CAS with Load balancer

Scott Battaglia scott.battaglia at gmail.com
Tue Sep 5 08:28:14 EDT 2006


You only need to modify the HttpBasedServiceCredentialsAuthenticationHandler
configuration if you are using Proxying and your client application is over
HTTP (obviously, we don't recommend running them over HTTP).  You would need
to set the requireSecure property to false (but again we don't recommend it
as there is nothing to confirm the validity of the server then).

For the CAS cookies, you would need to look in the cas-servlet.xml for
cookiegenerators and set their "secure" property to false.

-Scott

On 9/4/06, tom tom <j_lalith at yahoo.com> wrote:
>
>
> Can you let me know which configuration you are talking about in item 1 which
> you have stated?
>
> What is meant by item 2? Does it mean we need to change the
> HttpBasedServiceCredentialsAuthenticationHandler in the core CAS, to
> facilitate the HTTP service validate URLs?
>
> We already changed the CAS client to get rid of the HTTP check but need
> clarifications on the above items.
>
> Thanks
>
>
>
> Scott Battaglia-2 wrote:
> >
> > The CAS Server never enforces HTTPS except in two scenarios:
> > 1. By default its cookiegenerators are designed to only send secure
> > cookies
> > (This can be changed in the configuration).
> >
> > 2.  The Proxy callback authentication check is HTTPS (but that can be
> > swapped out).
> >
> > On the other hand, the Yale CAS Client enforces HTTPS in its retrieval of
> > web pages, so you'd have to modify the client to not use HTTPS.
> >
> > -Scott
> >
> > On 9/3/06, tom tom <j_lalith at yahoo.com> wrote:
> >>
> >>
> >> We are using CAS 3.03,
> >>
> >> When CAS is in production with a load balancer (like BigIP), is there a
> >> property setting in CAS, so that we can
> >> enforce HTTP requests from the CAS virtual node on the load balancer to
> >> the actual CAS server (service validate URL)?
> >>
> >> Reason for the above question is...
> >>
> >> Our uPortal web.xml has the following entry. It works OK when requests go
> >> from the actual uPortal instance to the virtual uPortal node on F5, but
> >> when F5 routes to the actual CAS server it is an HTTP hit (as our load
> >> balancer is set up as such).
> >>
> >> I know the service validate URL should be HTTPS, but when CAS is
> >> running with a load balancer with all of the hardware accelerators (also
> >> in a secure network), can't we make the validate URL HTTP?
> >>
> >>
> >> Does com.discursive.cas.extend.client.filter.serviceScheme, which is in
> >> EXTENDED CAS CLIENT, have something to do with this?
> >>
> >> .......
> >>
> >> <param-name>
> >>         edu.yale.its.tp.cas.client.filter.validateUrl
> >> </param-name>
> >> <param-value>
> >>         https://<virtual cas node on load balancer>/cas/serviceValidate
> >> </param-value>
> >>
> >> ..............
> >>
> >>
> >>
> >> Is this something possible? Should this be done another way?
> >>
> >> Thanks
> >> --
> >> View this message in context:
> >> http://www.nabble.com/CAS-with-Load-balancer-tf2213048.html#a6129270
> >> Sent from the CAS Users forum at Nabble.com.
> >>
> >> _______________________________________________
> >> Yale CAS mailing list
> >> cas at tp.its.yale.edu
> >> http://tp.its.yale.edu/mailman/listinfo/cas
> >>
> >
>
> --
> View this message in context: http://www.nabble.com/CAS-with-Load-balancer-tf2213048.html#a6144550
>
> Sent from the CAS Users forum at Nabble.com.
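An added example, not part of the original thread or the CAS project: a small audit script that scans a Spring bean file for the two settings discussed above (requireSecure on the proxy callback handler, and the cookie generators' secure flag) and reports any that have been set to false. The bean ids, the org.example package names and the sample XML are constructed assumptions; cookieSecure is also checked because that is the property name on Spring's own CookieGenerator class.

```python
import xml.etree.ElementTree as ET

# Constructed sample bean file; ids and package names are assumptions.
SAMPLE = """<beans>
  <bean id="proxyHandler"
        class="org.example.HttpBasedServiceCredentialsAuthenticationHandler">
    <property name="requireSecure" value="false"/>
  </bean>
  <bean id="ticketGrantingTicketCookieGenerator" class="org.example.CookieGenerator">
    <property name="secure"><value>false</value></property>
  </bean>
  <bean id="warnCookieGenerator" class="org.example.CookieGenerator">
    <property name="secure" value="true"/>
  </bean>
</beans>"""

# Property names that relax HTTPS enforcement when set to false (compared lowercased).
WATCHED = {"requiresecure", "secure", "cookiesecure"}

def local(tag):
    """Drop an XML namespace prefix so DTD-style and schema-style files both work."""
    return tag.rsplit("}", 1)[-1]

def prop_value(prop):
    """Return a property's value from the value attribute or a nested <value> element."""
    if prop.get("value") is not None:
        return prop.get("value").strip()
    for child in prop:
        if local(child.tag) == "value":
            return (child.text or "").strip()
    return None

def weakened_settings(xml_text):
    """List (bean, property) pairs where a watched property is explicitly false."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean":
            continue
        name = bean.get("id") or bean.get("class", "?")
        for prop in bean:
            if local(prop.tag) != "property":
                continue
            pname = prop.get("name", "")
            if pname.lower() in WATCHED and (prop_value(prop) or "").lower() == "false":
                findings.append((name, pname))
    return findings

if __name__ == "__main__":
    for bean, prop in weakened_settings(SAMPLE):
        print(f"{bean}: {prop}=false (HTTPS enforcement disabled)")
```

Run against cas-servlet.xml and the authentication handler configuration before a deployment, this makes any relaxed setting visible in review rather than leaving it silently in place behind the load balancer.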