cas proxy
john wu
j_wu_76 at yahoo.com
Tue Nov 18 11:17:06 EST 2008
Thanks David.
That all makes sense now!
--- On Tue, 11/18/08, David Spencer <David.Spencer at bristol.ac.uk> wrote:
> From: David Spencer <David.Spencer at bristol.ac.uk>
> Subject: Re: cas proxy
> To: "Yale CAS mailing list" <cas at tp.its.yale.edu>
> Cc: j_wu_76 at yahoo.com
> Date: Tuesday, November 18, 2008, 9:53 AM
> --On 18 November 2008 06:58 -0800 john wu
> <j_wu_76 at yahoo.com> wrote:
>
> > Thanks a lot!
> >
> > Another question. In this example
> >
> > https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback
> >
> > http://localhost/bling is the back-end service url and
> > https://foo.bar.com/pgtCallback is the url of the service that wishes to
> > proxy a client's authentication to a back-end service
> >
> > Is it correct?
> >
>
> I think the example you're quoting comes from here:
> <http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough>
> which is very much a pedestrian walk through of the steps
> involved in proxying and doesn't have all the pieces of
> the puzzle fully fleshed out.
>
> I can see using pgtUrl=https://foo.bar.com/pgtCallback
> could be confusing as it implies the pgt callback is to a
> different server to the one specified in 'service'
> (and actually implies it's the same as the CAS server,
> which it generally won't be). A more likely URL in a
> real-world situation would be:
>
> https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=https://some.other.host/my_app/bling&pgtUrl=https://some.other.host/my_app/pgtCallback
>
> https://foo.bar.com/is/cas is where the CAS server is
> installed and
> https://some.other.host/my_app is where the application
> using CAS lives.
>
> The service URL is about the original user login and where
> the user is redirected to post-login. The ticket that gets
> generated is tied to that service which is why you need to
> supply the service when you are validating a ticket. The pgtUrl
> is where CAS needs to send the Proxy Granting Ticket.
> Ordinarily, those two parameters would point to different
> URLs within the same application as the user will be
> returned to the service URL with a ticket, the ticket is
> exchanged for a username and a pgtIOU and the pgtIOU can be
> matched against what was sent to the pgtUrl with the PGT.
>
> Clear as mud?
> Dave
>
> ----------------------
> David Spencer
> Information Systems and Computing
> University of Bristol
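
The pgtIOU matching described in the reply above, as an added example that is not part of the original thread or of any CAS client library. The host names come from the thread; the pgtIou/pgtId callback parameters and the XML layout follow the CAS 2.0 protocol, and the class, function names, user name and ticket values are constructed for illustration.

```python
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

CAS = "https://foo.bar.com/is/cas"          # CAS server (from the thread)
APP = "https://some.other.host/my_app"      # application (from the thread)
NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 XML namespace

def validate_url(ticket):
    # service and pgtUrl are two different URLs inside the same application.
    q = urlencode({"ticket": ticket, "service": APP + "/bling",
                   "pgtUrl": APP + "/pgtCallback"})
    return CAS + "/serviceValidate?" + q

class PgtStore:
    """PGTs delivered to pgtUrl, keyed by pgtIou, until validation claims them."""
    def __init__(self, ttl=60):
        self.ttl, self._pending = ttl, {}
    def on_callback(self, callback_url):
        # CAS 2.0 sends the pair as pgtIou / pgtId query parameters.
        q = parse_qs(urlsplit(callback_url).query)
        if "pgtIou" in q and "pgtId" in q:
            self._pending[q["pgtIou"][0]] = (q["pgtId"][0], time.monotonic())

    def claim(self, iou):
        # One-shot: an unknown, reused or stale IOU yields no PGT.
        pgt, seen = self._pending.pop(iou, (None, 0.0))
        return pgt if pgt and time.monotonic() - seen <= self.ttl else None

def parse_validation(xml_text):
    """Return (user, pgtIOU) from a serviceValidate response, else (None, None)."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", NS)
    if ok is None:
        return None, None
    return (ok.findtext("cas:user", namespaces=NS),
            ok.findtext("cas:proxyGrantingTicket", namespaces=NS))

# Constructed sample data, not real tickets.
SAMPLE_CALLBACK = APP + "/pgtCallback?pgtIou=PGTIOU-1-example&pgtId=PGT-1-example"
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jwu</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess></cas:serviceResponse>"""

def demo():
    store = PgtStore()
    store.on_callback(SAMPLE_CALLBACK)   # callback arrives before the XML reply
    user, iou = parse_validation(SAMPLE_RESPONSE)
    return user, store.claim(iou), store.claim(iou)  # second claim must fail
```

The real PGT only ever travels over the pgtUrl callback; the validation response carries just the IOU, so the application holds the PGT server-side and never exposes it to the browser.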