I think I see. So CAS Proxying is like aliasing. User authenticates against CAS and with CAS proxy the client thinks the user is someone else. Important for database access kind of things, but not preferred behavior with most web applications where you want the user who authenticated to be used for authorizations.

-perry

-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Friday, March 20, 2009 8:21 AM
To: [email protected]
Subject: Re: [cas-user] Configure CAS and SSL

> Oh interesting. When is it appropriate/not necessary to use the
> proxyCallbackUrl?

It's necessary and appropriate only in the case where you want your CAS client to authenticate other services on the user's behalf -- this is the CAS proxy feature.

> I thought that was how your client apps knew the ticket is valid.

The client knows the ticket is valid by sending a message to the server. In the proxy case, the server additionally sends a message to the client at the callback URL. There are few requirements for the proxy URL to validate correctly:

- Must be https scheme
- The cert on the client must be trusted by the server
- Client must return a 200 HTTP response

It is entirely possible for a proxying CAS client to authenticate properly (validate its service ticket) and fail proxy ticket validation (fail to get PGTIOU).

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
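
Added example (not part of the original messages and not code from the CAS project): a Python sketch that tells apart the two outcomes described in the thread, a service ticket that validates with and without a PGTIOU. The function name `diagnose`, the sample responses and the callback URL are constructed for illustration; the element names and namespace follow the CAS 2.0 validation response format.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

def diagnose(validation_xml, proxy_callback_url=None):
    """Return (status, user, detail) for a CAS 2.0 validation response.

    status: 'st_invalid'    service ticket rejected
            'authenticated' ticket valid, no proxying requested
            'proxy_ready'   ticket valid and a PGTIOU was returned
            'proxy_failed'  ticket valid but no PGTIOU was returned
    """
    root = ET.fromstring(validation_xml)
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        return ("st_invalid", None, failure.get("code"))
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        return ("st_invalid", None, "unrecognised response")
    user = success.findtext("cas:user", "", NS).strip()
    if proxy_callback_url is None:
        return ("authenticated", user, None)
    pgtiou = success.findtext("cas:proxyGrantingTicket", "", NS).strip()
    if pgtiou:
        return ("proxy_ready", user, pgtiou)
    # Only the scheme can be checked locally; the other two requirements
    # (server trusts the client cert, callback answers 200) need a live probe.
    if urlsplit(proxy_callback_url).scheme.lower() != "https":
        return ("proxy_failed", user, "callback URL is not https")
    return ("proxy_failed", user, "check cert trust and callback HTTP status")

def _sample(body):  # constructed sample responses, not captured traffic
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            + body + "</cas:serviceResponse>")

ST_ONLY = _sample("<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
                  "</cas:authenticationSuccess>")
WITH_PGT = _sample("<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
                   "<cas:proxyGrantingTicket>PGTIOU-1-constructed"
                   "</cas:proxyGrantingTicket></cas:authenticationSuccess>")
REJECTED = _sample("<cas:authenticationFailure code='INVALID_TICKET'>"
                   "constructed failure</cas:authenticationFailure>")

if __name__ == "__main__":
    cb = "https://app.example.org/proxyCallback"  # hypothetical callback URL
    for name, xml in (("ST_ONLY", ST_ONLY), ("WITH_PGT", WITH_PGT), ("REJECTED", REJECTED)):
        print(name, diagnose(xml, cb))
```

In the `proxy_failed` case the user is still authenticated; only requests for proxy tickets will fail, which is why the two conditions are worth logging separately.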
