After a few bobbles I finally have it all up and running. The one problem I encountered I will mention here just in case someone else stumbles in the same place.
In the Acegi configuration, there are a number of places where you must provide URL's ... CAS login, proxy validate, service names, proxy retrieval, etc. On my first pass, I went a bit overboard and changed all of the URL's to go through Apache HTTPD (i.e. removed the port 8443). I am using self signed certificates and apparently there are some problems with certificate chains getting propagated properly when you go to Tomcat through mod_jk so I started seeing errors when validating tickets and or trying to deliver proxy tickets (which are very picky about SSL trust issues). Once I changed my configuration to have all 'client visible' URL's go through Apache HTTPD and all the 'behind the scenes' URL's go directly to Tomcat, things started working OK. I'm curious if anyone else has encountered any issues with this. I'm thinking this MIGHT NOT be a problem if I wasn't using self-signed certificates, but I can't be sure. Bill ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia Sent: Tuesday, August 21, 2007 12:26 AM To: Yale CAS mailing list Subject: Re: CAS Behind Apache HTTPD We run CAS and all of our applications behind Apache and have not had any issues. Acegi should be fine as its underlying client is the Yale CAS client. -Scott On 8/17/07, Bill Bailey <[EMAIL PROTECTED]> wrote: Thanks, Matt. That is encouraging since I will probably start setting things up today. I'll hit the list again if I run into more specific questions. Bill -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Matt Sent: Thursday, August 16, 2007 5:02 PM To: Yale CAS mailing list; Yale CAS mailing list Subject: RE: CAS Behind Apache HTTPD Bill- Most of my CAS protected apps are tucked away behind Apache. I've been using the stock Yale Java client for a while, and have recently tried out the JA-SIG client, both with success in this configuration. I have not (yet) tried the Acegi client. Essentially, the mod_jk or mod_proxy_ajp that you are using to forward the requests from Apache to Tomcat's AJP port (generally 8009) just does the *Right Thing* for you as far as URL mapping goes. HTH, -Matt -----Original Message----- From: [EMAIL PROTECTED] on behalf of Bill Bailey Sent: Thu 2007-08-16 16:06 To: Yale CAS mailing list Subject: CAS Behind Apache HTTPD Hi, I have CAS configured and running under Tomcat and so far all is well. However, in production we will be introducing Apache HTTPD in between the users and Tomcat. All requests will come in on port 80 or 443 to Apache HTTPD which will forward the requests to Tomcat where necessary. I should also note that we are using ACEGI security as well. In theory, this doesn't seem like it should cause any problems, but since CAS is heavily reliant on HTTPS and ACEGI requires URL's to be configured in numerous places, I sense at least the potential for problems in getting the setup right. Is anyone else running in a similar configuration? Does anyone have any experiences to report or warnings or suggestions? Thanks. Bill Bailey Senior Developer / DBA Northland, A Church Distributed _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas _______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas -- -Scott Battaglia LinkedIn: http://www.linkedin.com/in/scottbattaglia
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
