On Fri, May 7, 2010 at 9:46 AM, Nathan Kopp <[email protected]> wrote: <snip />
>
> Note also that I think this call is unnecessary and therefore slightly
> inefficient.
>

It authenticates the PGT request. It's another set of authentication credentials. You could easily replace it with some other method of authentication (i.e. passing a username/password). The point is that a request for a proxy granting ticket is the same process as requesting a TGT. The default authentication method happens to be checking the cert and that the end point is responding. It's easily swappable with something else.

Cheers,
Scott

> -Nathan
>
> *From:* [email protected] [mailto:[email protected]]
> *Sent:* Friday, May 07, 2010 8:08 AM
> *To:* [email protected]
> *Subject:* Re: [cas-dev] Incomplete Proxy CAS Walkthrough
>
> Whether it makes one or two calls is irrelevant. The fact is it can't call
> back if the chain is invalid and the endpoint isn't up.
>
> Cheers
> Scott
>
> Sent from my Verizon Wireless BlackBerry
> ------------------------------
> *From: *Jonathan Markow <[email protected]>
> *Date: *Fri, 07 May 2010 07:30:46 -0400
> *To: *<[email protected]>
> *Subject: *Re: [cas-dev] Incomplete Proxy CAS Walkthrough
>
> I took the liberty of adding Fredrik's observation as a comment on the page
> he cites below.
> -Jonathan
>
> On Fri, May 7, 2010 at 5:12 AM, Fredrik Norrström <[email protected]> wrote:
>
> Hi,
>
> The otherwise excellent document,
> http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough
> could do with a completion. Before the request made by the CAS server to
> deliver a proxy granting ticket (i.e., with the parameters pgtIou and
> pgtId) the server makes an additional request without any parameters at
> all to which it expects a 200 Ok success answer. Otherwise the GET
> request with parameters is never attempted. I've been bitten by this
> when implementing CAS proxy ticket support in django-cas.
>
> It would probably also be good to emphasize that the request to the
> proxy callback URL is only made if it is protected by SSL with a valid
> certificate that the server can verify, including any necessary
> certificate chain. If the server cannot verify the certificate the call
> to the proxy callback url is never attempted and this can only be
> noticed in the CAS server log files.
>
> I hope someone with update privileges to this document reads this.
>
> Best regards,
> /Fredrik
>
> --
> Fredrik Jönsson Norrström, M.Sc.    Email: [email protected]
> System architect                    Phone: +46 8 790 66 03
> Kungliga tekniska högskolan (KTH)   Mobile: +46 73 595 66 03
> KTH/UF/ITA/Infosys
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
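
The two-request sequence described in the thread, seen from the proxy callback endpoint, as an added example (not code from django-cas or the CAS project). The names `PgtStore` and `handle_proxy_callback` and the 60-second lifetime are assumptions, and serving the URL over SSL with a certificate the CAS server can verify is assumed to be done by the web server in front of this handler.

```python
import threading
import time
from urllib.parse import parse_qs


class PgtStore:
    """Holds pgtIou -> pgtId until the ticket-validating code claims it (hypothetical helper)."""

    def __init__(self, ttl_seconds=60):  # lifetime is an assumed value
        self._ttl = ttl_seconds
        self._items = {}
        self._lock = threading.Lock()

    def put(self, pgt_iou, pgt_id, now=None):
        with self._lock:
            self._items[pgt_iou] = (pgt_id, time.time() if now is None else now)

    def claim(self, pgt_iou, now=None):
        """Return the pgtId exactly once, or None if unknown or older than the TTL."""
        now = time.time() if now is None else now
        with self._lock:
            pgt_id, seen = self._items.pop(pgt_iou, (None, 0.0))
        return pgt_id if pgt_id and now - seen <= self._ttl else None


def handle_proxy_callback(query_string, store):
    """Return (status, body) for one GET to the proxy callback URL."""
    params = parse_qs(query_string, keep_blank_values=True)
    iou = params.get("pgtIou", [])
    pgt = params.get("pgtId", [])
    if not iou and not pgt:
        # First request from the CAS server carries no parameters. It must be
        # answered with 200, otherwise the request with pgtIou and pgtId is
        # never attempted.
        return 200, "ok"
    if len(iou) != 1 or len(pgt) != 1 or not iou[0] or not pgt[0]:
        # One parameter missing, duplicated, or empty: store nothing.
        return 400, "pgtIou and pgtId must each appear exactly once"
    store.put(iou[0], pgt[0])
    return 200, "ok"
```
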
