Well... I have read those docs several times but it has not sunk in yet...<SIGH>

So... If I'm starting to understand correctly... I can put aside for the moment 
questions about the cookie that CAS server generates for SSO support since I 
don't need to support SSO (yet) and the cookie does not come into play for a 
single client app authenticating against CAS.

In the CAS 1 arch doc it discusses setting up a JSP to accept the "ticket" 
attribute on the request from CAS, and then I need to invoke the call to 
validate the ticket and inspect the response. Looking at the example given at

http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml

for integrating a client app with the CAS server, it seems to imply that the 
validation filter provided in the CAS client jar will handle this for me. 

Does the validation filter do what I assume it does or do I need to validate 
the ticket in my client code as described in the CAS 1 doc?
  
Finally..., 

After validation the service ticket is removed from the ticket registry. When 
the authenticated user tries to navigate from page A to page B CAS client 
authentication filter sends a new request to CAS server, CAS server verifies 
that the service and netid are ones that it recognizes as current and that the 
user has been authenticated (if yes, how does CAS check this?), CAS server 
generates a new service ticket, CAS sends the new ticket back to the app 
service, CAS client validation filter validates the new ticket, if all is good 
the user is redirected to page B. Is this correct?    


      
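The ticket validation step discussed in the message above (the CAS 1.0 `/validate` call, which answers `yes` plus the netid or `no`), as an added example that is not part of the original message or of the CAS client jar. `ToyCasServer`, the example.edu URLs and the netid `jdoe` are constructed stand-ins so the exchange runs offline.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical URLs, assumed for this example only.
CAS_BASE = "https://cas.example.edu/cas"
SERVICE = "https://app.example.edu/secure/index.jsp"


class ToyCasServer:
    """In-memory stand-in for the CAS server (constructed, not real CAS code)."""

    def __init__(self):
        self.registry = {}  # service ticket -> (service URL, netid)

    def issue_ticket(self, service, netid):
        ticket = "ST-" + secrets.token_hex(8)
        self.registry[ticket] = (service, netid)
        return ticket

    def validate(self, url):
        query = parse_qs(urlsplit(url).query)
        ticket = query.get("ticket", [""])[0]
        service = query.get("service", [""])[0]
        # Single use: the ticket leaves the registry on the first attempt.
        entry = self.registry.pop(ticket, None)
        if entry is None or entry[0] != service:
            return "no\n\n"
        return "yes\n" + entry[1] + "\n"


def build_validate_url(cas_base, service, ticket):
    """URL the client application requests server-side to check a ticket."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/validate?" + query


def parse_cas1_response(body):
    """Return the netid from a CAS 1.0 reply, or None (fail closed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if len(lines) < 2 or lines[0] != "yes":
        return None
    return lines[1].strip() or None


if __name__ == "__main__":
    cas = ToyCasServer()
    url = build_validate_url(CAS_BASE, SERVICE, cas.issue_ticket(SERVICE, "jdoe"))
    print(parse_cas1_response(cas.validate(url)))  # first validation
    print(parse_cas1_response(cas.validate(url)))  # replay of the same ticket
```

The service URL sent to `/validate` has to match the one the ticket was issued for, which is why the toy server compares both before answering `yes`.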