I disagree about this being irrelevant. I wrote a CAS client that only
responded with a success if the required parameters were included, and
instead responded with something in the 400 range ("client error") if
the required parameters were not included. This worked perfectly well
with CAS 2.x, but when we upgraded to 3.x (which added the extra, and
IMHO unnecessary, HTTP call) it quit working, since my client didn't
return the required but undocumented 200 success.
To me (and apparently also to other developers), it makes perfect sense
to return something other than 200 if the required parameters are not
included. Therefore, I agree with Fredrik that it should be documented
that 200 OK is required for accessing the proxy callback URL without
parameters.
Note also that I think this call is unnecessary and therefore slightly
inefficient.
-Nathan
From: [email protected] [mailto:[email protected]]
Sent: Friday, May 07, 2010 8:08 AM
To: [email protected]
Subject: Re: [cas-dev] Incomplete Proxy CAS Walkthrough
Whether it makes one or two calls is irrelevant. The fact is it can't
call back if the chain is invalid and the endpoint isn't up.
Cheers
Scott
Sent from my Verizon Wireless BlackBerry
________________________________
From: Jonathan Markow <[email protected]>
Date: Fri, 07 May 2010 07:30:46 -0400
To: <[email protected]>
Subject: Re: [cas-dev] Incomplete Proxy CAS Walkthrough
I took the liberty of adding Fredrik's observation as a comment on the
page he cites below.
-Jonathan
On Fri, May 7, 2010 at 5:12 AM, Fredrik Norrstrm <[email protected]> wrote:
Hi,
The otherwise excellent document,
http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough
could do with a completion. Before the request made by the CAS server to
deliver a proxy granting ticket (i.e, with the parameters pgtIou and
pgtId) the server makes an addtional request without any parameters at
all to which it exepects a 200 Ok success answer. Otherwise the GET
request with parameters is never attempted. I've been bitten by this
when implementing CAS proxy ticket support in django-cas.
It would probably also be good to emphasize that the request to the
proxy callback URL is only made if it is protected by SSL with a valid
certificate that the server can verify, including any necessary
certificate chain. If the server cannot verify the certificate the call
to the proxy callback url is never attempted and this can only be
noticed in the CAS server log files.
I hope someone with update privileges to this document reads this.
Best regards,
/Fredrik
--
Fredrik Jnsson Norrstrm, M.Sc. Email: [email protected]
System architect Phone: +46 8 790 66 03
Kungliga tekniska hgskolan (KTH) Mobile: +46 73 595 66 03
KTH/UF/ITA/Infosys
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev
