CAS REST authentication API accepts text/* but not application/* content type


Problem description


I have configured my CAS server to activate REST authentication, as per these instructions. However, in order for it to work, I must submit my credentials in plain text (content type text/html or xml) and not application/x-www-form-urlencoded as per the instructions. The credentials are lost when sent in the latter format.


I am uncomfortable sending my login credentials in plain text. Is this a bug in CAS and how can it be fixed? I am assuming it is less secure to send login credentials as text content type vs application, as the latter (I assume) does hash (or somehow else obfuscates) the content sent.


I should also mention that I had to make a fix to a bug in CAS due to which credentials were being lost regardless of the content type, by implementing this solution in my maven overlay. After that, only text-based content types worked and CAS does authenticate (albeit I find it annoying that the service returns HTML and not XML/JSON or even plain text, for the ease of programmatic processing).

Related: REST API endpoint /v1/tickets seems to lose the credential request parameters

Answer


Content-Type has no effect on the confidentiality of data in the request. Sending it with application/x-www-form-urlencoded in a request is not more (nor less) secure than text/html or text/xml if only confidentiality is considered. There is no additional security value in using any of those in a request; somebody with access to the raw request (a MitM attacker) will see the request contents either way. HTTPS effectively mitigates this risk with regard to MitM attackers on the network in between nodes, but not on endpoints where SSL is terminated (the source and target computers, and also any node in between that terminates SSL, for example a company proxy with a trusted root certificate on clients, a fairly common setup).


As for the possible security benefit of using text/plain instead of application/x-www-form-urlencoded, please see my answer to your other question. In short, using text/plain may prevent some CSRF attacks.
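The following is an added example, not code from the question, the answer or the CAS project, that makes the answer's confidentiality point concrete and also addresses the asker's assumption that an `application/*` content type hashes or obfuscates the body. It builds the raw HTTP POST a REST client would send to the `/v1/tickets` endpoint in both encodings and then recovers the credentials from the bytes alone, the way a MitM on plain HTTP or a TLS-terminating proxy would. The hostname and the credentials are constructed sample values; the only difference between the two wire formats is that form encoding percent-escapes special characters, which `parse_qs` reverses in one call.

```python
"""Added example: Content-Type changes how a CAS /v1/tickets body is
escaped, not whether an observer of the raw request can read it.
Hostname and credentials below are constructed sample values."""
from urllib.parse import urlencode, parse_qs

CAS_HOST = "cas.example.org"      # constructed hostname (assumption)
TICKETS_PATH = "/v1/tickets"      # CAS REST endpoint named in the question


def build_request(content_type: str, username: str, password: str) -> bytes:
    """Return the raw HTTP/1.1 POST a REST client would put on the wire."""
    if content_type == "application/x-www-form-urlencoded":
        # Percent-encoding is a reversible escaping scheme, not a hash:
        # '@' becomes %40 and ' ' becomes '+', nothing more.
        body = urlencode({"username": username, "password": password})
    elif content_type == "text/plain":
        # Same key/value pairs sent without any escaping at all.
        body = f"username={username}&password={password}"
    else:
        raise ValueError(f"unsupported content type: {content_type}")
    body_bytes = body.encode("utf-8")
    head = (
        f"POST {TICKETS_PATH} HTTP/1.1\r\n"
        f"Host: {CAS_HOST}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body_bytes)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body_bytes


def credentials_seen_by_observer(raw: bytes) -> dict:
    """What a passive observer of the cleartext request recovers from the
    bytes alone (a MitM on plain HTTP, or a proxy that terminates TLS)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii").split("\r\n")[1:]:   # skip request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        # Undo the percent-encoding; this is all the "obfuscation" there is.
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        return {k: v[0] for k, v in fields.items()}
    # text/* body: same delimiters, no decoding step needed.
    return dict(pair.split("=", 1) for pair in body.decode("utf-8").split("&"))


if __name__ == "__main__":
    for ctype in ("application/x-www-form-urlencoded", "text/plain"):
        raw = build_request(ctype, "alice", "p@ss w0rd")
        print(raw.decode("utf-8"))
        print("observer sees:", credentials_seen_by_observer(raw))
        print("-" * 40)
```

Both requests yield the same username and password to the observer; only the `Content-Type` header and the escaping of `@` and the space differ. The protection the asker is looking for comes from TLS on the connection, not from the body encoding, and as the answer notes, TLS does not help on any hop where it is terminated before the CAS server.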

