At our institution, our web development team was having an issue getting a Drupal site to use CAS's proxy ticket capabilities. The issue was that the Drupal CAS module (which I believe uses PHPCAS) uses the current URL as the basis for the pgtURL parameter sent to the CAS server during the handshaking used to obtain a PGT. The proxied service (Zimbra) is using the java cas-client-core. The 'allowedProxyChains' setting in the cas-client-core seems to only accept exact string matches. The Drupal site could generate a pgtURL from *any* valid URL on the site, though, so it seemed as though we might end up having to add thousands of entries.
In our development environment, I pulled the latest java-cas-client source from github and changed the ProxyList `contains()` method so it parses the URLs and matches on [protocol, host, port], and I provide a default port of 443 if none is specified. This seems to be working with the URL matching behavior we expect. I did have a couple of concerns though:

1) Is there some reason string matching was used rather than URL matching? Was it just easier to implement, or is there something I am missing? E.g. are opaque strings useful as proxy identifiers in some context of which I am not aware?

2) Assuming URL matching is a good thing, is there some reason that the remainder of the URL should be considered? I suppose it is possible you could have 2 distinct services running on the same vhost, and one could be allowed to proxy and the other not, but are real services deployed that way in practice?

Any thoughts you had would be appreciated.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

--
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
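The matching change described in the post, written out as an added, self-contained example. This is not the poster's patch and not java-cas-client code: the class name `UrlProxyList`, the `contains(String[])` signature and the sample URLs are assumptions chosen to illustrate the idea. Each allowed chain entry and each element of the proxy chain reported by the CAS server is reduced to `scheme://host:port` (scheme and host lower-cased, a missing port filled in from the scheme) before comparison, so any path or query on the Drupal vhost matches a single configured entry, while a different host, port, scheme or chain length still fails:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Hypothetical stand-in for a ProxyList whose entries are matched on
 * [scheme, host, port] instead of as exact strings. Example code only,
 * not taken from java-cas-client.
 */
public final class UrlProxyList {

    /** Allowed proxy chains, each in the order the CAS server reports them. */
    private final List<String[]> allowedChains = new ArrayList<>();

    public UrlProxyList(List<String[]> chains) {
        for (String[] chain : chains) {
            allowedChains.add(chain.clone());
        }
    }

    /**
     * Reduce a pgtUrl / proxy identifier to "scheme://host:port".
     * Scheme and host are case-insensitive (RFC 3986), so lower-case them.
     * A missing port is filled from the scheme: 443 for https (the default
     * the post describes), 80 for http. Anything else yields null, which
     * never matches.
     */
    static String canonicalOrigin(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return null; // unparseable entries never match anything
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return null;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (port == -1) {
            if ("https".equals(scheme)) {
                port = 443;
            } else if ("http".equals(scheme)) {
                port = 80;
            } else {
                return null; // no default port for other schemes
            }
        }
        return scheme + "://" + host + ":" + port;
    }

    static boolean sameOrigin(String a, String b) {
        String ca = canonicalOrigin(a);
        String cb = canonicalOrigin(b);
        return ca != null && ca.equals(cb);
    }

    /** True if the reported proxy chain matches an allowed chain element by element. */
    public boolean contains(String[] proxiedAuthentications) {
        for (String[] allowed : allowedChains) {
            if (allowed.length != proxiedAuthentications.length) {
                continue;
            }
            boolean all = true;
            for (int i = 0; i < allowed.length; i++) {
                if (!sameOrigin(allowed[i], proxiedAuthentications[i])) {
                    all = false;
                    break;
                }
            }
            if (all) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed configuration: one Drupal vhost is allowed to proxy to us.
        // (Built explicitly rather than via Arrays.asList, which would flatten a String[] into a List<String>.)
        List<String[]> chains = new ArrayList<>();
        chains.add(new String[] { "https://www.example.edu/" });
        UrlProxyList list = new UrlProxyList(chains);

        // Exact string matching would reject these; origin matching accepts them.
        System.out.println(list.contains(new String[] { "https://www.example.edu/node/42?foo=1" }));        // true
        System.out.println(list.contains(new String[] { "HTTPS://WWW.EXAMPLE.EDU:443/casproxycallback" }));  // true

        // Still rejected: different scheme, port, or chain length.
        System.out.println(list.contains(new String[] { "http://www.example.edu/" }));                       // false
        System.out.println(list.contains(new String[] { "https://www.example.edu:8443/" }));                 // false
        System.out.println(list.contains(new String[] { "https://www.example.edu/", "https://other.example.edu/" })); // false
    }
}
```

The trade-off raised in question 2 is visible in `canonicalOrigin`: the path is discarded, so two applications sharing one vhost (say, one under `/drupal/` and one under `/other/`) become indistinguishable to the proxy check, and the less trusted one inherits the proxy right of the other. If that deployment shape matters, keep a path prefix in the canonical form instead of dropping it. It is also worth checking whether the installed client version already accepts regular expressions in `allowedProxyChains` before carrying a local patch; later 3.x releases do, as far as I know.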