> But both applications /share and /bonita are not https. > Must they?
Not strictly, no, but we _strongly_ recommend that at least the application entry points are accessible over SSL. If you must overcome the default behavior of requiring SSL for transmitting the CASTGC cookie (and thereby enabling SSO over HTTP), do the following: Set secure property of CookieRetrievingCookieGenerator to false. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
