[Firstly, any chance list admins could add the actual list posting
address in the welcome email when you subscribe? I subscribed through
the web, and nowhere does it say what the actual list address is. The
list seems to have moved several times in the past year, so I've taken
a guess at the list address... hopefully it is right]
I'm trying to get CAS to work in a reverse proxy configuration. The
setup is:
1) A cas-ified application running on host: app.example.com
2) A reverse proxy (and xslt transform) server running on
external.example.com
3) I don't have control over app.example.com and can't really change
anything on there
4) I have full control of the reverse proxy
5) I have admin login to the CAS server
The reverse proxy (at the moment) has no involvement with CAS itself,
just rewrites requests going back and forth (incl 301 locations).
The situation I have is that when the app sends the 301 redirect back
to direct the browser to the CAS login server, the proxy rewrites the
URL so that the service listed is external.example.com. The user then
authenticates to the CAS server fine and is redirected back to
external.example.com with the ticket.
The problem then occurs that the app in the backend (which is fairly
unaware of the proxy in front) then tries to contact the cas validate
url with the ticket issued to external.example.com but with the
service app.example.com. And of course CAS then fails the
authentication:
2009-08-11 15:51:21,685 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-37-W1ekgiXQW0UpwmZ5azMq-cas] with service [http://external.example.com/secure/WebPortal.aspx?module=117AD0B4-063B-4f05-AAE9-B78104ADDFDF&coll=aa09s202d02j022m0s0odbanana0asd0 does not match supplied service [http://app.example.com/WebPortal.aspx?module=117AD0B4-063B-4f05-AAE9-B78104ADDFDF&coll=aa09s202d02j022m0s0odbanana0asd0]
Which of course makes sense ;)
The question is: Is there anything I can do to get this to work
(without changing app.example.com)? I've read up on the proxy
authentication stuff for CAS and wondering if I can use that in some
way... but not quite sure how exactly (and getting my head in a twist
as it's talking about proxying authentication, not necessarily proxying
HTTP requests)
Another workaround I thought of... although I'm aware it could raise
some security issues.... if a *single* entry in the CAS server matched
both app.example.com and external.example.com would that make CAS
happy and accept a ticket from one for the other?
-Matt
--
Matt Hamilton [email protected]
Netsight Internet Solutions, Ltd. Understand. Develop. Deliver
http://www.netsight.co.uk +44 (0)117 9090901
Web Design | Zope/Plone Development & Consulting | Co-location | Hosting
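The failure Matt describes comes from a single check in CAS: the service string a ticket was issued for must equal the service string presented at validation. The following Python model is an added illustration, not code from the post or from the CAS project. It replays the flow (backend redirect, proxy rewrite of the Location header, login, backend validation) against a toy ticket registry; the CAS login URL cas.example.com, the toy CasServer class and the sample path are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
import secrets

INTERNAL_HOST = "app.example.com"        # the cas-ified backend (from the post)
EXTERNAL_HOST = "external.example.com"   # the reverse proxy's public name (from the post)
CAS_LOGIN = "https://cas.example.com/cas/login"  # hypothetical CAS login URL


class CasServer:
    """Toy model of the CAS service-ticket registry (not the real implementation)."""

    def __init__(self):
        self._tickets = {}   # ticket id -> service URL it was issued for

    def login(self, service):
        """User authenticates; CAS mints a ticket bound to the exact service URL."""
        ticket = "ST-" + secrets.token_urlsafe(12)
        self._tickets[ticket] = service
        return ticket

    def validate(self, ticket, service):
        """Model of /serviceValidate: consume the ticket, then compare the service strings."""
        issued_for = self._tickets.pop(ticket, None)   # service tickets are single use
        if issued_for is None:
            return False, "ticket unknown or already consumed"
        if issued_for != service:
            return False, (f"ServiceTicket [{ticket}] with service [{issued_for}] "
                           f"does not match supplied service [{service}]")
        return True, "ok"


def swap_host(url, old_host, new_host):
    """Replace the host of a URL if it matches old_host; leave other URLs alone."""
    parts = urlsplit(url)
    if parts.hostname != old_host:
        return url
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit(parts._replace(netloc=netloc))


def proxy_rewrite_location(location, old_host, new_host):
    """What the reverse proxy does to a Location header: rewrite the host inside
    the embedded service= parameter so the browser is sent back to the proxy."""
    parts = urlsplit(location)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query = [(k, swap_host(v, old_host, new_host) if k == "service" else v)
             for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(query)))


def app_login_redirect(path_and_query):
    """The backend's redirect to CAS, built from its own (internal) hostname."""
    service = f"http://{INTERNAL_HOST}{path_and_query}"
    return f"{CAS_LOGIN}?{urlencode({'service': service})}"


def run_flow(cas, path_and_query):
    """Replay the sequence from the post and return the validation outcome."""
    # 1. backend redirects to CAS with service=http://app.example.com/...
    location = app_login_redirect(path_and_query)
    # 2. proxy rewrites the redirect so CAS (and the browser) see external.example.com
    location = proxy_rewrite_location(location, INTERNAL_HOST, EXTERNAL_HOST)
    service_seen_by_cas = dict(parse_qsl(urlsplit(location).query))["service"]
    # 3. user logs in; CAS binds the ticket to the rewritten service string
    ticket = cas.login(service_seen_by_cas)
    # 4. backend validates with its own idea of the service URL (proxy not in this path)
    backend_service = f"http://{INTERNAL_HOST}{path_and_query}"
    return cas.validate(ticket, backend_service)


if __name__ == "__main__":
    ok, message = run_flow(CasServer(), "/secure/WebPortal.aspx?module=1")
    print(ok, message)
```

Running it reproduces the shape of the log line in the post: the ticket was bound to the external.example.com service string, the backend validates with app.example.com, and CAS rejects the ticket. The comparison is an exact string match, which is why any difference between the service the browser was sent to CAS with and the service the backend presents at validation (host, scheme, path or query) breaks the flow.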