Re: [cas-user] document https-requiring-ness of single sign-on right in the login JSP UI?

Andrew Petro Tue, 21 Jun 2011 09:57:09 -0700

No production CAS instance should be not running over https. Wouldpredicating a message on


! HttpServletRequest.isSecure()

http://download.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#isSecure()<http://download.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#isSecure%28%29>

work? In case where CAS running over insecure channel (http://), showthe SSO-won't-work-because-not-https message, figuring this willinconvenience zero production deployments, all of which will be runningover https. isSecure() should return the correct value even when SSL isbeing offloaded to something fronting the servlet container (is thisenough universally true?)


Andrew



On 06/21/2011 12:38 PM, Marvin Addison wrote:

...
As a compromise, how about one-time messages driven by some kind of
simple logic implemented in code.

M



--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] document https-requiring-ness of single sign-on right in the login JSP UI?

Reply via email to