We have our CAS server set to respond on http but automatically redirect the
user to https.
The one case I've seen of CAS redirecting to http is an issue with the
serviceTicket that I've seen commented on in the past. If a user accesses the
CAS login url and fails to complete the login process before the service ticket
expires (failed logins or just going to get a coffee after the login page has
loaded) then the login will redirect the user to:
http://<cas host>/cas/login/ without a service.
-Andrew
On Sep 30, 2011, at 1:47 PM, Kirk, Matt wrote:
> Hi Andrew,
>
> I think it will be why you are seeing that error. There is a check in the
> default JSP which displays that message if the connection isn't secure:
>
> <c:if test="${not pageContext.request.secure}">
> <div class="errors">
> <p>You are currently accessing CAS over a non-secure connection. Single Sign
> on WILL NOT WORK. In order to have single sign on work, you MUST log in over
> HTTPS.</p>
> </div>
> </c:if>
>
> I have a question for you re the SSL offload though. We're deploying the
> same architecture you describe and I'm having problems today where-by CAS
> (for some reason I've yet to get to the bottom of) is performing a redirect
> back to the login page. The redirect is over HTTP which our load balancers
> are not configured to support and we get and error. So I wanted to ask how
> your architecture would manage a 302 redirect response from CAS back to
> itself which would have a Location header URL starting http:// and not
> https://.
>
> Thanks,
> Matt
>
>
> From: Tillinghast, Andrew P. [[email protected]]
> Sent: 30 September 2011 17:55
> To: [email protected]
> Subject: [cas-user] SSL offload and HTTPS warning?
>
>
> We've updated our CAS to 3.4.10, now in the default login view we get a
> warning "You are currently accessing CAS over a non-secure connection. Single
> Sign on WILL NOT WORK. In order to have single sign on work, you MUST log in
> over HTTPS." But in fact from the client we are connecting via HTTPS, but we
> have the SSL offloaded by the load balancer so the connection from the load
> balancer to CAS isn't HTTPS.
>
> Is this the cause of the error? We don't have that warning in the JSP of our
> custom views and we have no problems with them.
>
>
>
> <image.png>
> Andrew Tillinghast
> Sr. Web Developer
> [email protected]
> 270 Mohegan Avenue
> New London, CT 06320-4196
> Ph:860 439-5265 Fax: 860 439-2871
> P Think before you print
> CONFIDENTIALITY: This email (including any attachments) may contain
> confidential, proprietary and privileged information, and unauthorized
> disclosure or use is prohibited. If you received this email in error, please
> notify the sender and delete this email from your system.
>
>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> Information in this email including any attachments may be privileged,
> confidential and is intended exclusively for the addressee. The views
> expressed may not be official policy, but the personal views of the
> originator. If you have received it in error, please notify the sender by
> return e-mail and delete it from your system. You should not reproduce,
> distribute, store, retransmit, use or disclose its contents to anyone. Please
> note we reserve the right to monitor all e-mail communication through our
> internal and external networks. SKY and the SKY marks are trade marks of
> British Sky Broadcasting Group plc and are used under licence. British Sky
> Broadcasting Limited (Registration No. 2906991), Sky Interactive Limited
> (Registration No. 3554332), Sky-In-Home Service Limited (Registration No.
> 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are
> direct or indirect subsidiaries of British Sky Broadcasting Group plc
> (Registration No. 2247735). All of the companies mentioned in this paragraph
> are incorporated in England and Wales and share the same registered office at
> Grant Way, Isleworth, Middlesex TW7 5QD.
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
