CAS, acegi security and SSL issues

javaee at open-v.com
Fri Jan 5 08:02:52 EST 2007


CAS 3.0.6 should be able to run perfectly fine without any modifications in a non-secure environment (though we don't recommend transmitting passwords over non-SSL connections since they are passed in plaintext).

Hi, Scott Battaglia

Regarding the above: if SSL is not used, can the web SSO session work OK? As far as I know, the TGC (CASTGC cookie) will not be transferred to the CAS server. If I still want to use web SSO without SSL, should the cookieSecure of the following CookieGenerators be false?

 <bean id="warnCookieGenerator" class="org.springframework.web.util.CookieGenerator">
  <property name="cookieSecure" value="true" />
  <property name="cookieMaxAge" value="-1" />
  <property name="cookieName" value="CASPRIVACY" />
  <property name="cookiePath" value="/cas" />
 </bean>
 
 <bean id="ticketGrantingTicketCookieGenerator"
  class="org.springframework.web.util.CookieGenerator">
  <property name="cookieSecure" value="true" />
  <property name="cookieMaxAge" value="-1" />
  <property name="cookieName" value="CASTGC" />
  <property name="cookiePath" value="/cas" />
 </bean>

Thanks a lot.



  ----- Original Message ----- 
  From: Scott Battaglia 
  To: Yale CAS mailing list 
  Sent: Friday, January 05, 2007 8:42 PM
  Subject: Re: CAS, acegi security and SSL issues


  CAS 3.0.6 should be able to run perfectly fine without any modifications in a non-secure environment (though we don't recommend transmitting passwords over non-SSL connections since they are passed in plaintext).

  However, the most recent versions of Acegi use the Yale Java Client (not the newer JA-SIG Client) which hardcodes a requirement for SSL within the SecureURL.java file.  This would need to be modified and then re-compiled. 

  -Scott


  On 1/5/07, Obel.Volker.ext at deutsche-boerse.com <Obel.Volker.ext at deutsche-boerse.com> wrote:

    Hello all, 

    I am currently dealing with the integration of an Acegi-secured web application and CAS 3.06.

    No proxy validation is needed.

    No SSL should be used in any traffic between the web application and the CAS server, because both servers are located in a DMZ and are not visible outside. Network admins don't allow SSL there.

    Does anybody have ideas or out-of-the-box configurations, or at least some hints or documentation?

    Many thanks 

    Volker 

    _______________________________________________
    Yale CAS mailing list
    cas at tp.its.yale.edu
    http://tp.its.yale.edu/mailman/listinfo/cas
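
An added example, not part of the original messages or of CAS: it loads the two CookieGenerator beans quoted above and checks which cookies a standards-following HTTP client returns to /cas/login over https and over http. Python's http.cookiejar stands in for the browser; the host name cas.example.org, the cookie value and the <beans> wrapper are constructed, and cookieMaxAge is left out because it does not affect the result.

```python
import http.cookiejar
import urllib.request
import xml.etree.ElementTree as ET

CAS_HOST = "cas.example.org"  # hypothetical host name (assumption)

# The two beans quoted in the thread, inside a constructed <beans> wrapper.
BEANS_XML = """<beans>
 <bean id="warnCookieGenerator" class="org.springframework.web.util.CookieGenerator">
  <property name="cookieSecure" value="true" />
  <property name="cookieName" value="CASPRIVACY" />
  <property name="cookiePath" value="/cas" />
 </bean>
 <bean id="ticketGrantingTicketCookieGenerator" class="org.springframework.web.util.CookieGenerator">
  <property name="cookieSecure" value="true" />
  <property name="cookieName" value="CASTGC" />
  <property name="cookiePath" value="/cas" />
 </bean>
</beans>"""


def load_generators(xml_text):
    """Map cookieName -> {property name: value} for each CookieGenerator bean."""
    gens = {}
    for bean in ET.fromstring(xml_text).iter("bean"):
        if bean.get("class", "").endswith(".CookieGenerator"):
            props = {p.get("name"): p.get("value") for p in bean.iter("property")}
            gens[props["cookieName"]] = props
    return gens


def cookies_returned(scheme, gens):
    """Names of the cookies the client sends back to /cas/login over `scheme`."""
    jar = http.cookiejar.CookieJar()
    for name, p in gens.items():
        jar.set_cookie(http.cookiejar.Cookie(
            0, name, "constructed-value", None, False, CAS_HOST, False, False,
            p["cookiePath"], True, p["cookieSecure"] == "true",
            None, True, None, None, {}))
    req = urllib.request.Request(f"{scheme}://{CAS_HOST}/cas/login")
    jar.add_cookie_header(req)  # applies the Secure, domain and path rules
    header = req.get_header("Cookie") or ""
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


if __name__ == "__main__":
    gens = load_generators(BEANS_XML)
    for scheme in ("https", "http"):
        print(scheme, cookies_returned(scheme, gens))
```

With the beans as quoted, both cookies are returned over https and neither over http, so the CASTGC cookie cannot resume a single sign-on session on a plain-HTTP deployment while cookieSecure is true.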