+1 from me. In general, the default login page is a balance of demonstrating best practices and providing useful information to deployers. I'm not saying we always get the balance right, of course... ;-)
On Tue, Jun 21, 2011 at 12:56 PM, Andrew Petro <[email protected]> wrote: > No production CAS instance should be not running over https. Would > predicating a message on > > ! HttpServletRequest.isSecure() > > http://download.oracle.com/**javaee/6/api/javax/servlet/** > ServletRequest.html#isSecure()<http://download.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#isSecure()>< > http://download.oracle.com/**javaee/6/api/javax/servlet/** > ServletRequest.html#isSecure%**28%29<http://download.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#isSecure%28%29> > > > > work? In case where CAS running over insecure channel (http://), show the > SSO-won't-work-because-not-**https message, figuring this will > inconvenience zero production deployments, all of which will be running over > https. isSecure() should return the correct value even when SSL is being > offloaded to something fronting the servlet container (is this enough > universally true?) > > Andrew > > > > On 06/21/2011 12:38 PM, Marvin Addison wrote: > >> ... >> >> As a compromise, how about one-time messages driven by some kind of >> simple logic implemented in code. >> >> M >> >> > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/**display/JSG/cas-user<http://www.ja-sig.org/wiki/display/JSG/cas-user> > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
