Matching support for proxy URLs is currently in development in the form of a pending pull: https://github.com/Jasig/java-cas-client/pull/66
Hopefully, it will be available with a 3.4.0 release of the client. HTH.

> -----Original Message-----
> From: Carl Waldbieser [mailto:waldb...@lafayette.edu]
> Sent: Monday, April 07, 2014 9:52 AM
> To: cas-dev@lists.jasig.org
> Subject: [cas-dev] Proxy Chain Validation - URL Matching - java cas-client-core
>
> At our institution, our web development team was having an issue getting a Drupal site to use CAS's proxy ticket capabilities. The issue was that the Drupal CAS module (which I believe uses PHPCAS) uses the current URL as the basis for the pgtURL parameter sent to the CAS server during the handshaking used to obtain a PGT. The proxied service (Zimbra) is using the java cas-client-core. The 'allowedProxyChains' setting in the cas-client-core seems to only accept exact string matches. The Drupal site could generate a pgtURL from *any* valid URL on the site, though, so it seemed as though we might end up having to add thousands of entries.
>
> In our development environment, I pulled the latest java-cas-client source from github and changed the ProxyList `contains()` method so it parses the URLs and matches on [protocol, host, port] and I provide a default port of 443 if none is specified. This seems to be working with the URL matching behavior we expect.
>
> I did have a couple concerns though:
> 1) Is there some reason string matching was used rather than URL matching? Was it just easier to implement, or is there something I am missing? E.g. are opaque strings useful as proxy identifiers in some context of which I am not aware?
> 2) Assuming URL matching is a good thing, is there some reason that the remainder of the URL should be considered? I suppose it is possible you could have 2 distinct services running on the same vhost, and one could be allowed to proxy and the other not, but are real services deployed that way in practice?
>
> Any thoughts you had would be appreciated.
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: mmoay...@unicon.net
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
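
The two matching behaviours discussed in this thread, exact string comparison and matching on [protocol, host, port] with a default port of 443, shown side by side as an added example. This is not code from java-cas-client or from the pull request; the class name `ProxyUrlMatchDemo`, its methods and the `example.edu` URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;

public class ProxyUrlMatchDemo {
    // Port assumed when the URL names none, as described in the message above.
    static final int DEFAULT_PORT = 443;

    // Reduce a URL to "scheme://host:port"; null means unparseable and never matches.
    static String origin(String url) {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) return null;
            int port = u.getPort() == -1 ? DEFAULT_PORT : u.getPort();
            return u.getScheme().toLowerCase(Locale.ROOT) + "://"
                    + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Exact string comparison, the behaviour the message reports for allowedProxyChains.
    static boolean exactMatch(List<String> allowed, String pgtUrl) {
        return allowed.contains(pgtUrl);
    }

    // Match on [protocol, host, port] only; path and query are ignored.
    static boolean originMatch(List<String> allowed, String pgtUrl) {
        String candidate = origin(pgtUrl);
        return candidate != null && allowed.stream().anyMatch(e -> candidate.equals(origin(e)));
    }

    public static void main(String[] args) {
        // Constructed sample data: one allowed proxy entry and several callback URLs.
        List<String> allowed = List.of("https://drupal.example.edu/");
        String[] samples = {
            "https://drupal.example.edu/",               // identical string
            "https://drupal.example.edu/node/42?q=mail", // other page on the same site
            "https://drupal.example.edu:443/user/7",     // explicit default port
            "https://drupal.example.edu:8443/node/42",   // different port
            "http://drupal.example.edu/node/42",         // different protocol
            "https://other.example.edu/node/42"          // different host
        };
        for (String s : samples) {
            System.out.printf("%-45s exact=%-5b origin=%b%n", s, exactMatch(allowed, s), originMatch(allowed, s));
        }
    }
}
```

Only the first sample passes the exact comparison, while the first three pass the origin comparison. Because the path is ignored, every application served from an allowed origin is accepted as a proxy, which is the trade-off raised in question 2 of the original message.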