Upgrading
################################
### Upgrading 1.5.0 -> 1.6.0 ###
################################
phpCAS now requires an additional service base URL argument when constructing
the client class, similar to the serverName setting of other CAS clients. It
accepts any of the following:
1. A service base URL string. The service URL discovery will always use this
server name (protocol, hostname and port number) without using any external
host names.
2. An array of service base URL strings. The service URL discovery will check
against this list before using the auto discovered base URL. If there is no
match, the first base URL in the array will be used as the default. This
option is helpful if your PHP website is accessible through multiple domains
without a canonical name, or through both HTTP and HTTPS.
3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
customize the base URL discovery behavior, you can pass in a class that
implements the interface.
For options 1 and 2, protocol, hostname and port should all appear without a
trailing slash, e.g. http://example.org:8080. You can omit the default port for
the protocol, i.e. use https://example.org instead of
https://example.org:443 (if you use HTTPS).
For security reasons, we no longer allow service base URL discovery without an
allowed list check by default. For more information, refer to the security
advisory.
This version also changed the cURL User-Agent string that phpCAS uses when
sending validation requests to the CAS server. It will appear as phpCAS/1.6.0,
with the version number reflecting the library version.
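The following is an added example, not code from the phpCAS project, showing a 1.6 client constructed with each of the three accepted service base URL forms. It assumes a Composer install, that the service base URL is the fifth argument of phpCAS::client(), and that CAS_ServiceBaseUrl_Interface declares a single get() method returning the base URL string (check the interface shipped with your version); host names and paths are placeholders. The option 3 class keeps an allow-list check so that a client-controlled Host header cannot change the service URL that is sent to the CAS server for ticket validation.

```php
<?php
// Added example (not phpCAS project code). Assumptions: Composer autoloader,
// service base URL is the fifth argument of phpCAS::client(), and
// CAS_ServiceBaseUrl_Interface has one method, get(), returning a string.
require_once __DIR__ . '/vendor/autoload.php';

// Option 1: one fixed base URL. The request's Host header is never consulted.
$serviceBaseUrl = 'https://app.example.org';

// Option 2: an allow list. Discovery matches the current request against these
// and falls back to the first entry, so put the canonical name first.
$serviceBaseUrl = array(
    'https://app.example.org',
    'https://app.example.com',
    'http://app.example.org:8080',
);

// Option 3: custom discovery that still enforces an allow list.
final class AllowListedServiceBaseUrl implements CAS_ServiceBaseUrl_Interface
{
    /** @var string[] lower-cased "scheme://host[:port]" values, no trailing slash */
    private $allowed;

    public function __construct(array $allowed)
    {
        if ($allowed === array()) {
            throw new InvalidArgumentException('allow list must not be empty');
        }
        $this->allowed = array_map('strtolower', $allowed);
    }

    public function get()
    {
        $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        $scheme = $https ? 'https' : 'http';
        $host   = strtolower(isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '');

        // Drop the default port so "app.example.org:443" matches an allow-list
        // entry written as "https://app.example.org".
        $defaultPort = $https ? ':443' : ':80';
        if (substr($host, -strlen($defaultPort)) === $defaultPort) {
            $host = substr($host, 0, -strlen($defaultPort));
        }

        $candidate = $scheme . '://' . $host;
        // Exact match only; anything else falls back to the first (canonical) entry.
        return in_array($candidate, $this->allowed, true) ? $candidate : $this->allowed[0];
    }
}
$serviceBaseUrl = new AllowListedServiceBaseUrl(array(
    'https://app.example.org',
    'https://app.example.com',
));

phpCAS::client(CAS_VERSION_3_0, 'cas.example.org', 443, '/cas', $serviceBaseUrl);
// Validate the CAS server certificate against a CA bundle, including CN/SAN.
phpCAS::setCasServerCACert('/etc/ssl/certs/cas-ca.pem', true);
phpCAS::forceAuthentication();
```

Only the last assignment to $serviceBaseUrl takes effect; the three are shown together so the forms can be compared. Whichever form you pick, the value that reaches the CAS server is never derived from an unvalidated Host header.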
################################
### Upgrading 1.3.3 -> 1.3.4 ###
################################
For security hardening purposes the verbose error messages to the web browsers
are now masked. If you want to have the verbose messages you need to use:
phpCAS::setVerbose(true);
This will set the configuration to the old verbose mode that helps during
development and debugging.
################################
### Upgrading 1.3.1 -> 1.3.2 ###
################################
Because the CN of the SSL certificate was previously not validated, phpCAS may
now fail validation of CAS server certificates that do not match the IP/DNS
name you use in the phpCAS client() or proxy() setup.
If this happens, a quick workaround is to change the setup to the old but insecure
behaviour. This can be seen in the no_ssl_cn_validation example.
This is not a recommended setting and is not a secure setup!
################################
### Upgrading 1.2.x -> 1.3.0 ###
################################
------------------------------------------------------------------
1. Change of the default debug.log permissions:
------------------------------------------------------------------
The default debug log is now created with 0600 permissions so that it is only
readable by the webserver.
-------------------------------------------------------
2. Change of the behaviour of proxied applications:
-------------------------------------------------------
If your application is being proxied (another CASified application is using
proxy tickets to access your service), you need to change your configuration. The
new default configuration is to deny any proxied use of your service unless
it is explicitly allowed.
If you want your service to be proxied you have to enable it (default disabled)
and define an acceptable list of proxies that are allowed to proxy your service.
Add each allowed proxy definition object. For the normal CAS_ProxyChain
class, the constructor takes an array of proxies to match. The list is in
reverse order as seen from the service: proxies have to be defined in reverse
from the service back to the user. If a user hits service A and gets proxied via
B to service C, the list of acceptable proxies on C would be array(B,A). The
definition of an individual proxy can be either a string or a regexp (preg_match
is used) that will be matched against the proxy list supplied by the CAS server
when validating the proxy tickets. Strings are compared starting from
the beginning and must fully match the proxies in the list.
Examples:
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
'https://app.example.com/'
)));
or
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
'/^https:\/\/app[0-9]\.example\.com\/rest\//',
'http://client.example.com/'
)));
For quick testing or in certain production scenarios you might want to
allow any other valid service to proxy your service. To do so, add
the "Any" chain:
phpCAS::allowProxyChain(new CAS_ProxyChain_Any);
THIS SETTING IS HOWEVER NOT RECOMMENDED FOR PRODUCTION AND HAS SECURITY
IMPLICATIONS: YOU ARE ALLOWING ANY SERVICE TO ACT ON BEHALF OF A USER
ON THIS SERVICE.
----------------------------------------------------------------
3. Change of the default PGT file storage location in proxy mode:
----------------------------------------------------------------
The sensitive PGT session files are now stored in session_save_path() by
default. This is a PHP environment dependent directory which is also used for
storing your PHP session data. The default permissions are also changed to 0600
so that the files are only readable by the webserver.
------------------------------------------------------------------
4. The setPGTStorageFile() function has changed its parameters.
------------------------------------------------------------------
The setPGTStorageFile() function no longer needs a storage "format" argument.
Since the format functionality was never implemented it has now been dropped
and only the path argument is necessary.
------------------------------------------------------------------
5. The startSession boolean in the constructor has been changed to
changeSessionID
------------------------------------------------------------------
The last parameter of the constructor has been changed from "start session"
to "change session ID". This has no negative effects on existing integrations,
but allows integrations with other frameworks to take advantage of single
sign-out if they switch it to "true". phpCAS will then rename the session ID
(keeping all variables) and be able to single sign-out users.
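As an added example that is not part of the phpCAS project, here is how service C from the A -> B -> C scenario in section 2 would be configured under the 1.3.0 defaults described in sections 2 to 5: an explicit proxy chain in reverse order, a path-only PGT storage call, and changeSessionID as the last constructor argument. It uses the phpCAS 1.6 proxy() signature (service base URL as the fifth argument; on 1.3.x that argument is absent), assumes a Composer install and that phpCAS::getProxies() returns the validated proxy list, and uses placeholder host names and paths.

```php
<?php
// Added example (not phpCAS project code): service C, reached as user -> A -> B -> C.
// Assumptions: Composer autoloader, phpCAS 1.6 proxy() signature, and
// phpCAS::getProxies() returning the proxy list accepted during validation.
require_once __DIR__ . '/vendor/autoload.php';

// Last argument (changeSessionID) = true lets phpCAS rename the session so
// CAS single sign-out can locate it (section 5).
phpCAS::proxy(CAS_VERSION_3_0, 'cas.example.org', 443, '/cas', 'https://c.example.org', true);

// Validate the CAS server certificate, including its CN/SAN (1.3.2).
phpCAS::setCasServerCACert('/etc/ssl/certs/cas-ca.pem', true);

// Section 4: only a path is accepted now; the old "format" argument is gone.
// Section 3: if omitted, PGT files go to session_save_path() with mode 0600.
phpCAS::setPGTStorageFile('/var/lib/phpcas/pgt');

// Section 2: proxying is denied unless a chain is explicitly allowed. Chains are
// listed in reverse, nearest proxy first: C was called by B, and B by A.
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
    'https://b.example.org/',
    'https://a.example.org/',
)));

// A regexp entry (matched with preg_match) can stand in for a string, e.g. to
// accept a numbered pool of B instances. Any chain not matching an allowed
// definition is rejected; CAS_ProxyChain_Any is deliberately not used here.
phpCAS::allowProxyChain(new CAS_ProxyChain(array(
    '/^https:\/\/b[0-9]\.example\.org\//',
    'https://a.example.org/',
)));

phpCAS::forceAuthentication();

// Record which chain was accepted so proxied access is visible in the logs.
error_log(sprintf(
    'phpCAS: user %s authenticated via proxies [%s]',
    phpCAS::getUser(),
    implode(' <- ', phpCAS::getProxies())
));
```

All of setCasServerCACert(), setPGTStorageFile() and allowProxyChain() must be called before forceAuthentication(); a direct (non-proxied) login still succeeds with this configuration, since the chain list only constrains proxy ticket validation.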