A servlet filter to use with CAS server 3.1 allowing to determine which url can be authorized as service url

When an organization hosts many web apps under same domainthey can use CAS without explicitly permission, it is sufficient to use a CAS client and set the service url correctly.

This problem is solved handling a white-list of authorized service urls.

Suppose your domain is mydomain.edu, CAS is configured on https://cas.mydomain.edu

Two apps are mapped on

• https://mydomain.edu/app1
• https://mydomain.edu/app2

You want only app1 can use the CAS but app2 receive an error if it tries to login using CAS, you simply need to add app1 url on ServiceUrlChecker.

The CAS server must be modified to use the filter

Modify the file cas.war\WEB-INF\web.xml and add the filter

<!--
    Configuration is read from the service_urls.properties file present on classpath
    Generally it is present on cas.war\WEB-INF\classes directory
-->
<filter>
	<filter-name>ServiceUrl Checker</filter-name>
	<filter-class>it.unipa.cuc.cas.filter.ServiceUrlCheckerFilter</filter-class>
</filter>

<filter-mapping>
	<filter-name>ServiceUrl Checker</filter-name>
	<url-pattern>/login</url-pattern>
</filter-mapping>

Add to end of cas.war/WEB-INF/classes/log4j.properties

log4j.logger.it.unipa.cuc.cas=DEBUG

Modify the file cas.war\WEB-INF\classes\service_urls.properties adding one url per file with the syntax

valid.service.url=https://localhost/mywebapp/home.seam valid.service.url=https://mywebsite/.*