[cas-dev] Proxy ticket validator uncertainty
David Whitehurst
dlwhitehurst at gmail.com
Thu Sep 11 09:41:13 EDT 2008
I originally required the following initially when first experimenting
with CAS. The following snippet contains a configuration for a
keystore that was not present in the documentation that I had. I'll
share this snippet and then explain how CAS was implemented further
and ask my specific question then.
<bean id="casProxyTicketValidator"
      class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator"
      p:casValidate="${cas.securityContext.casProxyTicketValidator.casValidate}"
      p:serviceProperties-ref="serviceProperties">
    <property name="proxyCallbackUrl"><null /></property>
    <property name="trustStore">
        <value>c:\\Servers\\jboss-4.2.2.GA\\server\\default\\conf\\mykeystore.jks</value>
    </property>
</bean>
I started to explain all the steps and implementations but I've
decided to explain the present configuration. I am using Apache 2.2
with an openSSL cert for HTTPS. Any client calls back to CAS server
use HTTPS and the Apache trusted cert is added to cacerts
(jre/lib/security). The Tomcat in JBoss still requires mykeystore.jks
for store only, but the only piece that's used now is a secure LDAP
certificate that's added to the store. I don't believe that the
"tomcat" alias initially created (keystore entry) is even needed.
And, now my question is "why" did I have to add the trustStore
property when I initially started?
I've created an Apache/JBoss/CAS serving environment here and I'm
using my own authorization mechanisms for web apps and web services.
I've lost the why for the trustStore I added early on. Can someone
explain in detail how the proxyTicketValidator works and how HTTPS is
involved?
I'm digging voraciously through the code this morning, but a reply
might speed things up for me.
Thanks,
David
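To make the role of the trustStore property concrete, here is an added illustration that is not part of David's post and not code from Acegi or CAS. The post says the validator's calls back to the CAS server go over HTTPS, so the question of "why a trust store" comes down to which server certificates the JVM will accept during that TLS handshake. The snippet loads a JKS trust store, builds an SSLContext whose trust anchors come only from that file, lists those anchors, and then opens an HTTPS connection to a validation URL. The file path, password and URL are hypothetical command-line arguments; if the server's certificate chain is not anchored in the store, the handshake fails with an SSLHandshakeException instead of returning a response, which is the symptom a missing or wrong trust store produces.

```java
// Added illustration: what a trustStore setting decides for an HTTPS
// validation call. Not code from the cas-dev post or from Acegi/CAS.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    /** Build an SSLContext whose trust anchors come only from the given JKS file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        // Show which issuer certificates the handshake will accept; anything
        // the server presents must chain to one of these.
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trust anchor: " + c.getSubjectX500Principal());
                }
            }
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, custom trust only
        return ctx;
    }

    /** Open the URL with the given context; the default hostname verifier stays active. */
    static int fetchStatus(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore.jks> <password> <https-url>");
            System.exit(2);
        }
        // args: hypothetical trust store path, its password, and the HTTPS URL
        // of the validation endpoint (for example the casValidate URL).
        SSLContext ctx = contextFromTrustStore(args[0], args[1].toCharArray());
        try {
            System.out.println("HTTP " + fetchStatus(ctx, args[2]));
        } catch (SSLHandshakeException e) {
            // The server's chain does not lead to a trust anchor in the store.
            System.err.println("handshake rejected: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it once against the JVM's cacerts (with its default password) and once against mykeystore.jks: if the Apache certificate has been imported into cacerts, the first run succeeds and the second fails unless that certificate is also in mykeystore.jks, which is the difference between the two setups described in the post.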