cas proxy
David Spencer
David.Spencer at bristol.ac.uk
Tue Nov 18 10:53:36 EST 2008
--On 18 November 2008 06:58 -0800 john wu <j_wu_76 at yahoo.com> wrote:
> Thanks a lot!
>
> Another question. In this example
> https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS
> &service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback
>
> http://localhost/bling is the back-end service url and
> https://foo.bar.com/pgtCallback is the url of the service that wishes to
> proxy a client's authentication to a back-end service
>
> Is it correct?
>
I think the example you're quoting comes from here:
<http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough>
which is very much a pedestrian walk-through of the steps involved in proxying
and doesn't have all the pieces of the puzzle fully fleshed out.

I can see using pgtUrl=https://foo.bar.com/pgtCallback could be confusing as it
implies the pgt callback is to a different server to the one specified in
'service' (and actually implies it's the same as the CAS server, which it
generally won't be). A more likely URL in a real-world situation would be:

https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=https://some.other.host/my_app/bling&pgtUrl=https://some.other.host/my_app/pgtCallback

https://foo.bar.com/is/cas is where the CAS server is installed and
https://some.other.host/my_app is where the application using CAS lives.

The service URL is about the original user login and where the user is
redirected to post-login. The ticket that gets generated is tied to that
service, which is why you need to supply the service when you're validating a
ticket. The pgtUrl is where CAS needs to send the Proxy Granting Ticket.

Ordinarily, those two parameters would point to different URLs within the same
application as the user will be returned to the service URL with a ticket, the
ticket is exchanged for a username and a pgtIOU and the pgtIOU can be matched
against what was sent to the pgtUrl with the PGT.

Clear as mud?
Dave
----------------------
David Spencer
Information Systems and Computing
University of Bristol
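
The flow described in the reply above, as an added example that is not part of the original post: a Python sketch of the application side, which builds the serviceValidate URL, records the PGT that CAS sends to the pgtUrl callback, and matches it against the pgtIOU returned by validation. The function and class names, the sample response and the `PGTIOU-1-constructed` / `PGT-1-constructed` values are constructed for illustration; the `pgtIou`/`pgtId` callback parameters, the HTTPS requirement on pgtUrl and the XML namespace follow the CAS 2.0 protocol.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

def build_validate_url(cas_base, ticket, service, pgt_url):
    """Build the serviceValidate URL; service must be the URL used at login."""
    if urlsplit(pgt_url).scheme != "https":
        raise ValueError("pgtUrl must be an HTTPS URL")
    query = urlencode({"ticket": ticket, "service": service, "pgtUrl": pgt_url})
    return f"{cas_base}/serviceValidate?{query}"

class PgtStore:
    """Holds PGTs that CAS delivered to the pgtUrl callback, keyed by pgtIou."""
    def __init__(self):
        self._pending = {}

    def on_callback(self, query_string):
        params = parse_qs(query_string)
        # A callback hit without both parameters carries no PGT; ignore it.
        if "pgtIou" in params and "pgtId" in params:
            self._pending[params["pgtIou"][0]] = params["pgtId"][0]

    def claim(self, pgt_iou):
        # One-shot lookup: a pgtIou can be exchanged for its PGT only once.
        return self._pending.pop(pgt_iou, None)

def parse_validation(xml_text):
    """Return (user, pgtIou) on success, (None, None) on failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        return None, None
    return (ok.findtext("cas:user", namespaces=CAS_NS),
            ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS))

# Constructed sample of a successful serviceValidate response.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jwu</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

def demo():
    store = PgtStore()
    store.on_callback("pgtIou=PGTIOU-1-constructed&pgtId=PGT-1-constructed")
    user, iou = parse_validation(SAMPLE_RESPONSE)
    return user, store.claim(iou), store.claim(iou)
```

The validation response only ever carries the pgtIOU; the PGT itself arrives solely at the callback, which is why the two have to be joined inside the application.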