What that page doesn't say is how to correctly secure CAS to prevent exploiting the trust. I think that the /cas/login endpoint needs to be secured, but /cas/validate, /cas/serviceValidate, or /cas/proxyValidate should not.
Since I haven't actually worked with this type of deployment, I may be off on some of the details.
Adam

rrakesh wrote:
Any help please in understanding this?
Thanks
RR

rrakesh wrote:
I came across a link from the CASUM (http://www.ja-sig.org/wiki/display/CASUM/Trusted). I did not understand the purpose of this. After reading through this page, it does seem like the cassified web application can authenticate the user and then forward the request to the CAS and then CAS generates the ticket for the user service requested. Is this right? If so, on the client side (cassified web application side), what changes do we need to make? Please provide or point me to some pointers.
Thanks
RR
