CAS and DMZ network topology
John Thiltges
jthiltges2 at unl.edu
Sun Nov 12 02:01:00 EST 2006
Rickard Oberg wrote:
> ...
>
> And in this last step comes the problem: since B is on the DMZ with no
> access to the internal network where A resides, is this scenario
> possible? It would seem that B needs to have a way to validate the
> ticket without contacting A for this to work.
>
> ...
>
As you said, the DMZ service needs a way to verify the ticket without
any other information. That might be possible by modifying the ticket
generator. Instead of random text, make the ticket an encrypted message
that the CAS client can decrypt and verify without needing to contact
the server. But, this makes a whole new set of problems to solve.
I believe Pubcookie uses a method like that and has addressed most of
the problems. <http://www.pubcookie.org/docs/how-pubcookie-works.html>
John
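The self-validating ticket John describes, as an added example that is not part of this thread or of CAS or Pubcookie code. It assumes a secret shared out of band between the internal ticket generator (A) and the DMZ service (B), and uses an HMAC-authenticated, stdlib-only token instead of encryption (the validator only needs integrity and origin, not secrecy of the user name). It also handles two of the "new set of problems": expiry and single-use replay checking on B. The key, lifetime and service URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumed shared secret between ticket generator and DMZ validator
# (constructed placeholder; a real deployment distributes a strong key out of band).
SHARED_KEY = b"example-shared-key-replace-me"
TICKET_LIFETIME = 300  # seconds a ticket stays valid after issue


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, service: str, key: bytes = SHARED_KEY, now=None) -> str:
    """Side A: mint a ticket bound to one user, one service and a time window."""
    now = int(time.time()) if now is None else now
    payload = {
        "user": user,
        "service": service,          # prevents reuse at a different DMZ host
        "iat": now,
        "exp": now + TICKET_LIFETIME,
        "nonce": _b64e(os.urandom(16)),  # lets B reject replays
    }
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


class TicketValidator:
    """Side B: verify tickets offline, with no call back to the internal network."""

    def __init__(self, service: str, key: bytes = SHARED_KEY):
        self.service = service
        self.key = key
        self.seen = set()  # nonces already accepted (replay cache; needs expiry/sharing in production)

    def validate(self, ticket: str, now=None):
        """Return the user name for a valid ticket, or None."""
        now = int(time.time()) if now is None else now
        try:
            body, tag = ticket.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            # Check the MAC before trusting anything inside the body.
            if not hmac.compare_digest(expected, _b64d(tag)):
                return None
            payload = json.loads(_b64d(body))
            if payload["service"] != self.service:
                return None
            if not (payload["iat"] <= now < payload["exp"]):
                return None
            if payload["nonce"] in self.seen:
                return None  # replayed ticket
            self.seen.add(payload["nonce"])
            return payload["user"]
        except (ValueError, KeyError, TypeError):
            return None


if __name__ == "__main__":
    svc = "https://dmz.example/app"
    t = issue_ticket("alice", svc)
    print(TicketValidator(svc).validate(t))  # alice
```

Because B never contacts A, revocation is limited to the ticket lifetime, and the replay cache must survive restarts and be shared across B's instances; these are the kinds of problems the reply warns about.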