Olivier,

Is it possible not to ask for a PGT on a proxied service?

Yes. Very much so. Asking for a PGT is the infrequent rather than the common configuration.

You shouldn't set acceptAnyProxy unless something else other than the CAS20ProxyReceivingTicketValidationFilter is validating the proxy chain. Accepting any proxy chain without validating that chain anywhere is a way to accidentally allow illicit delegated access to your service, e.g., by any other service using CAS that is able to obtain a PGT. Actually accepting any proxy chain is seldom appropriate -- the acceptAnyProxy feature is more there so that this specific filter will accept any proxy chain, allowing something downstream to (presumably, dynamically rather than statically) scrutinize the chain.

Instead of accepting any proxy, you can use allowedProxyChains to specify explicitly the proxy chains characterizing proxy tickets you mean to be accepting.

If the service running the filter doesn't need to itself obtain and use proxy tickets, then it doesn't need (and shouldn't have) a proxyCallbackUrl and a proxyReceptorUrl. Without a proxyCallbackUrl, the filter won't request a PGT on ticket validation and so your application won't have to cope with receiving one. Without a proxyReceptorUrl, the filter won't be watching to intercept those CAS PGTIO/PGTID callbacks that aren't going to come because without the proxyCallbackUrl they're not requested.

In the case where you don't need proxy granting tickets, you don't need a proxyGrantingTicketStorageClass either.

That's odd that you're seeing log entries when you're trying not to use PGTs. Could you post your web.xml that configures the filter where you're seeing these log entries, sanitized of any passwords or other private information of course? And precisely what version of the Java CAS Client are you seeing this in?

Kind regards,

Andrew

On Jan 6, 2012, at 11:32 AM, Olivier Daroux wrote:

> Hi,
>
> I've got a question about proxy system. Is it possible to not ask for a PGT
> on a proxied service?
>
> I've got an app, protected by java cas filter, using
> CAS20ProxyReceivingTicketValidationFilter, with according params
> (acceptAnyProxy, proxyReceptorUrl and proxyCallbackUrl (never found if the
> two are needed)).
> This app calls a webservice, also protected by cas, accepting a proxy ticket.
> So I set acceptAnyProxy to true.
>
> What I don't know is, if it's possible to not set proxyReceptorUrl and
> proxyCallbackUrl, so that my webservice can't do proxying (because it doesn't
> need it)? When I don't set these params, cas client log shows "Proxy ticket
> not found for []" (from proxygrantingticketStorageImpl).
>
> The goal is to have better performance (no more call from CAS server to WS to
> give PGT), and lesser configuration (no more need of WS server certificate
> into CAS server keystore).
>
> I don't know if I'm understandable :-P
>
> Really appreciate some help.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
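
The configuration advice in the reply above, turned into a small web.xml check. This is an added example, not code from the thread or from the CAS client project. The init-param names are the ones discussed in the thread, the filter's package name is the Java CAS client's, and every host name and URL is a constructed sample value.

```python
import xml.etree.ElementTree as ET

FILTER_SUFFIX = "cas20proxyreceivingticketvalidationfilter"

def local(tag):
    # Drop any "{namespace}" prefix so web.xml with or without xmlns is handled.
    return tag.rsplit("}", 1)[-1]

def text_of(elem, name):
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def audit_web_xml(xml_text):
    """Return (filter-name, finding) pairs for CAS proxy-ticket validation filters."""
    findings = []
    for f in ET.fromstring(xml_text).iter():
        if local(f.tag) != "filter":
            continue
        if not text_of(f, "filter-class").lower().endswith(FILTER_SUFFIX):
            continue
        p = {text_of(i, "param-name"): text_of(i, "param-value")
             for i in f if local(i.tag) == "init-param"}
        name = text_of(f, "filter-name")
        if p.get("acceptAnyProxy", "").lower() == "true":
            findings.append((name, "acceptAnyProxy=true: proxy chain not validated here"))
        if p.get("proxyCallbackUrl"):
            findings.append((name, "proxyCallbackUrl set: a PGT is requested on validation"))
        if p.get("proxyReceptorUrl") and not p.get("proxyCallbackUrl"):
            findings.append((name, "proxyReceptorUrl set but no PGT callback is requested"))
    return findings

def web_xml(params):
    # Build a constructed web.xml fragment; all hosts and URLs below are sample values.
    body = "".join(f"<init-param><param-name>{k}</param-name>"
                   f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return ("<web-app><filter><filter-name>CAS Validation Filter</filter-name>"
            "<filter-class>org.jasig.cas.client.validation."
            "Cas20ProxyReceivingTicketValidationFilter</filter-class>"
            f"{body}</filter></web-app>")

BASE = {"casServerUrlPrefix": "https://cas.example.org/cas",
        "serverName": "https://ws.example.org"}
WEAK = web_xml({**BASE, "acceptAnyProxy": "true",
                "proxyCallbackUrl": "https://ws.example.org/ws/proxyCallback",
                "proxyReceptorUrl": "/proxyCallback"})
HARDENED = web_xml({**BASE,
                    "allowedProxyChains": "https://app.example.org/app/proxyCallback"})

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_web_xml(doc))
```

A finding on proxyCallbackUrl is a review prompt, not an error: it is legitimate on a service that itself obtains proxy tickets.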
