[cas-dev] Request for modification of online installation guide re TGT session cookie and SSL
Andrew William Petro
apetro at unicon.net
Mon Apr 16 10:23:12 EDT 2007
Konrad,
I agree that SSL is not usefully optional in CAS, in any environment.
I think this documentation should be modified to make using SSL the
expected case. Instead of "if you wish to use SSL with CAS", "SSL is
required for the full CAS featureset. CAS leverages SSL to place secure
SSO session cookies and to authenticate applications via callbacks. CAS
clients typically require that the CAS server validate tickets over
SSL. SSL is a reality of CAS environments. You are recommended to use
SSL (whether established via self-signed certificates or commercial
certificates) in all of your CAS environments."
And then treat *not* using SSL as the special case:
"However, it is possible to deploy CAS into a non-SSL environment and
get the basic idea of CAS with a degraded featureset. As you'd expect,
*CAS deployments not using SSL are insecure*."
Andrew
Wulf, Konrad wrote:
> Dear Scott, dear others of the CAS development team,
>
> We have made the following observation that the mechanism for picking up
> a new service ticket when already logged into CAS while switching to
> another service will _only_ work when SSL is enabled, since the TGT
> session cookie is a secure one, requiring an active SSL connection.
>
> In your guide "installing CAS" in section "Working with CAS" and section
> "Demo-ing CAS"
> (http://www.ja-sig.org/products/cas/server/installing/index.html), you
> are giving the impression that SSL is optional for development systems.
> But it is _not_ if you want a fully functional system. Perhaps you can
> rewrite that section of the installation guide accordingly?
>
> cheers,
> Konrad
>
> P.S.: Thanks for providing with CAS such a handy and useful software ;-)
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
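The behaviour Konrad describes (a Secure TGT cookie that the browser withholds on plain-HTTP visits, so SSO between services only works over SSL) can be reproduced with the Secure-attribute rule that Python's standard-library cookie jar applies, which is the same rule browsers follow. The script below is an added example, not code from this thread or from the CAS project. The host name, the service URL and the ticket value are constructed placeholders, and the cookie name `CASTGC` and cookie path `/cas` are assumptions about the CAS server, not taken from the thread.

```python
"""Modelling the CAS TGT cookie's Secure attribute with a cookie jar.

Added example, not code from the original thread or from the CAS project.
Python's standard-library CookieJar applies the same Secure-attribute rule a
browser does: a cookie marked Secure is attached to https requests only. The
host name, ticket value and service URL are constructed placeholders; the
cookie name CASTGC and the path /cas are assumptions about the CAS server.
"""
from email import message_from_string
from http.cookiejar import CookieJar
from urllib.request import Request

CAS_HOST = "cas.example.edu"              # constructed placeholder host
TGT_COOKIE = "CASTGC=TGT-1-placeholder"   # constructed placeholder ticket value


class _LoginResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_header):
        self._headers = message_from_string(
            f"Set-Cookie: {set_cookie_header}\r\n\r\n")

    def info(self):
        return self._headers


def issue_tgt_cookie(jar, secure=True):
    """Simulate the CAS login page (served over https) setting the TGT cookie.

    With secure=True the Set-Cookie header carries the Secure attribute, as
    CAS does for its TGT cookie. Returns the number of cookies the jar holds.
    """
    attrs = f"{TGT_COOKIE}; Path=/cas" + ("; Secure" if secure else "")
    login = Request(f"https://{CAS_HOST}/cas/login")
    jar.extract_cookies(_LoginResponse(attrs), login)
    return len(jar)


def sso_cookie_sent(followup_scheme, secure=True):
    """Log in over https, then model a second service redirecting the browser
    back to /cas/login over `followup_scheme` ("https" or "http").

    Returns the Cookie header the browser would attach to that request, or
    None when the jar withholds the cookie (CAS then sees no TGT and shows
    the login form again instead of issuing a service ticket).
    """
    jar = CookieJar()
    issue_tgt_cookie(jar, secure)
    service = "https%3A%2F%2Fapp.example.edu%2F"   # constructed service URL
    followup = Request(
        f"{followup_scheme}://{CAS_HOST}/cas/login?service={service}")
    jar.add_cookie_header(followup)
    return followup.get_header("Cookie")


if __name__ == "__main__":
    for scheme, secure in (("https", True), ("http", True), ("http", False)):
        hdr = sso_cookie_sent(scheme, secure)
        flag = "Secure" if secure else "non-Secure"
        if hdr:
            outcome = f"SSO works (Cookie: {hdr})"
        else:
            outcome = "no cookie sent, user is prompted to log in again"
        print(f"{flag} TGT cookie, second service over {scheme}: {outcome}")
```

The three scenarios in the `__main__` block cover both halves of the discussion: with the Secure attribute, the TGT cookie travels over https and SSO works, while over http the jar withholds it and the user is asked to log in again, which is the degraded, non-SSL behaviour Konrad observed. The third case shows why CAS sets the attribute in the first place: a TGT cookie without Secure would be sent over http too, exposing the SSO session cookie in cleartext, which is the "insecure" deployment Andrew's proposed wording warns about.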