[cas-dev] Proxy ticket validator uncertainty
Scott Battaglia
scott.battaglia at gmail.com
Thu Sep 11 09:56:00 EDT 2008
Dave,
The protocol documents should give a detailed description of how the
proxying works (independent of the client):
http://www.ja-sig.org/products/cas/overview/background/index.html
You'll also notice that in the latest Spring Security there is no option to
set a trustStore because it's a JVM-wide property.
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Thu, Sep 11, 2008 at 9:41 AM, David Whitehurst <dlwhitehurst at gmail.com>wrote:
> I originally required the following initially when first experimenting
> with CAS. The following snippet contains a configuration for a
> keystore that was not present in the documentation that I had. I'll
> share this snippet and then explain how CAS was implemented further
> and ask my specific question then.
>
> <bean id="casProxyTicketValidator"
>       class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator"
>       p:casValidate="${cas.securityContext.casProxyTicketValidator.casValidate}"
>       p:serviceProperties-ref="serviceProperties">
>     <property name="proxyCallbackUrl"><null /></property>
>     <property name="trustStore">
>         <value>c:\\Servers\\jboss-4.2.2.GA\\server\\default\\conf\\mykeystore.jks</value>
>     </property>
> </bean>
>
> I started to explain all the steps and implementations but I've
> decided to explain the present configuration. I am using Apache 2.2
> with an openSSL cert for HTTPS. Any client calls back to CAS server
> use HTTPS and the Apache trusted cert is added to cacerts
> (jre/lib/security). The Tomcat in JBoss still requires mykeystore.jks
> for store only, but the only piece that's used now is a secure LDAP
> certificate that's added to the store. I don't believe that the
> "tomcat" alias initially created (keystore entry) is even needed.
> And, now my question is "why" did I have to add the trustStore
> property when I initially started?
>
> I've created an Apache/JBoss/CAS serving environment here and I'm
> using my own authorization mechanisms for web apps and web services.
> I've lost the why for the trustStore I added early on. Can someone
> explain in detail how the proxyTicketValidator works and how HTTPS is
> involved?
>
> I'm digging voraciously through the code this morning, but a reply
> might speed things up for me.
>
> Thanks,
>
>
> David
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
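For readers following the protocol document Scott links, the following is an added illustration (not code from CAS, Acegi or Spring Security) of what a proxy ticket validator actually does on the wire and where HTTPS trust enters. Two TLS connections are involved: the application calls the CAS server's /proxyValidate endpoint, so the application's JVM must trust the CAS server certificate; and if the application passes a pgtUrl (the proxyCallbackUrl in the Acegi bean above), the CAS server opens its own HTTPS connection back to that URL, so the CAS server's JVM must trust the application's certificate. Both sides pick their trust store from the JVM-wide javax.net.ssl.trustStore property (default: jre/lib/security/cacerts), which is why the validator bean has no per-bean setting. All URLs, the ticket value and the trust-store path below are placeholders.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added illustration, not code from CAS, Acegi or Spring Security: a minimal
 * CAS 2.0 /proxyValidate call over HTTPS and parsing of its XML response.
 * Every URL, ticket and path in this file is a placeholder.
 */
public class ProxyValidateExample {

    // Namespace used by CAS 2.0 validation responses.
    private static final String CAS_NS = "http://www.yale.edu/tp/cas";

    /** Outcome of one /proxyValidate call. */
    public static final class ValidationResult {
        public final String user;         // authenticated user, null on failure
        public final String pgtIou;       // PGTIOU if CAS accepted the pgtUrl callback, else null
        public final String failureCode;  // e.g. INVALID_TICKET, null on success

        ValidationResult(String user, String pgtIou, String failureCode) {
            this.user = user;
            this.pgtIou = pgtIou;
            this.failureCode = failureCode;
        }

        public boolean isSuccess() { return user != null; }
    }

    /**
     * Connection 1: the application validates the ticket it received by calling
     * the CAS server over HTTPS. The TLS handshake here is where the CAS server
     * certificate must be trusted by THIS JVM's trust store.
     */
    public static ValidationResult validate(String casServerUrlPrefix, String service,
                                            String ticket, String pgtUrl) throws Exception {
        StringBuilder query = new StringBuilder()
            .append("service=").append(URLEncoder.encode(service, "UTF-8"))
            .append("&ticket=").append(URLEncoder.encode(ticket, "UTF-8"));
        if (pgtUrl != null) {
            // Connection 2 happens on the CAS side: asking for a PGT makes the CAS
            // server open its own HTTPS connection back to pgtUrl, so the CAS
            // server's JVM must trust the certificate that pgtUrl presents.
            query.append("&pgtUrl=").append(URLEncoder.encode(pgtUrl, "UTF-8"));
        }
        URL url = new URL(casServerUrlPrefix + "/proxyValidate?" + query);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try (InputStream in = conn.getInputStream()) {
            return parseResponse(in);
        } finally {
            conn.disconnect();
        }
    }

    /** Parses a CAS 2.0 serviceResponse document; the input is untrusted network data. */
    public static ValidationResult parseResponse(InputStream in) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // No DTD or external entity is legitimate in a CAS response; refuse them (XXE hardening).
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder().parse(in);

        NodeList success = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        if (success.getLength() == 1) {
            Element s = (Element) success.item(0);
            return new ValidationResult(childText(s, "user"),
                                        childText(s, "proxyGrantingTicket"), null);
        }
        NodeList failure = doc.getElementsByTagNameNS(CAS_NS, "authenticationFailure");
        if (failure.getLength() == 1) {
            return new ValidationResult(null, null,
                                        ((Element) failure.item(0)).getAttribute("code"));
        }
        throw new IllegalStateException("Not a CAS 2.0 serviceResponse document");
    }

    private static String childText(Element parent, String localName) {
        NodeList nodes = parent.getElementsByTagNameNS(CAS_NS, localName);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // The trust store is JVM-wide. It is normally given on the command line as
        // -Djavax.net.ssl.trustStore=/path/to/truststore.jks; set here only to show
        // the property name. Unset, the JRE default (jre/lib/security/cacerts) applies.
        System.setProperty("javax.net.ssl.trustStore", "/path/to/truststore.jks"); // placeholder

        ValidationResult r = validate("https://cas.example.org/cas",            // placeholder
                                      "https://app.example.org/login/cas",      // placeholder
                                      "ST-placeholder",                         // placeholder
                                      "https://app.example.org/pgtCallback");   // placeholder
        System.out.println(r.isSuccess() ? "user=" + r.user + " pgtIou=" + r.pgtIou
                                         : "failed: " + r.failureCode);
    }
}
```

Run with the trust store that contains the CAS server's certificate chain; if that JVM trusts only the default cacerts and the CAS server uses a self-signed or private-CA certificate, the handshake in validate() fails before any ticket is checked, which is the symptom that makes people add a trustStore early on.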