Hi Marvin
Thanks very much for your explanation.
Can you give an example of what you mean with "various policies"?
I understand the concerns that the proxy client must be able to trust
the proxy chain, but if I maintain or rather am responsible for both
applications (proxy requestor and consumer), then I wouldn't have to
worry about this.
Well, I guess I better get started implementing it as it is ;-)
Thanks
Michael
On 05.07.13 14:25, Marvin S. Addison wrote:
>> and start to slowly understand how proxying works, but I still don't
>> understand why it has to be so complicated?
>
> Andrew Petro is our resident expert on proxying, so I'm sure he could
> provide a thoughtful answer. I'll take a shot, though, for what it's
> worth.
>
>> Why isn't it possible to forward the service ticket to another
>> application and allow this other application to validate this service
>> ticket a second (or third or ...) time?
>
> Because we want CAS to broker the interaction between proxy requestor
> and proxy consumer. With CAS in the middle we have the opportunity to
> enforce various policies with regard to proxy chaining. In your
> example there's no explicit control over who handles the proxy ticket
> and no trusted authority to document the handlers. CAS acts as a broker
> to control and record those interactions so, if proxying is allowed by
> policy, clients can trust the proxy chain and choose to accept or deny
> it.
>
> M
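As an added illustration of the kind of policy discussed in this thread (not part of any message above, and not code from the CAS project): a proxy consumer can read the `<cas:proxies>` list that a CAS 2.0 `/proxyValidate` success response carries and accept only chains it has listed. The host names, the allow-list and the function names are constructed for the example, and the response is assumed to have been fetched by the service itself from the CAS server over verified TLS.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed policy: each tuple is one complete proxy chain this service
# accepts, most recent proxy first (the order CAS lists them in).
ALLOWED_CHAINS = {("https://portal.example.org/pgtCallback",)}

def proxy_chain(response_xml):
    """Return (user, chain) for a success response, or None on failure."""
    root = ET.fromstring(response_xml)
    ok = root.find("cas:authenticationSuccess", NS)
    if ok is None:
        return None
    user = ok.findtext("cas:user", default="", namespaces=NS).strip()
    chain = tuple((p.text or "").strip()
                  for p in ok.findall("cas:proxies/cas:proxy", NS))
    return user, chain

def accept(response_xml, allowed=ALLOWED_CHAINS):
    """Return the user for a direct login or an allowed chain, else None."""
    parsed = proxy_chain(response_xml)
    if parsed is None or not parsed[0]:
        return None
    user, chain = parsed
    if chain and chain not in allowed:
        return None  # proxied through a chain the policy does not list
    return user

def sample(proxies):
    """Build a constructed proxyValidate success response for the demo."""
    items = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies)
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            "<cas:authenticationSuccess><cas:user>michael</cas:user>"
            f"<cas:proxies>{items}</cas:proxies>"
            "</cas:authenticationSuccess></cas:serviceResponse>")

VIA_PORTAL = sample(["https://portal.example.org/pgtCallback"])
VIA_UNKNOWN = sample(["https://other.example.net/pgtCallback",
                      "https://portal.example.org/pgtCallback"])
FAILURE = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
           '<cas:authenticationFailure code="INVALID_TICKET">not recognized'
           "</cas:authenticationFailure></cas:serviceResponse>")

if __name__ == "__main__":
    for name, xml in [("portal", VIA_PORTAL), ("unknown", VIA_UNKNOWN),
                      ("failure", FAILURE)]:
        print(name, "->", accept(xml))
```

The whole chain is compared, so a listed proxy reached through an unlisted one is still denied.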