Alrighty, thanks! Now for a question that is probably asked a lot.. about HTTPS and SSL certificates.
Right now I am running a server internally in my companies network with the ip 10.47.8.12(provided if needed in any settings) and I have followed every single guide I have found to make it work with tomcat and ssl but no luck. Here is what I have done, hopefully there is some basic error :-) First of all, which one of these to folder should be set to be my JRE_HOME folder? - /usr/lib/jvm/java-1.5.0 - /usr/lib/jvm/java-1.5.0-sun-1.5.0.11 I follow the guide http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html but my main issue is with the server.xml file of which I am not really sure how to configure. When I open my own server.xml it looks like this: <!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" /> I have for example no className and is unsure if this is something that has to be added. Is there anything else in server.xml that has to be changed when you don't change the keystore path when you create the certificate? When I perform the steps on the ssl-howto I don't get any error messages but when I try to access https://10.47.8.12:8443 <https://10.47.8.12:8443/> there is just nothing there. The port 8080 on http works like a charm both for the CAS page and the Tomcat page but nothing on the https port 8443 attempt. Thank you in advance! Christian Haugen ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Petro Sent: 20. juni 2007 16:27 To: Yale CAS mailing list Subject: On implementing per-service authorization rules within CAS > Is this possible to do with CAS Yes. One way you could accomplish your requirements would be to add a new flow action to the CAS login flow. After the authentication bit, a flow action would do the callback you describe, and shunt the flow to a suitable "You are not worthy" user experience if the user isn't authorized. Traditionally, CAS is about authentication, not authorization. Lack of authorization to use service A shouldn't, to my way of thinking, prevent a user from authenticating, establishing single sign on. Application A's unwillingness to service a given user is application A's problem, and its user experience to provide, rather than CAS's. Why arrest me during the CAS login workflow, interrupt my single sign on experience, after I've already done all the work of presenting valid credentials? Instead, I would handle this requirement at application A, having it validate the service ticket, complete the authentication step, and then apply authorization logic, supplying its own "You are not authorized" user experience. Details of that experience may differ significantly from application to application. *Why* am I not authorized? ("You are not permitted to register for courses at this time as there is an immunization hold on your account. Please click *here* to learn more about account holds and to learn steps to resolve this issue.") *What* am I still authorized to do? ("I'm sorry, you are not a Cooperative Support subscriber at this time. If you believe our records are in error, please call us at 1-800-XXX-XXX. In the meantime, you are welcome to browse the public content of this site, including knowledge base articles and a description of the premium support program.") As application complexity increases, authorization grows beyond a boolean to a matter of roles and privileges. I'd look to Acegi, GAP, or the like to help me implement authorization and authorization user experiences within applications rather than within CAS. But you can extend CAS to do this if you want to. Andrew Christian Haugen wrote: Hi! I have a general question about CAS and was hoping to get an answer before I invest too much time in something that may not work. I am planning on using CAS as a server that authenticates its user to two separate web services residing on different servers. Here is my scenario: I have two web applications, A and B that have different user databases. I want to set up a CAS server that has the following functionality: - When you go to A or B's log on page you immediately get redirected to the CAS log on page. This log on page will be a simple page with just the logon functionality. If Bob for example want to connect to A and thus get redirected to the CAS log on page I want the CAS server to send Bob's log on information to server A for approval. If this information is correct then I want Bob to be redirected to A but also gain access to B, and vice versa. I have seen the information on http://www.ja-sig.org/wiki/display/CAS/Using+CAS+without+the+CAS+login+s creen but as far as I can understand from the guide it still lets the CAS server do the authorization. I have a loginsystem in place on server A that I wish to use so that the CAS server simply sends the login info to A and A replies with granted/not granted access. Is this possible to do with CAS and is there more information about such a setup online? Thank you in advance, my regards Christian Haugen ________________________________ _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
