On 25.07.13 10:22, Michael Wechner wrote:
On 05.07.13 16:26, Marvin S. Addison wrote:
Can you give an example of what you mean with "various policies"?

The CAS service manager ships with the ability to explicitly deny
proxy capability to registered services. We make healthy use of this
feature at Virginia Tech. I'm sure I could invent additional policies
if pressed.

IIUC you control CAS, but you don't control the implementation of the
registered services, right?

In practice you control both, since registered service components are part of the CAS server. In order to implement additional proxy authentication controls, one strategy would be to add additional registered service metadata that is enforced by other CAS components.

Are you referring to services as described in chapter 7 of

http://www.unicon.net/files/cas-server-3-4-11-snapshot-manual.pdf

?

I have started to implement the proxying according to

https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough

and I made it as far as step four, which means I am able to retrieve a "pgt Id", but when asking for the proxy ticket, e.g.

https://127.0.0.1:7443/cas-server-webapp-3.5.2/proxy?pgt=TGT-19-3QQLN7TXfzsiqO21Gq47YtivVYEtJaqBytEqKMeTupyv3XbR4E-cas01.example.org&targetService=TODO

then I receive the following reply from CAS:

<?xml version="1.0" encoding="UTF-8"?><cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
        <cas:proxyFailure code="UNAUTHORIZED_SERVICE">
                UNAUTHORIZED_SERVICE_PROXY
        </cas:proxyFailure>
</cas:serviceResponse>


Is that because I need to register my service "TODO"?

I have now replaced "TODO" with "http://127.0.0.1:8888/another" and now it worked :-)

It seems to me that the error message inside the cas log file is a bit misleading, e.g.

2013-07-25 11:20:51,760 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceManagement: Unauthorized Service Access. Service [TODO] not found in Service Registry.
2013-07-25 11:20:51,760 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: https://localhost:8443/yanel/yanel-website/casProxyCallback
WHAT: TODO
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Thu Jul 25 11:20:51 CEST 2013
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

Should I add an issue for this at

https://github.com/Jasig/cas/

?

Thanks

Michael
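
Added example (not part of the original message and not CAS project code): a client-side parser for the `/proxy` response shown above that returns the proxy ticket or raises with the failure code CAS reported. The names `check_target_service`, `parse_proxy_response` and `ProxyFailure`, the sample success ticket, and the assumption that registered services are identified by http(s) URLs are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Failure body as quoted in the message; success body is constructed.
SAMPLE_FAILURE = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxyFailure code="UNAUTHORIZED_SERVICE">
    UNAUTHORIZED_SERVICE_PROXY
  </cas:proxyFailure>
</cas:serviceResponse>"""
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxySuccess>
    <cas:proxyTicket>PT-1-constructedExampleValue</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""


class ProxyFailure(Exception):
    """Raised when CAS answers /proxy with a proxyFailure element."""
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code
        self.detail = detail


def check_target_service(target_service):
    """Pre-flight check (assumption: services are registered as http(s) URLs)."""
    parts = urlsplit(target_service)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"targetService is not an absolute URL: {target_service!r}")
    return target_service


def parse_proxy_response(xml_text):
    """Return the proxy ticket string, or raise ProxyFailure with CAS's code."""
    # Encode to bytes so the XML declaration's encoding is honoured.
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    ticket = root.find("cas:proxySuccess/cas:proxyTicket", CAS_NS)
    if ticket is not None and ticket.text and ticket.text.strip():
        return ticket.text.strip()
    failure = root.find("cas:proxyFailure", CAS_NS)
    if failure is not None:
        raise ProxyFailure(failure.get("code", "UNKNOWN"), (failure.text or "").strip())
    raise ValueError("response contains neither proxySuccess nor proxyFailure")
```
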
