Hi Andrew,

I did try to set up CAS NTLM but failed. So I set up Liferay with NTLM and
then used CAS as the trusted source for other Java applications.

Hi Marvin,

I agree with you, Marvin. We have to trust the headers. I can also add a
validation code with the request and change the Trusted Authentication
Handler to check the validation code. Let me know if we can do that.

Thanks

On Fri, Jan 27, 2012 at 9:31 PM, Tillinghast, Andrew P. <[email protected]> wrote:

> It seems to me the safer way to handle this is to either enable an NTLM
> solution at the CAS side and then CAS-enable Liferay, or to set up Liferay
> as an OpenID provider and enable OpenID at the CAS side. Other than that
> you risk spoofing via the cookie data.
>
>  -Andrew
>
> On Jan 25, 2012, at 4:18 PM, Vipin Jain wrote:
>
> Thanks Marvin.
>
> Is it required to have only the REMOTE_USER header, or is any other header fine?
>
> How would I configure the cookie for trust authentication? My plan is to
> have the NTLM authentication done on the Liferay side and then create a cookie
> which contains the user's name, and then when anyone else accesses the CAS
> protected Java apps it will read the header variable and automatically
> log in.
>
> If it fails to parse the cookie then it will go to CAS Login Page.
>
> Please let me know.
>
> On Wed, Jan 25, 2012 at 8:12 PM, Marvin Addison <[email protected]> wrote:
>
>> > Is it possible to have a script which can automatically log in to the CAS
>> > Server if we are getting the userid in the header variable?
>>
>> Sure it's possible.  This is typically called "remote user" or trust
>> authentication; see https://wiki.jasig.org/display/CASUM/Trusted for
>> more information.  Warning: you MUST carefully consider the components
>> providing the header such that the following criteria are met:
>>  - There is sufficient assurance that the authorized components are
>> the origin of the information.
>>  - You trust the information itself.
>>
>> Failure to meet the requirements above would reduce the security
>> provided by CAS to incidental at best.
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>

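As an added example (not code from this thread, from Liferay or from CAS), one way to realise the "validation code" Vipin proposes so that a Trusted Authentication Handler can reject a forged REMOTE_USER header or cookie, which is the spoofing risk Andrew and Marvin point out: the side that performed NTLM signs the username and an issue time with a secret shared only with the CAS side, and the handler verifies the signature and freshness before trusting the name. The token format, field separator, secret and lifetime below are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

# Shared secret between the component that sets the trusted header/cookie
# (Liferay after NTLM in the thread) and the CAS-side handler that reads it.
# Constructed placeholder; in deployment it comes from protected configuration.
SHARED_SECRET = b"replace-with-a-long-random-secret"
MAX_AGE_SECONDS = 300  # assumed lifetime; limits replay of a captured token


def _validation_code(user: str, issued_at: int) -> str:
    """HMAC-SHA256 over 'user|issued_at' so neither field can be altered."""
    msg = f"{user}|{issued_at}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_trust_token(user: str, now: Optional[int] = None) -> str:
    """Build 'user|issued_at|code' for the trusted header or cookie."""
    issued_at = int(time.time()) if now is None else now
    return f"{user}|{issued_at}|{_validation_code(user, issued_at)}"


def validate_trust_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the principal if the token is well-formed, fresh and authentic.

    Any failure returns None, which the handler maps to the normal CAS login
    page (the fallback Vipin describes), never to an authenticated session.
    """
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 3:
        return None  # malformed header/cookie
    user, issued_str, code = parts
    if not user or not issued_str.isdigit():
        return None
    issued_at = int(issued_str)
    if not (now - MAX_AGE_SECONDS <= issued_at <= now):
        return None  # stale or future-dated: replayed or clock-skewed token
    if not hmac.compare_digest(code, _validation_code(user, issued_at)):
        return None  # username or time changed, or token made without the secret
    return user
```

A bare `user=admin` value, or a signed token with the username edited, is rejected; the check is only as strong as the confidentiality of the shared secret on both hosts.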