Overlooking my unnatural situation below, the user did this:

Logged into CAS successfully and received a popup informing him that he
was about to leave a secure site.  He answered no, returning to the
CAS login.  He erased the password and changed the username, pressed
enter again.  He received the dialog again, and accepted that he was
leaving HTTPS for HTTP.  He saw his app and wondered why?

I don't see this as a real problem.  "HE" truly authenticated and CAS
knows that he is the principal in this situation.

thoughts?

David

On 10/23/08, David Whitehurst <[EMAIL PROTECTED]> wrote:
> I started a CAS implementation for various Java apps and the Java side
> was directed to move to a split (presentation/business/data layer)
> application architecture.  CAS was hosted on the same JBoss as the
> presentation server at first.  Next, Apache was added and
> mod_proxy_ajp with JBoss.  Some time later it was determined that CAS
> should be isolated from the application (presentation and business)
> servers altogether.  The CAS machine registers services that appear to
> be on the same server because Apache reverse proxy is used to hide the
> true application URLs.
>
> Certificates are used 1) for Apache to host HTTPS and 2) for JBoss and
> CAS to talk to an Active Directory (LDAPS) server.  I was not given
> the requirement to host HTTPS with the applications themselves, but
> it's unnatural to just hide users and passwords within CAS and then
> answer a popup that you are being redirected to an unsecure site.
> Even though I have no present requirement, I've added a certificate to
> a Tomcat keystore for the application JBoss (no Apache there) and
> things didn't work.  I expect that I can resolve the problem but I
> wanted to ask if anyone has encountered these problems? And, would you
> recommend that reverse proxy not be used?
>
> David
>
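The browser warning the thread describes fires because the CAS login page is served over HTTPS while the service URL it redirects to is plain HTTP. The usual remedy in the setup the thread describes (Apache terminating TLS, mod_proxy_ajp to JBoss) is to publish the application itself over HTTPS at the proxy, so the service URL registered with CAS is an https:// URL and the redirect never crosses to HTTP. The following Apache httpd configuration is an added illustration written for this thread, not configuration from the original posts; the hostnames, certificate paths, context path and AJP port are assumed placeholders.

```apache
# Added example (assumed values): Apache in front of JBoss via mod_proxy_ajp,
# serving the application over HTTPS so the CAS service URL is https://.
# Requires mod_ssl, mod_proxy, mod_proxy_ajp, mod_rewrite and mod_headers.

# Plain HTTP: do not serve the application here, redirect to HTTPS so that
# CAS is never asked to redirect a ticket to an http:// service URL.
<VirtualHost *:80>
    ServerName app.example.org          # assumed hostname
    RewriteEngine On
    RewriteRule ^/(.*)$ https://app.example.org/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.org          # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/app.example.org.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/app.example.org.key # assumed path

    # Tell the browser to stay on HTTPS for this host on later visits.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy to the JBoss AJP connector (assumed host/port).
    # ProxyPreserveHost keeps the public hostname so the web application
    # builds its CAS service URL with https://app.example.org, not the
    # internal backend address.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        /myapp ajp://jboss-backend.internal:8009/myapp
    ProxyPassReverse /myapp ajp://jboss-backend.internal:8009/myapp
</VirtualHost>
```

With this in place, the service URL that CAS records and redirects to is the proxy's https:// address, so the "leaving a secure site" dialog does not appear, and the application still needs no certificate of its own on JBoss. The AJP connector carries the original scheme and client address to JBoss, so the application sees the request as HTTPS when it constructs its CAS service parameter.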
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
