Https for validation again
Scott Battaglia
scott.battaglia at gmail.com
Tue Jan 9 11:33:34 EST 2007
CAS does not require SSL and will deploy and accept authentication requests
(though I did forget to mention a configuration change to enable it to send
non-secure cookies to enable SSO... in the cas-servlet.xml change the cookie
generator properties that say secure to false from true). Which server
classes did you have to override to enable it to work without SSL? I
deploy it locally without SSL without issue.
As for the CAS client, the JA-SIG CAS Client for Java does not require SSL,
though the Yale Java Client does (which I mentioned before).
If you are not seeing SSO enabled it's because you are running over non-SSL
ports without telling CAS that you are running over non-SSL ports (it by
default will only send cookies securely...see above). I should state again
that it is highly recommended to run CAS over SSL. Otherwise you are
transmitting passwords, cookies, etc. in plaintext for anyone to see.
The services.xml will not help with your SSO issue (it's a matter of
configuring CAS to transmit insecure cookies which we disable by default for
security reasons). The services portion of CAS is an example of how to
enable service restrictions on the CAS server (i.e. only service X, Y, and Z
can use CAS but not service A). There is no need to bridge from a service
name to a service url as part of what the configuration requires is the service
url (it's the service id). It's easy to turn on (just uncomment the file name
in the web.xml).
Hope that helps.
-Scott
On 1/9/07, Obel.Volker.ext at deutsche-boerse.com <
Obel.Volker.ext at deutsche-boerse.com> wrote:
>
>
> Hello all, Hello Scott,
>
> thanks for your fast answer...
>
> I got it working without https, but be aware, even if HttpClient does
> both, CAS Server and Clients require SSL to work with. So I had to override
> some classes, or make new ones with changed code. CAS requires SSL ! ! ! ! !
> ! , not HttpClient...that's right.
>
>
> In the moment, two Web apps shall do a SSO, I have to log on on both
> applications. After that, it seems to me, that there are all needed tickets,
> but they are available twice, for both services.
> It looks more as 'NOT single sign on'...
>
> You told me, that I have not to use services.xml. Fine. I would like to
> know, for what the hell the file is good anyway, how it works, and how to
> make the bridge from the service name (contactcas) to the url of the service
> url and so on.
>
> Documentation says nothing about it. Perhaps it would solve my problem
> with the second login page...
>
> thank you for your help
>
> regards Volker
>
>
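The cookie behaviour discussed in this message, as an added example that is not part of the original thread or of CAS itself: it models why a ticket-granting cookie marked Secure is never returned over plain HTTP, so each application prompts for login again. The cookie name `CASTGC`, the ticket value, the `/cas` path and the localhost URLs are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample headers (not captured from a real CAS server). The cookie
# name CASTGC, the ticket value and the /cas path are assumptions.
SECURE_TGC = "CASTGC=TGT-1-constructed; Path=/cas; Secure"
INSECURE_TGC = "CASTGC=TGT-1-constructed; Path=/cas"


def cookies_sent_back(set_cookie_header, request_url):
    """Return the cookie names a browser would attach to request_url.

    Applies the two rules relevant here: a cookie marked Secure is only
    returned over https, and the request path must fall under the cookie Path.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    url = urlsplit(request_url)
    req_path = url.path or "/"
    sent = []
    for name, morsel in jar.items():
        cookie_path = (morsel["path"] or "/").rstrip("/")
        path_ok = req_path == cookie_path or req_path.startswith(cookie_path + "/")
        scheme_ok = url.scheme == "https" or not morsel["secure"]
        if path_ok and scheme_ok:
            sent.append(name)
    return sent


def sso_cookie_survives(set_cookie_header, login_url, cookie_name="CASTGC"):
    """True if the next visit to login_url would carry the SSO cookie."""
    return cookie_name in cookies_sent_back(set_cookie_header, login_url)


if __name__ == "__main__":
    for header in (SECURE_TGC, INSECURE_TGC):
        for url in ("http://localhost:8080/cas/login",
                    "https://localhost:8443/cas/login"):
            print(f"{header!r:50} {url:36} -> {sso_cookie_survives(header, url)}")
```

The case where the non-Secure cookie is returned over HTTP corresponds to the configuration change described in the message: SSO works, and the cookie travels in plaintext.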