Documentation Recommends https


Jonathan Labin

Jan 26, 2016, 2:58:58 PM
to CAS Community
Could someone please help me understand the recommendation in the documentation to use Secure Transport?
During development, I've just used https for everything but I'd like to have a better understanding of which configuration items really require it.

The page specifically states that "all CAS urls must use HTTPS" and to me this means all of the applications should configure their clients with https urls to endpoints such as loginURL, serverUrlPrefix, ...
What about the URL provided as a service redirect argument to the /logout endpoint?
I might guess this is O.K. to be http.

The documentation also states https should be used "when the generated service ticket is sent back to the application on the 'service' url"
What is the practical implication of this?  Does it mean that all serviceId values for registered services must begin with https?
Does this also mean that the client callbackUrl must also be https?

If these must all be https, does this mean that the application will always return from authentication in https?
If the client was in http before authentication started, is there any way that they can end up in http after authentication?

Thanks

Misagh Moayyed

Jan 26, 2016, 3:56:37 PM
to CAS Community

-          Nothing in CAS “requires” https. As such, there is no MUST. There is a very very strong SHOULD. Everything if not all is by default configured to assume https. You can turn all that off to use http only, or a combination. You should not do that.

-          We recommend you use https for everything. That includes the CAS deployment, and all applications registered with CAS, and every callback URL and serviceId and logout URL and everything else.  

-          Clients that initiate authentication with HTTP remain in HTTP as long as CAS allows HTTP access for that client. Same goes for HTTPS. You cannot change URL protocol in between.


--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.

Aaron Burton

Dec 4, 2017, 3:53:22 PM
to CAS Community, mmoa...@unicon.net
"Very very strong should" noted.  If I still wanted to disable https on the service url callback what property do I set?  I don't see anything that looks like it in this https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#http-client

Thank you

Petr Gašparík - AMI Praha a.s.

Dec 5, 2017, 3:04:35 AM
to CAS Community
Hi Aaron,
You can do it in the service JSON file.

Just find the default one (HTTPSandIMAPS-10000001.json)

Just change
  "serviceId" : "^(https|imaps)://.*",
to
  "serviceId" : "^(http|https)://.*",


--

Regards,

Petr Gašparík
solution architect

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
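The serviceId change suggested in the answer above, worked through as an added example (this is not code from the thread or from CAS itself): it loads a constructed service definition modelled on the default HTTPSandIMAPS-10000001.json, checks which callback URLs the strict and the loosened pattern accept, and adds an audit helper that flags any definition allowing a service ticket to be sent to a plain http:// URL. Field values other than serviceId, the sample URLs, and the use of an anchored re.match to approximate CAS's regex service matching are assumptions.

```python
import json
import re

# Constructed service definition modelled on the default
# HTTPSandIMAPS-10000001.json named in the thread; fields other than
# serviceId are assumptions, not copied from CAS.
DEFAULT_SERVICE_JSON = """{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001
}"""

# Constructed callback URLs an application might send as its 'service' parameter.
SAMPLE_URLS = [
    "https://app.example.org/cas/callback",
    "http://app.example.org/cas/callback",
    "imaps://mail.example.org",
]


def load_service(json_text):
    """Parse a CAS JSON service definition (file-based service registry format)."""
    return json.loads(json_text)


def service_matches(service_def, service_url):
    """Approximate CAS's RegexRegisteredService check: the incoming 'service'
    URL must match the serviceId regex. Assumption: anchored match via re.match."""
    return re.match(service_def["serviceId"], service_url) is not None


def loosen_to_http(service_def):
    """Apply the edit from the answer above: also accept plain http callbacks."""
    widened = dict(service_def)
    widened["serviceId"] = "^(http|https)://.*"
    return widened


def accepts_plain_http(service_def):
    """Audit helper: would this definition let a service ticket be redirected
    to an http:// URL? Uses a constructed canary URL; a match means the ticket
    could travel in clear text to that application."""
    return service_matches(service_def, "http://canary.invalid/")


def evaluate(service_def, urls):
    """Map each candidate callback URL to whether the definition accepts it."""
    return {u: service_matches(service_def, u) for u in urls}


if __name__ == "__main__":
    strict = load_service(DEFAULT_SERVICE_JSON)
    loose = loosen_to_http(strict)
    print("default :", evaluate(strict, SAMPLE_URLS), "http allowed:", accepts_plain_http(strict))
    print("loosened:", evaluate(loose, SAMPLE_URLS), "http allowed:", accepts_plain_http(loose))
```

Running accepts_plain_http over every definition in a service registry gives a quick inventory of which applications would receive tickets over clear-text HTTP after such a change.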
