From 603b4a8063c9086d83152a511d09f71cc64ae3ff Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Wed, 3 Jun 2015 18:32:15 +0200
Subject: [PATCH] Protect the auth view with a shared secret
---
 cas_server/default_settings.py | 2 ++
 cas_server/views.py | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py
index a476214..4add92d 100644
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -27,6 +27,8 @@ setting_default('CAS_TICKET_TIMEOUT', 24*3600)
 setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
 setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
+setting_default('CAS_AUTH_SHARED_SECRET', '')
+
 setting_default('CAS_SERVICE_TICKET_PREFIX', 'ST')
 setting_default('CAS_PROXY_TICKET_PREFIX', 'PT')
 setting_default('CAS_PROXY_GRANTING_TICKET_PREFIX', 'PGT')
diff --git a/cas_server/views.py b/cas_server/views.py
index b154e11..7819992 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -294,9 +294,13 @@ class Auth(View)
 username = request.POST.get('username')
 password = request.POST.get('password')
 service = request.POST.get('service')
+ secret = request.POST.get('secret')
+ if not settings.CAS_AUTH_SHARED_SECRET:
+ return HttpResponse("no\nplease set CAS_AUTH_SHARED_SECRET", content_type="text/plain")
+ if secret != settings.CAS_AUTH_SHARED_SECRET:
+ return HttpResponse("no\n", content_type="text/plain")
 if not username or not password or not service:
- print "not username or service or password"
 return HttpResponse("no\n", content_type="text/plain")
 form = forms.UserCredential(
 request.POST,
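Review bot: The new line `setting_default('CAS_AUTH_SHARED_SECRET', '')` carries no comment saying what the value protects or what the empty default means, and nothing in this file tells an operator that the Auth view (per the views.py hunk of the same patch) refuses every request until it is set. Add a comment above it such as `# Shared secret that POST requests to the Auth view must send in their 'secret' field; the empty default disables the view.` so the fail-closed behaviour is visible where the setting is declared. Because the value is compared directly against a request field, it should be a long random string set in the deployment's settings rather than a short or committed value.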
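Review bot: The new check `if secret != settings.CAS_AUTH_SHARED_SECRET:` compares the client-supplied secret with an ordinary string comparison, which stops at the first differing character and so leaks timing information to anyone who can POST to this view. Use a constant-time comparison instead, `if not hmac.compare_digest((secret or '').encode('utf-8'), settings.CAS_AUTH_SHARED_SECRET.encode('utf-8')):`, with `import hmac` at the top of the file; the file still uses the Python 2 print statement, so this presumably needs 2.7.7 or later, and encoding both sides avoids the str/unicode type mismatch that `compare_digest` rejects on 2.7. The `or ''` also covers a request without a `secret` field, where `request.POST.get('secret')` is None. The `"no\nplease set CAS_AUTH_SHARED_SECRET"` reply is sent to any unauthenticated caller before the secret is checked, which is a harmless hint but does tell outsiders that the view exists and is unconfigured. The enclosing method starts outside the hunk.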