Dear CAS Experts,

I was experimenting with restricting services that are allowed to get a PGT using the services manager. What I was intending to do was to restrict which service could act as a proxy (get a PGT) in CAS itself instead of in the CAS client. I wanted to do this so that I can set the policy on which services can proxy at a central location (CAS) rather than in each CAS client which validates the proxy chain.

Another way of putting this was that I wanted to put the restriction on the proxy chain into CAS rather than having each CAS client make its own decision. So rather than having each CAS client configure "allowedProxyChains=https://proxy.example.com", I wanted to register https://proxy.example.com as a service in the service registry and mark it as "allowedToProxy = true" (and disable proxying on other services). Then even if the client doesn't check the proxy chain, our central policy applied in CAS still takes effect.

However, I discovered that these are actually not equivalent restrictions. When CAS calls "isAllowedToProxy" on a service to determine whether or not it may get a PGT, it uses the URL of the service in the service ticket, rather than using the "callback URL" in pgtUrl. So if the ST was for https://proxy.example.com, but the pgtUrl was https://notallowedtoproxy.example.com, then CAS would allow the PGT to be sent; however, the "equivalently configured" CAS client would not accept PTs from this PGT if it was configured to take only "allowedProxyChains=https://proxy.example.com".

I wonder if it would make more sense for the "isAllowedToProxy" call to be made on the service matching the pgtUrl rather than (or in addition to) checking on the service that matches the ST's service. Then CAS and the CAS clients could apply similar restrictions, and CAS would be doing some validation of the identity of the proxy via its https callback and basing policy decisions on that authenticated identity.

Any thoughts from the experts?

David Ohsie
EMC Corporation
Office: 410-358-9554
Cell: 410-428-8035

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
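The mismatch the post describes, as an added illustration that is not part of the original message or of the CAS code base: a simplified model of the service registry in which the server-side PGT decision is keyed on the service ticket's service (the behaviour described above), a variant that additionally keys it on the service matching pgtUrl (the proposal above), and the client-side allowedProxyChains check. The registry entries, function names and the `allowed_to_proxy` flag are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class RegisteredService:
    service_id: str        # URL prefix the service is registered under
    allowed_to_proxy: bool  # the "allowedToProxy" policy flag from the post


# Constructed registry: only proxy.example.com is allowed to obtain a PGT.
REGISTRY = [
    RegisteredService("https://proxy.example.com", True),
    RegisteredService("https://notallowedtoproxy.example.com", False),
    RegisteredService("https://app.example.com", False),
]


def find_service(url):
    """Match a URL to a registered service by prefix (simplified matching)."""
    return next((s for s in REGISTRY if url.startswith(s.service_id)), None)


def server_grants_pgt_current(st_service, pgt_url):
    """Behaviour described in the post: the policy is looked up for the
    service named in the ST; pgtUrl only has to be an https callback."""
    svc = find_service(st_service)
    return (svc is not None and svc.allowed_to_proxy
            and urlparse(pgt_url).scheme == "https")


def server_grants_pgt_proposed(st_service, pgt_url):
    """Proposed variant: in addition, the service matching pgtUrl (the
    identity CAS actually authenticates via the callback) must be allowed."""
    if not server_grants_pgt_current(st_service, pgt_url):
        return False
    callback_svc = find_service(pgt_url)
    return callback_svc is not None and callback_svc.allowed_to_proxy


def client_accepts_proxy_chain(proxy_chain, allowed_proxy_chains):
    """CAS-client side: every pgtUrl in the proxy chain of a validated PT
    must be covered by allowedProxyChains."""
    return all(any(p.startswith(a) for a in allowed_proxy_chains)
               for p in proxy_chain)


if __name__ == "__main__":
    st, cb = "https://proxy.example.com/login", "https://notallowedtoproxy.example.com/pgtCallback"
    print("server (current) grants PGT:", server_grants_pgt_current(st, cb))
    print("client accepts chain:", client_accepts_proxy_chain([cb], ["https://proxy.example.com"]))
    print("server (proposed) grants PGT:", server_grants_pgt_proposed(st, cb))
```

With the constructed registry, the current server-side rule grants the PGT while a client configured with allowedProxyChains=https://proxy.example.com rejects the resulting PT; the proposed rule denies the PGT, bringing the two decisions into agreement.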
