> Does anyone know if any of these mod_cas issues were addressed in the
> mod_auth_cas implementation?

All of these concerns still hold.

> Anyone have any idea if it is even possible to address these issues given
> the CAS architecture and hence why there was a cautionary note on MOD_CAS?

This is the great question. Given the redirect required for CAS
authentication, content where the browser is not expecting a redirect
(CSS, images, scripts, etc.), protecting this data with m-a-c is difficult.

But, if you can ensure that authentication happens first, then access to
this data will not need further redirection for authentication. This is a
fairly common setup anyway -- you protect a directory containing your app
and all content, and the first call to the directory triggers the
authentication. Only upon the return from the CAS server are the CSS, JS,
images, etc. loaded, without need for further redirection.

The real problem comes from deep-linking or deep-bookmarking. If
CSS/JS/images/frame-content are protected by m-a-c, and called into before
authentication occurs (linked from a non-protected page, or bookmarked
directly), funky things can happen.

HTH,
-Matt

Thung, Peter C CIV SPAWAR SSC PAC, 56340 wrote:
> In regards to the following:
>
> mod_auth_cas
> http://www.ja-sig.org/wiki/display/CASC/mod_auth_cas
>
> mod_cas
> http://www.ja-sig.org/wiki/display/CASC/MOD_CAS
>
> After reading the description of the two I came across this in regards
> to the mod_cas client.
>
> When not to use MOD_CAS
> (Per Scott Lundgren's email).
>
> - mod_cas should not be used with pages that use frames
> - directories of image files should be moved out from under mod_cas
>   protection because browsers (IE 6 & Firefox 1.06) do not know how to
>   handle the redirects for the requests for images embedded in an HTML page
> - directories of CSS files should be moved out from under mod_cas
>   protection for the same reasons
> - mod_cas cannot be used with server generated images where scripts return
>   an image stream
>
> In our particular website, it does use frames and does have embedded
> images in HTML pages.
> Apparently it does not have any issues using regular Basic
> Authentication using the built-in mod_auth directive.
>
> Does anyone know if any of these mod_cas issues were addressed in the
> mod_auth_cas implementation?
>
> Anyone have any idea if it is even possible to address these issues given
> the CAS architecture and hence why there was a cautionary note on MOD_CAS?
>
> Thanks.
>
> -Peter
>
> ******************************************************************
> Peter Thung
> SPAWAR Systems Center PACIFIC (Code 56340)
> Netcentric ISR Development
> Software Developer
> Primary: (619) 553-6513
> Secondary:(619) 553-0777
> ******************************************************************

--
Matthew J. Smith
University of Connecticut ITS
[email protected]
PGP KeyID: 0xE9C5244E
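
An added example, not part of the original thread: a log check for the deep-link case described in the reply above, listing protected CSS/JS/image requests that were answered with a redirect and whether they arrived from an unprotected page or with no Referer (a bookmark). The combined log format, the `/app/` prefix, the extension list, the reading of a 302 as the CAS redirect, and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions, not from the thread: Apache "combined" log format, the
# CAS-protected tree is /app/, and a 302 on an asset there is the CAS redirect.
PROTECTED_PREFIX = "/app/"
ASSET_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico")
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Feb/2009:10:00:01 -0500] "GET /app/ HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2009:10:00:03 -0500] "GET /app/?ticket=ST-constructed HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2009:10:00:03 -0500] "GET /app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Feb/2009:10:00:04 -0500] "GET /app/css/site.css HTTP/1.1" 200 812 "https://www.example.edu/app/" "Mozilla/5.0"
192.0.2.44 - - [24/Feb/2009:10:05:00 -0500] "GET /app/css/site.css HTTP/1.1" 302 - "http://www.example.edu/public/index.html" "Mozilla/5.0"
192.0.2.77 - - [24/Feb/2009:10:06:00 -0500] "GET /app/img/chart.png HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""


def origin(referer):
    """Classify where the request came from, using the Referer header."""
    path = urlsplit(referer).path if referer not in ("", "-") else ""
    if not path:
        return "direct"  # bookmark or typed URL: no Referer sent
    return "protected-page" if path.startswith(PROTECTED_PREFIX) else "unprotected-page"


def redirected_assets(log_text):
    """Return (asset path, origin) for each protected asset answered with a 302."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["status"] != "302":
            continue
        path = urlsplit(m["path"]).path
        if path.startswith(PROTECTED_PREFIX) and path.lower().endswith(ASSET_EXT):
            findings.append((path, origin(m["referer"])))
    return findings


if __name__ == "__main__":
    for path, src in redirected_assets(SAMPLE_LOG):
        print(f"{src:16} {path}")
```

The initial 302 on `/app/` itself is the expected first-call authentication and is deliberately not reported; only subresources are.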
