Dear CAS Experts,

I was experimenting with restricting services that are allowed to get a PGT 
using the services manager. What I was intending to do was to restrict which 
service could act as a proxy (get a PGT) in CAS itself instead of in the CAS 
client. I wanted to do this so that I can set the policy on which services 
can proxy at a central location (CAS) rather than in each CAS client which 
validates the proxy chain.

Another way of putting this was that I wanted to put the restriction on the 
proxy chain into CAS rather than having each CAS client make its own decision.

So rather than having each CAS client configure 
"allowedProxyChains=https://proxy.example.com", I wanted to register 
https://proxy.example.com as a service in the service registry and mark it as 
"allowedToProxy = true" (and disable proxying on other services). Then even if 
the client doesn't check the proxy chain, our central policy applied in CAS 
still takes effect.

However, I discovered that these are actually not equivalent restrictions. 
When CAS calls "isAllowedToProxy" on a service to determine whether or not it 
may get a PGT, it uses the URL of the service in the service ticket, rather 
than using the "callback URL" in pgtUrl. So if the ST was for 
https://proxy.example.com, but the pgtUrl was 
https://notallowedtoproxy.example.com, then CAS would allow the PGT to be sent; 
however, the "equivalently configured" CAS client would not accept PTs from 
this PGT if it was configured to take only 
"allowedProxyChains=https://proxy.example.com".

I wonder if it would make more sense for the "isAllowedToProxy" call to be made 
on the service matching the pgtUrl rather than (or in addition to) checking on 
the service that matches the ST's service. Then CAS and the CAS clients could 
apply similar restrictions, and CAS would be doing some validation of the 
identity of the proxy via its https callback and basing policy decisions on 
that authenticated identity.

Any thoughts from the experts?

David Ohsie
EMC Corporation
Office:   410-358-9554 
Cell:     410-428-8035 
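The following is an added toy model of the policy gap described in the message above; it is not CAS code and not from the original post. The registry entries, ticket values and URLs are constructed, and `allowed_to_proxy`, `cas_issues_pgt_current`, `cas_issues_pgt_proposed` and `client_accepts_proxy_chain` are hypothetical names standing in for the real CAS `isAllowedToProxy` check and the client's `allowedProxyChains` check. It contrasts the current server-side decision (keyed on the service in the ST), the proposed decision (also keyed on the service matching pgtUrl), and the client-side proxy-chain check, so the case where CAS issues a PGT that an "equivalently configured" client would reject is visible.

```python
"""Toy model of CAS proxy policy: ST-service check vs pgtUrl check vs client
allowedProxyChains check. Constructed example, not CAS code."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class RegisteredService:
    service_id: str            # hypothetical: matched by hostname only
    allowed_to_proxy: bool     # stand-in for CAS's isAllowedToProxy()


class ServiceRegistry:
    """Minimal stand-in for the CAS services manager.

    Real CAS matches serviceId patterns; here a service matches a URL when the
    hostnames are equal, which avoids a sloppy string-prefix match that would
    also accept https://proxy.example.com.attacker.test."""

    def __init__(self, services):
        self.services = list(services)

    def find(self, url):
        host = urlsplit(url).hostname
        for svc in self.services:
            if urlsplit(svc.service_id).hostname == host:
                return svc
        return None


def cas_issues_pgt_current(registry, st_service, pgt_url):
    """Current behaviour as described: the policy is keyed on the service
    named in the ST; pgt_url is not consulted at all."""
    svc = registry.find(st_service)
    return svc is not None and svc.allowed_to_proxy


def cas_issues_pgt_proposed(registry, st_service, pgt_url):
    """Proposed behaviour: the service matching pgtUrl must also be allowed to
    proxy, so the callback URL (whose identity CAS verifies over https) is what
    the policy decision is based on."""
    st_svc = registry.find(st_service)
    cb_svc = registry.find(pgt_url)
    return (st_svc is not None and st_svc.allowed_to_proxy
            and cb_svc is not None and cb_svc.allowed_to_proxy)


def client_accepts_proxy_chain(allowed_proxy_chains, proxy_chain):
    """Model of a CAS client's allowedProxyChains check on PT validation.

    proxy_chain is the list of proxy callback URLs (pgtUrls) reported in the
    validation response. An empty chain (no proxying) is accepted; otherwise the
    chain must exactly equal one of the configured allowed chains."""
    if not proxy_chain:
        return True
    return any(list(chain) == list(proxy_chain) for chain in allowed_proxy_chains)


def evaluate(registry, st_service, pgt_url, allowed_proxy_chains):
    """Run all three decisions for one PGT request and return them together."""
    return {
        "cas_current_issues_pgt": cas_issues_pgt_current(registry, st_service, pgt_url),
        "cas_proposed_issues_pgt": cas_issues_pgt_proposed(registry, st_service, pgt_url),
        # the proxy chain a client would later see contains the pgtUrl
        "client_accepts_pt": client_accepts_proxy_chain(allowed_proxy_chains, [pgt_url]),
    }


# Constructed registry: only proxy.example.com is marked allowedToProxy.
REGISTRY = ServiceRegistry([
    RegisteredService("https://proxy.example.com", allowed_to_proxy=True),
    RegisteredService("https://notallowedtoproxy.example.com", allowed_to_proxy=False),
])

# Client configured with allowedProxyChains=https://proxy.example.com
CLIENT_ALLOWED_CHAINS = [["https://proxy.example.com"]]


def mismatch_case():
    """ST is for proxy.example.com but pgtUrl points elsewhere: the case from
    the message where CAS and the client disagree."""
    return evaluate(REGISTRY, "https://proxy.example.com",
                    "https://notallowedtoproxy.example.com", CLIENT_ALLOWED_CHAINS)


def consistent_case():
    """ST service and pgtUrl are the same allowed proxy: everyone agrees."""
    return evaluate(REGISTRY, "https://proxy.example.com",
                    "https://proxy.example.com", CLIENT_ALLOWED_CHAINS)


if __name__ == "__main__":
    for name, result in (("mismatch", mismatch_case()), ("consistent", consistent_case())):
        print(name, result)
```

In the mismatch case the current server-side check issues the PGT while both the proposed check and the client-side chain check refuse, which is the divergence the message points out; in the consistent case all three agree.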



-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user