Alrighty, thanks!

Now for a question that is probably asked a lot.. about HTTPS and SSL
certificates.

 

Right now I am running a server internally in my companies network with
the ip 10.47.8.12(provided if needed in any settings) and I have
followed every single guide I have found to make it work with tomcat and
ssl but no luck. Here is what I have done, hopefully there is some basic
error :-)

First of all, which one of these to folder should be set to be my
JRE_HOME folder? 

-          /usr/lib/jvm/java-1.5.0

-          /usr/lib/jvm/java-1.5.0-sun-1.5.0.11

 

I follow the guide
http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html but my main issue
is with the server.xml file of which I am not really sure how to
configure. When I open my own server.xml it looks like this:

<!-- Define a SSL HTTP/1.1 Connector on port 8443

         This connector uses the JSSE configuration, when using APR, the

         connector should be using the OpenSSL style configuration

         described in the APR documentation -->

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS" />

 

I have for example no className and is unsure if this is something that
has to be added. Is there anything else in server.xml that has to be
changed when you don't change the keystore path when you create the
certificate?

 

When I perform the steps on the ssl-howto I don't get any error messages
but when I try to access https://10.47.8.12:8443
<https://10.47.8.12:8443/>  there is just nothing there. The port 8080
on http works like a charm both for the CAS page and the Tomcat page but
nothing on the https port 8443 attempt.

 

Thank you in advance!

 

Christian Haugen

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Andrew Petro
Sent: 20. juni 2007 16:27
To: Yale CAS mailing list
Subject: On implementing per-service authorization rules within CAS

 

> Is this possible to do with CAS

Yes.

One way you could accomplish your requirements would be to add a new
flow action to the CAS login flow.  After the authentication bit, a flow
action would do the callback you describe, and shunt the flow to a
suitable "You are not worthy" user experience if the user isn't
authorized.


Traditionally, CAS is about authentication, not authorization.  Lack of
authorization to use service A shouldn't, to my way of thinking, prevent
a user from authenticating, establishing single sign on.  Application
A's unwillingness to service a given user is application A's problem,
and its user experience to provide, rather than CAS's.

Why arrest me during the CAS login workflow, interrupt my single sign on
experience, after I've already done all the work of presenting valid
credentials?

Instead, I would handle this requirement at application A, having it
validate the service ticket, complete the authentication step, and then
apply authorization  logic, supplying its own "You are not authorized"
user experience.  Details of that experience may differ significantly
from application to application. 

*Why* am I not authorized?  ("You are not permitted to register for
courses at this time as there is an immunization hold on your account.
Please click *here* to learn more about account holds and to learn steps
to resolve this issue.")  

*What* am I still authorized to do?  ("I'm sorry, you are not a
Cooperative Support subscriber at this time.  If you believe our records
are in error, please call us at 1-800-XXX-XXX.  In the meantime, you are
welcome to browse the public content of this site, including knowledge
base articles and a description of the premium support program.")

As application complexity increases, authorization grows beyond a
boolean to a matter of roles and privileges.  I'd look to Acegi, GAP, or
the like to help me implement authorization and authorization user
experiences within applications rather than within CAS.

But you can extend CAS to do this if you want to.

Andrew

Christian Haugen wrote: 

Hi!

 

I have a general question about CAS and was hoping to get an answer
before I invest too much time in something that may not work. I am
planning on using CAS as a server that authenticates its user to two
separate web services residing on different servers. Here is my
scenario:

 

I have two web applications, A and B that have different user databases.
I want to set up a CAS server that has the following functionality:

- When you go to A or B's log on page you immediately get redirected to
the CAS log on page. This log on page will be a simple page with just
the logon functionality. If Bob for example want to connect to A and
thus get redirected to the   

  CAS log on page I want the CAS server to send Bob's log on information
to server A for approval. If this information is correct then I want Bob
to be redirected to A but also gain access to B, and vice versa. 

 

I have seen the information on
http://www.ja-sig.org/wiki/display/CAS/Using+CAS+without+the+CAS+login+s
creen but as far as I can understand from the guide it still lets the
CAS server do the authorization. I have a loginsystem in place on server
A that I wish to use so that the CAS server simply sends the login info
to A and A replies with granted/not granted access. 

 

Is this possible to do with CAS and is there more information about such
a setup online?

 

Thank you in advance, my regards

 

Christian Haugen

 



________________________________



 
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
  

 

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas

Reply via email to