validating service). Services can opt out of accepting proxy tickets entirely (and avoid responsibility for validating proxy chains) by simply validating tickets against the /serviceValidate validation endpoint, but experience has shown it’s easy to be confused about this and configure to unintentionally use the /proxyValidate endpoint yet not scrutinize any proxy chains that appear in the ticket validation response. 所以proxy认证要求合适的安全控制和谨慎的配置。如果不需要,建议禁用proxy代理组件。
Multi-factor Authentication(多阶认证)
Levels of identity assurance (LOA) for credentials and groups of credentials must be established.
Security policy versus credential LOA must be established per service.
Service access policy must be configured via the service management facility.
The first two tasks are vital but outside the scope of this document. Application of service access policy via the service management facility is implemented by declaring the authentication handlers that must successfully authenticate credentials in order to permit access; for example, an LDAP authentication handler and an RSA SecureID authentication handler.
Since multi-factor authentication requires development of institutional security policy, advanced component configuration (and possibly custom component development), and UI design, it should be regarded more as a framework than a feature. See the multi-factor configuration section for detailed discussion of configuration concerns and implementation recommendations.
Credential Caching and Replay
The ClearPass extension provides a mechanism to capture primary authentication credentials, cache them (encrypted), and replay on demand as needed to access legacy services. While proxy authentication is recommended in lieu of password replay, it may be required to integrate legacy services with CAS. See the ClearPass documentation for detailed information.
Service Management(服务管理)
Authorized services
Forced authentication
Attribute release
Proxy authentication control
Theme control
Multi-factor service access policy
Authorized Services(认证服务)
SSO Cookie Encryption(SSO Cookie加密)
一个ticket-granting cookie是一个HTTP cookie,由CAS设置。标记着SSO会话的建立。这个cookie值默认由cas.properties文件中的定义加密和签名。每次部署必需重新生成。详见这个指导。
Ticket Expiration Policies(票据失效策略)
SSO会话时长 (sliding expiration, absolute)
Ticket 重用
Single Sign-Out(单点注销)
又可写做single log-out (SLO)。通过一个SSO会话主发布停止访问服务的期望,CAS服务被通知SSO会话结束。尽管这可以提高安全,但根本上并不会结束访问。下面的控制可以用来降低SLO带来的风险:
SLO可以以两种方式实现:从CAS服务器(back-channel logout)或从浏览器(front-channel logout)。从服务器的话,SLO过程依赖SimpleHttpClient类有一个线程池:它的大小必需合适的定义来处理所有的注销请求。未被处理的注销请求会临时存储在一个队列里。队列的大小一般是全局线程池容量的20%. 这两个值是重要的设置,都不可以超过实际的容量。
Login Throttling(登录限制)
Credential Encryption(凭证加密)
一个开源的产品叫做Java Simplified Encryption,允许你在运行期间替换文件中的明文密码Jasypt可以被集成到Spring配置框架中,所以当配置文件加载的时候它的属性值可以被读取。Jasypt’s approach replaces the the property management technique with one that recognizes encrypted strings and decrypts them. This method uses password-based encryption, which means that the system still needs a secret password in order to decrypt our credentials. We don’t want to simply move the secret from one file to another, and Jasypt avoids that by passing the key as an environment variable or even directly to the application through a web interface each time it is deployed.
CAS Security Filter(安全过滤器)
The CAS project provides a number of a blunt generic security filters suitable for patching-in-place Java CAS server and Java CAS client deployments vulnerable to certain request parameter based bad-CAS-protocol-input attacks. The filters are configured to sanitize authentication request parameters and reject the request if it is not compliant with the CAS protocol in the event that for instance, a parameter is repeated multiple times, includes multiple values, contains unacceptable values, etc.
It is STRONGLY recommended that all CAS deployments be evaluated and include this configuration if necessary to prevent protocol attacks in situations where the CAS container and environment are unable to block malicious and badly-configured requests.
Security Response Headers
As part of the CAS Security Filter, the CAS project automatically provides the necessary configuration to insert HTTP Security headers into the web response to prevent against HSTS, XSS, X-FRAME and other attacks. These settings are presently off by default, and may be enabled via the following settings:
# httpresponse.header.cache=false
# httpresponse.header.hsts=false
# httpresponse.header.xframe=false
# httpresponse.header.xcontent=false
# httpresponse.header.xss=false
To review and learn more about these options, please visit this guide.
Spring Webflow Sessions
The CAS project uses Spring Webflow to manage and orchestrate the authentication process. The conversational state of the webflow used by CAS is managed by the client which is then passed and tracked throughout various states of the authentication process. This state must be secured and encrypted to prevent session hijacking. While CAS provides default encryptions settings out of the box, it is STRONGLY recommended that all CAS deployments be evaluated prior to production rollouts and regenerate this configuration to prevent attacks.
User-Driven Security Features
The following features may be employed to afford some user control of the SSO experience.
Long Term Authentication
The long term authentication feature, commonly referred to as “Remember Me”, is selected (usually via checkbox) on the CAS login form to avoid reauthentication for an extended period of time. Long term authentication allows users to elect additional convenience at the expense of reduced security. The extent of reduced security is a function of the characteristics of the device used to establish a CAS SSO session. A long-term SSO session established from a device owned or operated by a single user is marginally less secure than a standard CAS SSO session. The only real concern would be the increased lifetime and resulting increased exposure of the CAS ticket-granting ticket. Establishing a long-term CAS SSO session from a shared device, on the other hand, may dramatically reduce security. The likelihood of artifacts from previous SSO sessions affecting subsequent SSO sessions established by other users, even in the face of single sign-out, may increase the likelihood of impersonation. While there are no feasible mitigations for improving security of long-term SSO sessions on a shared device, educating users on the inherent risks may improve overall security.
It is important to note that forced authentication supercedes long term authentication, thus if a service were configured for forced authentication, authentication would be required for service access even in the context of a long-term session.
Long term authentication support must be explicitly enabled through configuration and UI customization during the installation process. Thus deployers choose to offer long-term authentication support, and when available users may elect to use it via selection on the CAS login form.
CAS supports optional notification of service access during an established SSO session. By default CAS transparently requests tickets needed for service access and presents them to the target service for validation, whereby upon successful validation access to the service is permitted. In most cases this happens nearly instantly and the user is not aware of the CAS authentication process required to access CAS-enabled services. There may be some security benefit to awareness of this process, and CAS supports a warn flag that may be selected by the user on the CAS login screen to provide an interstitial notification page that is displayed prior to accessing a service. By default the notification page offers the user an option to proceed with CAS authentication or abort by navigating away from the target service.