I agree. The bug is in the mod_auth_cas Apache module, not the CAS server.
Use case similar to our setup:
------------------------------------------
Let's say different departments in a company have their own custom portal as follows:
- marketing.company.com
- engr.company.com
- finance.company.com
- intranet.company.com
...

And the SSO implementation allows login using the corporate ldap portal.

Is there a problem with using both subdomains and domains with CAS? Am I missing something related to best practices around domain/subdomains and CAS?

Stan

On Mon, Jun 13, 2011 at 11:17 AM, Scott Battaglia <[email protected]> wrote:
> There's no bug with the CAS server with respect to subdomains. All CAS
> clients are required to read their host names from configuration and not
> from Host headers, as using host headers introduces a security risk since
> it's controlled by users.
> I know that info doesn't actually help you :-) Can you describe your use
> case a bit more on why you're using a CAS client to work with both a domain
> and subdomain? I admit it's probably a use case we haven't encountered
> before.
> Cheers,
> Scott
>
> On Mon, Jun 13, 2011 at 11:11 AM, stan santiago <[email protected]> wrote:
>>
>> Greetings Folks,
>>
>> I'm unable to get CAS working with subdomains. I see there is a bug
>> filed for this issue:
>> https://issues.jasig.org/browse/CAS-980
>>
>> Anyone else run into this and find any workarounds for this issue?
>>
>> My environment:
>> -----------------------
>> - OS: CentOS 5.5 64 bit
>> - Apache Module: Mod_auth_cas 1.0.9.1 setup on Apache 2
>> - CAS Server 3.4.7
>>
>> TEST URLs:
>> ------------------
>> 1. Accessing http://test.com redirects to
>>
>> https://my.casserver.com:8443/cas-server-webapp-3.4.7/login?service=http://platformsystems.com/
>> 2. Accessing http://host1.test.com redirects to exactly the same URL
>> above. The "host1" subdomain is stripped off during redirection to CAS
>> server.
>>
>> Apache httpd.conf
>> --------------------------
>>
>> # Use name-based virtual hosting.
>> NameVirtualHost *:80
>>
>> <VirtualHost *:80>
>>
>> DocumentRoot /var/www/html
>> ServerName test.com
>> ServerAlias *.test.com
>>
>> LoadModule auth_cas_module modules/mod_auth_cas.so
>>
>> # Cookie path must be given as an absolute path with a trailing slash
>> CASCookiePath /var/run/mod_auth_cas/
>>
>> # Certificate path may be a file or a directory of certificates symlinked by
>> # their hashed names
>> CASCertificatePath /etc/ssl/certs
>> CASValidateServer Off
>> CASDebug On
>>
>> # The URL to the CAS server
>> CASLoginURL https://my.casserver.com:8443/cas-server-webapp-3.4.7/login
>> CASValidateURL https://my.casserver.com:8443/cas-server-webapp-3.4.7/serviceValidate
>> CASProxyValidateURL https://my.casserver.com:8443/cas-server-webapp-3.4.7/proxyValidate
>>
>> </VirtualHost>
>>
>> ...
>>
>> <Directory "/var/www/html">
>>
>> Options Indexes FollowSymLinks
>>
>> AuthType CAS
>> AuthName "MY CAS"
>> require valid-user
>>
>> Order allow,deny
>> Allow from all
>>
>> </Directory>
>>
>> ...
>>
>> Thanks,
>> Stan
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
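
The rule quoted above (a CAS client takes its host name from configuration, never from the Host header) can still serve several departmental portals if the header is only used to select among configured names. The following is an added example, not code from this thread or from mod_auth_cas; the portal names come from the use case above, and `DEFAULT_HOST`, `canonical_host` and `login_redirect` are hypothetical names.

```python
from urllib.parse import urlencode

# Login URL as shown in the quoted httpd.conf; portal names from the use case.
CAS_LOGIN_URL = "https://my.casserver.com:8443/cas-server-webapp-3.4.7/login"
CONFIGURED_HOSTS = frozenset({
    "marketing.company.com",
    "engr.company.com",
    "finance.company.com",
    "intranet.company.com",
})
DEFAULT_HOST = "intranet.company.com"  # hypothetical fallback portal


def canonical_host(host_header):
    """Map a client-supplied Host header onto a configured name.

    The header only selects among names the operator configured; its raw
    value is never copied into the service URL.
    """
    if not host_header:
        return DEFAULT_HOST
    # Drop an optional port, a trailing dot and case differences.
    name = host_header.strip().partition(":")[0].rstrip(".").lower()
    return name if name in CONFIGURED_HOSTS else DEFAULT_HOST


def login_redirect(host_header, path="/", scheme="http"):
    """Build the CAS login redirect for a request to one of the portals."""
    # A path that does not start with "/" could turn the host into userinfo
    # (http://engr.company.com@other.example/), so refuse it.
    if not path.startswith("/"):
        raise ValueError("request path must start with '/'")
    service = f"{scheme}://{canonical_host(host_header)}{path}"
    return f"{CAS_LOGIN_URL}?{urlencode({'service': service})}"


if __name__ == "__main__":
    # Constructed sample Host headers: two configured names, one unknown.
    for sample in ("engr.company.com", "FINANCE.company.com:80", "other.example"):
        print(sample, "->", login_redirect(sample))
```
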
