We have a similar situation. To mitigate the potential risks, we allow the localhost service registrations to facilitate developers' work, but only in our non-production CAS environments, and they must be on one of our networks (or VPNs) and not some random public IP address.
On Thu, Jul 11, 2024 at 10:53 PM jehan procaccia <jehanpr...@gmail.com> wrote:
> Hello
>
> developers ask us to allow serviceID of type https://localhost/* or https://127.0.0.1/* in order to allow them to develop on their local machine and test locally.
> As system and network administrators we are afraid that this opening of localhost serviceID might allow the entire world (all Internet connected devices and hence hackers!) to access our CAS server, allowing them for example to brute force the web login interface or whatever other mischief possible.
> Is this a real security breach to allow serviceID like https://localhost/*, or are we anyway already exposed by our production services which allow https://*.our-domain.fr/* serviceID which could also be used by hackers if they spoof our URLs?
>
> thanks for your security advice regarding this question.
> --
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f278051d-a428-4232-8ccc-ac0bf042ff81n%40apereo.org

--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL2N7ig8jPA%2BdjwvcdZdyAm%2BuWXUaeiUvr1m8bMzbxM20g%40mail.gmail.com.
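As an added illustration of the policy described in the reply above (this is example code written for this page, not code from the thread, from Baron's deployment or from the CAS project), the following Python module encodes two checks a registry reviewer would want: a loopback serviceId pattern is accepted only outside production and only when the requesting developer comes from an internal network or VPN, and a service URL is matched against a glob-style serviceId by comparing host and path separately so that a host wildcard cannot span into the path. The function names, the environment label `production`, and the sample internal networks are assumptions.

```python
"""Policy check for glob-style CAS service registrations (example code).

Assumed inputs: serviceId patterns as written in the thread
(https://localhost/*, https://127.0.0.1/*, https://*.our-domain.fr/*),
an environment label and the requester's IP address.
"""
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample: address ranges counted as "our networks or VPNs".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]
LOOPBACK_NAMES = {"localhost"}


def targets_loopback(service_id):
    """True when the serviceId pattern points at the developer's own machine."""
    host = urlsplit(service_id).hostname or ""
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8, ::1
    except ValueError:
        return False  # a hostname or wildcard pattern, not a literal address


def service_matches(service_id, service_url):
    """Match a service URL against a glob-style serviceId, component by component.

    Matching host and path separately keeps a '*' in the host part from
    also consuming '/'-separated path segments of an unrelated URL.
    """
    pat, url = urlsplit(service_id), urlsplit(service_url)
    if pat.scheme != url.scheme:
        return False
    if not fnmatchcase(url.hostname or "", pat.hostname or ""):
        return False
    return fnmatchcase(url.path, pat.path)


def registration_decision(service_id, environment, requester_ip):
    """Apply the loopback policy; returns (allowed, reason)."""
    if not targets_loopback(service_id):
        return True, "non-loopback serviceId; ordinary registry review applies"
    if environment == "production":
        return False, "loopback serviceId not permitted in production"
    ip = ipaddress.ip_address(requester_ip)
    if not any(ip in net for net in INTERNAL_NETWORKS):
        return False, "requester is outside internal networks/VPN"
    return True, "loopback serviceId accepted for non-production use"


if __name__ == "__main__":
    for sid, env, ip in [
        ("https://localhost/*", "production", "10.1.2.3"),
        ("https://localhost/*", "development", "203.0.113.5"),
        ("https://127.0.0.1/*", "development", "10.1.2.3"),
    ]:
        print(sid, env, ip, "->", registration_decision(sid, env, ip))
    print(service_matches("https://*.our-domain.fr/*",
                          "https://evil.example/x.our-domain.fr/cb"))
```

The host/path split in `service_matches` is the part worth copying: a naive `fnmatch` of the whole URL against `https://*.our-domain.fr/*` would let the `*` swallow `evil.example/x` and accept a URL whose real host is not under `our-domain.fr`; CAS itself evaluates serviceId as a regular expression, so the same care applies to anchoring and escaping there.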