Ok, but checking the cert is in reality done before any request,
regardless of parameters, and whether there is something responding at
that URL regardless of parameters. I can't really see any additional
value given by the request without parameters in this regard.

In fact, as far as I can see there is absolutely nothing in section
2.5.4 of http://www.jasig.org/cas/protocol either indicating that there
is an additional request without parameters to which I have to respond.
It only states that the certificate and host are validated before any PGT
is issued, which could be done in a single request with parameters,
since the TLS negotiation is done before the actual request is made.

Neither can I find any indication that I'm able to replace it with another
form of authentication without breaking the protocol.

This does not really matter, but the behavior should most definitely be
documented, especially if it has any deeper meaning as you suggest.

Best regards,
/Fredrik

On Fri, 2010-05-07 at 18:54 +0200, Scott Battaglia wrote:
> I explained why it occurs.  It's an authentication request. *You* can
> choose to replace it with some other form of authentication if you'd
> like.
> 
> 
> On Fri, May 7, 2010 at 12:40 PM, Fredrik Norrström <[email protected]> wrote:
>         I think the point is that the undocumented request without any
>         parameters at all, to which we are required to respond with
>         200 OK for the server to actually make the documented request
>         with the PGT, is pointless and therefore slightly inefficient.
>         
>         I happen to agree with this, unless there is some reason for
>         this additional, undocumented, request which escapes me.
>         
>         Best regards,
>         /Fredrik Jönsson Norrström
>         
>         On Fri, 2010-05-07 at 16:56 +0200, Scott Battaglia wrote:
>         > On Fri, May 7, 2010 at 9:46 AM, Nathan Kopp <[email protected]>
>         > wrote:
>         > <snip />
>         >
>         >         Note also that I think this call is unnecessary and
>         >         therefore slightly inefficient.
>         >
>         > It authenticates the PGT request.  It's another set of
>         > authentication credentials.  You could easily replace it with
>         > some other method of authentication (i.e. passing a
>         > username/password).  The point is that a request for a proxy
>         > granting ticket is the same process as requesting a TGT.  The
>         > default authentication method happens to be checking the cert
>         > and that the end point is responding.  It's easily swappable
>         > with something else.
>         >
>         > Cheers,
>         > Scott
>         
>         --
>         You are currently subscribed to [email protected] as:
>         [email protected]
>         To unsubscribe, change settings or access archives, see
>         http://www.ja-sig.org/wiki/display/JSG/cas-dev
>         
> 



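The two callback requests discussed in this thread, seen from the service side, as an added example that is not part of the original messages or of the CAS project's code: a handler that answers the parameterless request with 200 and only stores a proxy-granting ticket when the parameterised request arrives. The `pgtId` and `pgtIou` parameter names come from the CAS protocol; the class and method names, the 400 response for malformed input and the sample ticket values are assumptions of this sketch.

```python
from urllib.parse import urlsplit, parse_qs


class ProxyCallback:
    """Service-side logic for the pgtUrl endpoint (hypothetical helper)."""

    def __init__(self):
        # pgtIou -> pgtId, held until the proxy validation response is matched
        self.pgt_by_iou = {}

    def handle(self, request_target):
        """Return the HTTP status for a GET on the callback URL."""
        query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
        if not query:
            # The parameterless request from the thread: the server only
            # wants to see the endpoint answer over TLS. Store nothing.
            return 200
        pgt_id = query.get("pgtId", [])
        pgt_iou = query.get("pgtIou", [])
        # Require exactly one non-empty value for each parameter
        # (assumption of this example: anything else is answered with 400).
        if len(pgt_id) != 1 or len(pgt_iou) != 1 or not pgt_id[0] or not pgt_iou[0]:
            return 400
        self.pgt_by_iou[pgt_iou[0]] = pgt_id[0]
        return 200

    def redeem(self, pgt_iou):
        """Exchange the pgtIou from the validation response for the PGT, once."""
        return self.pgt_by_iou.pop(pgt_iou, None)


if __name__ == "__main__":
    cb = ProxyCallback()
    # Constructed sample requests, in the order the thread describes them.
    print(cb.handle("/proxyCallback"))
    print(cb.handle("/proxyCallback?pgtIou=PGTIOU-1-constructed&pgtId=PGT-1-constructed"))
    print(cb.redeem("PGTIOU-1-constructed"))
```
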