Rework CAS service URL matching
Summary
With #2321 (closed) we modified the way CAS service URLs are matched.
In the interest of compatibility, we kept the previous behavior of matching on hostname only, but added the possibility of specifying a URL prefix (for people who have all their apps behind the same host).
This behavior is complex, and somewhat insecure (because of the host-only fallback). We need to fix this in 3.0 by breaking compatibility with the hostname-only match and enforcing a stricter match on CAS service URLs.
Design proposition
- Maybe keeping the current prefix-matching system
- Maybe using regexps like Apereo, to allow more control
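
The difference between the hostname-only fallback and a strict prefix match, as an added example that is not the project's own code. The function names, the `example.test` URLs and the exact strict-match rules (same scheme, host and port, path prefix on a segment boundary, dot-segments refused) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

def _parts(url):
    """Return (scheme, host, port, path); reject userinfo and non-HTTP schemes."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("unsupported URL: %r" % url)
    if u.username is not None or u.password is not None:
        raise ValueError("userinfo not allowed: %r" % url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.scheme, u.hostname.lower(), port, u.path or "/"

def host_only_match(service, registered):
    """Hostname-only comparison, the fallback the issue calls insecure."""
    return urlsplit(service).hostname == urlsplit(registered).hostname

def strict_prefix_match(service, registered):
    """Exact scheme/host/port, and a path prefix that ends on a segment boundary."""
    try:
        s_scheme, s_host, s_port, s_path = _parts(service)
    except ValueError:
        return False
    r_scheme, r_host, r_port, r_path = _parts(registered)
    if (s_scheme, s_host, s_port) != (r_scheme, r_host, r_port):
        return False
    # Refuse dot-segments (also percent-encoded) rather than trying to normalise.
    if ".." in unquote(s_path).split("/"):
        return False
    prefix = r_path if r_path.endswith("/") else r_path + "/"
    return s_path == r_path or s_path.startswith(prefix)

# Constructed sample data: one registered application and candidate service URLs.
REGISTERED = "https://apps.example.test/app1/"
CANDIDATES = [
    "https://apps.example.test/app1/login",           # the registered app
    "https://apps.example.test/app2/",                # another app, same host
    "https://apps.example.test/app1/../app2/",        # escapes the prefix
    "http://apps.example.test/app1/",                 # scheme downgrade
    "https://apps.example.test.other.example/app1/",  # different host
]

def compare(registered=REGISTERED, candidates=CANDIDATES):
    """Return (url, host_only_result, strict_result) for each candidate."""
    return [(c, host_only_match(c, registered), strict_prefix_match(c, registered))
            for c in candidates]

if __name__ == "__main__":
    for url, legacy, strict in compare():
        print("%-50s host-only=%-5s strict=%s" % (url, legacy, strict))
```
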