Oddity with mod_cas and redirects to https
Phillip Ames
phillip.ames at uconn.edu
Tue Aug 14 16:39:11 EDT 2007
Hi Dallas,
Mod_auth_cas actually constructs the service URL based on what the current
request is, so it should safely preserve HTTP/HTTPS. If it doesn't, let me
know and I will take a look.
-Phil
On 8/14/07 11:49 AM, "Dallas Wisehaupt" <dallas.wisehaupt at scranton.edu>
wrote:
> Heh.... Of course right after I posted this, I dug into the code and
> found out that this appears to be "by design". We had the config setting
> CASLocalCacheInsecure set to OFF, which apparently redirects all
> requests to the CAS server with the service=https://. If we set it to
> ON, it will send all requests as http://.
>
> That will fix the problem that we are seeing since it allows the http
> requests through, but it creates an additional bother for those sites
> that are https. Now we will get (as far as I can tell):
> https request
> CAS picks up and sends to CAS server as http
> back to CAS client with CAS Ticket and http
> CAS validate on the http
> Apache sees http so rewrites to https
> CAS validate on the rewrite to https
>
> This isn't ideal, but works for our scheme. If only there was a way to
> have the best of both worlds. Perhaps I'll check out the new
> mod_auth_cas.
>
> Dallas
>