Usual apologies if this is documented somewhere; I have exhausted the usual channels trying to find a solution. We have CAS as part of a web app running inside an AWS subnet along with all the services that need to speak to the CAS server (all using the shiro-cas realm), none of which have public-facing IP addresses; instead there is a NAT box on the subnet which provides external access and load balancers which provide incoming access.
The issue was first that the shiro-cas services try to validate the ticket (after the user has logged in and been redirected to the original service) using the public-facing address, e.g. the user logs in to domain.com/shiro-cas, which redirects and logs in to domain.com/cas, which redirects to domain.com/shiro-cas, which then tries to contact domain.com/cas to validate the ticket. Most of this is fine; however, the last step is what should only be an internal connection, yet it goes out through the NAT box and comes back in through a load balancer.

I was able to alter this so that the final validation step happens on 10.0.0.1/cas (an internal IP) by modifying a value in the CasRealm as part of the Shiro code. However, this leaves me with the issue that, whenever the CAS server tries to speak to the original service, e.g. to notify it of a removed ticket on logout, it has the service registered as domain.com/shiro-cas.

So I guess my question is: is there some configuration (or alternative setup) inside CAS that I can use to have two different addresses, one public-facing for redirecting users and one on the internal network for service communications? This is obviously not a typical case, but I would rather not open up the various firewalls and AWS security groups if I can avoid it.

Cheers,
Mike
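For reference, here is what the split-address client side of this setup looks like in a Shiro INI configuration, as an added illustration that is not part of the original post. It assumes the `casServerUrlPrefix` and `casService` properties of Shiro's `org.apache.shiro.cas.CasRealm`, and the `10.0.0.1` and `domain.com` addresses from the post are used as stand-ins for the real internal and public endpoints.

```ini
# Original, public-only setup: both the user redirect and the
# server-to-server ticket validation go to the public address,
# so validation leaves the subnet via NAT and re-enters via the load balancer.
[main]
casRealm = org.apache.shiro.cas.CasRealm
casRealm.casServerUrlPrefix = https://domain.com/cas
casRealm.casService = https://domain.com/shiro-cas

# Split setup: the realm validates tickets against the internal CAS address
# (never crosses the NAT/load balancer), while the service URL handed to CAS
# for the browser redirect stays public. Note this only fixes the
# client-side validation leg; the CAS server still records the service as
# https://domain.com/shiro-cas and will use that for logout callbacks.
[main]
casRealm = org.apache.shiro.cas.CasRealm
casRealm.casServerUrlPrefix = http://10.0.0.1/cas
casRealm.casService = https://domain.com/shiro-cas
```

Because the validation leg now uses plain HTTP inside the subnet, the internal CAS address should only be reachable from the service hosts, which is what the security-group scoping the post wants to preserve.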