Commit 33cb6327 authored by Misagh Moayyed's avatar Misagh Moayyed

updated docs. updated to 2.0.4

parent e99c39fd
...@@ -196,11 +196,26 @@ The filters are configured to sanitize authentication request parameters and rej ...@@ -196,11 +196,26 @@ The filters are configured to sanitize authentication request parameters and rej
It is **STRONGLY** recommended that all CAS deployments be evaluated and include this configuration if necessary to prevent protocol attacks in situations where the CAS container and environment are unable to block malicious and badly-configured requests. It is **STRONGLY** recommended that all CAS deployments be evaluated and include this configuration if necessary to prevent protocol attacks in situations where the CAS container and environment are unable to block malicious and badly-configured requests.
#### Security Response Headers
As part of the CAS Security Filter, the CAS project automatically provides the necessary configuration to
insert HTTP Security headers into the web response to prevent against HSTS, XSS, X-FRAME and other attacks.
These settings are presently off by default, and may be enabled via the following settings:
{% highlight xml %}
# httpresponse.header.cache=false
# httpresponse.header.hsts=false
# httpresponse.header.xframe=false
# httpresponse.header.xcontent=false
# httpresponse.header.xss=false
{% endhighlight %}
To review and learn more about these options, please visit [this guide][cas-sec-filter].
### Spring Webflow Sessions ### Spring Webflow Sessions
The CAS project uses Spring Webflow to manage and orchestrate the authentication process. The conversational state of the The CAS project uses Spring Webflow to manage and orchestrate the authentication process. The conversational state of the
webflow used by CAS is managed by the client which is then passed and tracked throughout various states of the authentication webflow used by CAS is managed by the client which is then passed and tracked throughout various states of the authentication
process. This state must be secured and encrypted to prevent session hijacking. While CAS provides default encryptions process. This state must be secured and encrypted to prevent session hijacking. While CAS provides default encryptions
settings out of the box, it is **STRONGLY** recommended that [all CAS deployments](../installation/Webflow-Customization.html) be evaluated prior to production rollouts and regenerate this configuration to prevent attacks. settings out of the box, it is **STRONGLY** recommended that [all CAS deployments](../installation/Webflow-Customization.html) be evaluated prior to production rollouts and regenerate this configuration to prevent attacks.
## User-Driven Security Features ## User-Driven Security Features
The following features may be employed to afford some user control of the SSO experience. The following features may be employed to afford some user control of the SSO experience.
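Review bot: the new "Security Response Headers" snippet is wrapped in `{% highlight xml %}`, but its body is `#`-commented `key=value` lines (`# httpresponse.header.hsts=false` and so on), so the fence language should be `properties` rather than `xml` for correct rendering. The sentence "prevent against HSTS, XSS, X-FRAME and other attacks" also reads as if HSTS were an attack; HSTS is the defensive header, so consider "to enable HSTS and to mitigate XSS, clickjacking (X-Frame-Options) and content-sniffing attacks". Finally, the reference-style link `[this guide][cas-sec-filter]` only renders if a `[cas-sec-filter]: ...` definition exists elsewhere in the page; please confirm it is defined.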
......
...@@ -73,12 +73,7 @@ ...@@ -73,12 +73,7 @@
<type>test-jar</type> <type>test-jar</type>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.jasig.cas</groupId>
<artifactId>cas-server-webapp-support</artifactId>
<version>${project.version}</version>
<scope>test</scope>
</dependency>
</dependencies> </dependencies>
<properties> <properties>
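Review bot: the removal of the `cas-server-webapp-support` test-scoped dependency is not mentioned in the commit message ("updated docs. updated to 2.0.4"), so it is unclear whether it is an intentional cleanup or an accidental drop. Please either confirm that no tests in this module still rely on classes from that artifact, or split the removal into its own commit with a one-line rationale.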
......
...@@ -1561,7 +1561,7 @@ ...@@ -1561,7 +1561,7 @@
<xml.apis.version>1.4.01</xml.apis.version> <xml.apis.version>1.4.01</xml.apis.version>
<jstl.version>1.2</jstl.version> <jstl.version>1.2</jstl.version>
<openid4java.version>0.9.8</openid4java.version> <openid4java.version>0.9.8</openid4java.version>
<cas-server-security-filter.version>2.0.4-SNAPSHOT</cas-server-security-filter.version> <cas-server-security-filter.version>2.0.4</cas-server-security-filter.version>
<google.guava.version>18.0</google.guava.version> <google.guava.version>18.0</google.guava.version>
<javax.el-api.version>3.0.0</javax.el-api.version> <javax.el-api.version>3.0.0</javax.el-api.version>
<javax.el-impl.version>2.2.6</javax.el-impl.version> <javax.el-impl.version>2.2.6</javax.el-impl.version>
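Review bot: moving `cas-server-security-filter.version` from `2.0.4-SNAPSHOT` to the released `2.0.4` is the right change for a reproducible build, since a SNAPSHOT can change underneath the deployment. Before merging, please verify that the `2.0.4` artifact is actually published to the repository the build resolves from, and that the documentation added in this same commit (headers described as "off by default") matches the defaults shipped in the 2.0.4 filter.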
......