Hello,
Perhaps we should add a special page in the wiki to show how to
configure CAS with Apache + mod_jk?
IMHO, the issue is due to misconfiguration of the Apache front-end (which
should *always* redirect http to https when a client is accessing CAS).
In my organization, we're using two Apache front-ends with one CAS
server; only https is allowed to access CAS services, http access is
always redirected to https, and it has been working fine for a while :-)
Rgds.
On 08/12/2011 20:41, Marvin Addison wrote:
Should I file a bug in JIRA on this?
I agree this behavior is unhelpful, but all evidence suggests it's an
edge case configuration that would even allow access to /logout over
http. We strongly recommend deploying CAS on SSL. If anything I
would favor adding a security constraint to the default web.xml to
require a secure connection and add a comment to that effect so that
deployers have to work against best practice to experience this
behavior.
Other opinions on how to address this?
M
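
The security constraint proposed in the quoted message, written out as an added example; it is a constructed fragment, not taken from the CAS project's own web.xml or from either poster. The resource name is a made-up label, and the note about Tomcat assumes the Apache + mod_jk deployment described in the thread.

```xml
<!-- Added example: constructed fragment for the CAS webapp's
     WEB-INF/web.xml, placed inside the <web-app> element. -->
<security-constraint>
  <web-resource-collection>
    <!-- Free-form label, chosen here for illustration. -->
    <web-resource-name>CAS over SSL only</web-resource-name>
    <!-- /* covers every CAS endpoint, including /login and /logout. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- No <auth-constraint>: the container does not authenticate anyone,
       it only enforces the transport requirement below. -->
  <user-data-constraint>
    <!-- CONFIDENTIAL: requests that did not arrive over a secure
         transport are redirected to https or refused by the container. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Assumption: Tomcat behind Apache via mod_jk. Tomcat builds the https
     redirect from the connector's redirectPort attribute in server.xml,
     so that value has to match the port on which the Apache front-end
     serves https. -->
```

With this in place the http-to-https redirect on the Apache front-end remains the first line of enforcement, and the constraint catches any request that reaches the servlet container over plain http anyway.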