Hi,

We have a setup where we have an "internal" apache server with mod_auth_cas that is fronted by an "external" apache server which handles the HTTPS. It looks like mod_auth_cas is not setting the service parameter the way we want it to, and I'm wondering if this is by design (I suspect it is).

Some details: We access the app with a browser with https://external.server/appName. Behind the scenes, the external proxy has some RewriteRule/ProxyPass directives such that HTTP traffic is routed to http://internal.server:9999/appName. When not CASified, all works well. But when we CASify it, mod_auth_cas tells the browser to redirect to:

https://cas.server/cas/login?service=*http:*//external.server*:9999*/appName

This is causing our CAS server to throw up the "Application Not Authorized" error, as our CAS server administrators have a policy of not accepting services that are not https. And I suspect even if we got past that there would still be an issue, as the external apache does not listen on port 9999.

I'm pretty sure what's happening here is that mod_auth_cas is making some assumptions, wrong in this case, about what the service URL is based on the HOST header and the configuration of the internal apache server.

We have many other apps that run with Tomcat in place of the "internal" apache server, and the CAS client gets around this by specifying a "serverName" parameter in the filter configuration that would force the service parameter in the redirect to at least start with https://external.server/.

I took a quick look at the documentation (but not the source) for mod_auth_cas and didn't see a similar option. Does one exist? If someone submitted a patch which implements such an option, is there any reason why it wouldn't be accepted?

Thanks,
Rich
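The mismatch described in the message above can be reproduced with a small model. This is an added example, not part of the original post and not mod_auth_cas or CAS server code: the function names are hypothetical, and it assumes the backend sees `Host: external.server`, speaks plain HTTP on port 9999, and that the CAS policy is the https-only rule the post mentions.

```python
from urllib.parse import quote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def service_from_request(scheme, host_header, local_port, path):
    """Derive the service URL from what the backend itself observes:
    its own scheme, the hostname in the Host header, its own listening port."""
    hostname = urlsplit("//" + host_header).hostname
    port = "" if DEFAULT_PORTS.get(scheme) == local_port else f":{local_port}"
    return f"{scheme}://{hostname}{port}{path}"


def service_from_root(public_root, path):
    """Derive the service URL from a configured public root (the role the
    post's "serverName" setting plays); only the path comes from the request."""
    root = urlsplit(public_root)
    if root.scheme != "https" or not root.netloc:
        raise ValueError("public root must be an absolute https URL")
    return f"{root.scheme}://{root.netloc}{path}"


def login_redirect(cas_login, service):
    """Build the redirect to CAS with the service URL percent-encoded."""
    return f"{cas_login}?service={quote(service, safe='')}"


def cas_accepts(service):
    """Constructed stand-in for the CAS server's policy: https services only."""
    return urlsplit(service).scheme == "https"


if __name__ == "__main__":
    # Constructed request, mirroring the values in the post.
    derived = service_from_request("http", "external.server", 9999, "/appName")
    pinned = service_from_root("https://external.server", "/appName")
    for label, svc in (("derived", derived), ("pinned", pinned)):
        verdict = "accepted" if cas_accepts(svc) else "Application Not Authorized"
        print(f"{label}: {login_redirect('https://cas.server/cas/login', svc)}")
        print(f"  -> {verdict}")
```

Pinning the public root also keeps the service URL independent of the Host header, so a request with an unexpected Host value cannot change where CAS sends the ticket.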
