This is a post about one of the quickest and most important things to check in reviewing CAS configuration: ensure that the demo password handler has been turned off. This post is one of a series on reviewing CAS configuration.
One of the details I’m always looking for in reviewing CAS configuration is that the default demo authentication handler, which accepts any username whose password is the username itself (SimpleTestUsernamePasswordAuthenticationHandler), has been removed from the set of valid authentication handlers in
It’s easy to add another authentication handler, neglect to remove the demo one, test and discover that the newly added (e.g., LDAP-backed) handler works, and never notice that a username paired with that same username as its password still logs users in. Ouch!
```xml
<property name="authenticationHandlers">
  <list>
    <!--
      | This is the authentication handler that authenticates services by means of callback via SSL,
      | thereby validating a server side SSL certificate.
      +-->
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />
    <!--
      | Must remove the following bean before CAS is put into production,
      | replacing with however you really want to validate passwords!
      +-->
    <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
  </list>
</property>
```
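As an added review check (not code from the post or from the CAS project), the script below parses a CAS Spring configuration and reports whether the demo handler is still wired into the `authenticationHandlers` list, treating a commented-out bean as inactive and resolving `<ref>` entries to top-level beans. The sample XML is constructed; the surrounding `authenticationManager` bean follows the standard CAS layout, and `com.example.RealPasswordHandler` is a placeholder for whatever real handler you wire in.

```python
import xml.etree.ElementTree as ET

# Fully qualified name of the demo handler the post says must be removed.
DEMO_HANDLER = ("org.jasig.cas.authentication.handler.support."
                "SimpleTestUsernamePasswordAuthenticationHandler")

def _local(tag):  # drop the namespace ElementTree prepends to Spring's default-namespaced tags
    return tag.rsplit("}", 1)[-1]

def sample_config(demo_active):
    """Constructed sample: the post's handler list inside a Spring <beans> root."""
    demo_bean = '<bean class="%s" />' % DEMO_HANDLER if demo_active else ""
    return """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p">
  <bean id="realPasswordHandler" class="com.example.RealPasswordHandler" /> <!-- placeholder -->
  <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
              p:httpClient-ref="httpClient" />
        <ref bean="realPasswordHandler" />
        <!-- commented out, so Spring never instantiates it: <bean class="%s" /> -->
        %s
      </list>
    </property>
  </bean>
</beans>""" % (DEMO_HANDLER, demo_bean)

def active_authentication_handlers(xml_text):
    """Class names wired into authenticationHandlers, resolving <ref>s to top-level beans.
    The parser discards XML comments, so a commented-out demo handler counts as inactive."""
    root = ET.fromstring(xml_text)
    by_id = {b.get("id"): b.get("class") for b in root.iter()
             if _local(b.tag) == "bean" and b.get("id")}
    handlers = []
    for prop in root.iter():
        if _local(prop.tag) != "property" or prop.get("name") != "authenticationHandlers":
            continue
        for lst in (c for c in prop if _local(c.tag) == "list"):
            for node in lst:  # direct children only: nested helper beans are not handlers
                if _local(node.tag) == "bean" and node.get("class"):
                    handlers.append(node.get("class"))
                elif _local(node.tag) == "ref":
                    ref_id = node.get("bean") or node.get("local")
                    handlers.append(by_id.get(ref_id, "unresolved:%s" % ref_id))
    return handlers

def demo_handler_enabled(xml_text):
    """True when the username-is-password demo handler is still an active handler."""
    return DEMO_HANDLER in active_authentication_handlers(xml_text)
```

Run it against the real file by reading it into a string and calling `demo_handler_enabled` on it; any `unresolved:` entry in the handler list means a `<ref>` points at a bean defined outside the file and deserves a manual look.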