> Then the original ZTN needs things like the subject attribute which was not required to be there originally.

I'm not quite following.  There's a subject in the token (among many other things, some of which may or may not be useful for authorization).  I assume the semantics should be, if the token was not presented with a request, then the token from the session can be used as if it was presented with the request.

> We are compelled to force TLS on the pools to protect the token sent with the opaque data

I think TLS should be forced on the pools regardless, token or no token, unless you differentiate between trusted LAN and WAN transfers.

Redirection is another case where using the session token is probably useful - the client doesn't have to keep track as to whether the `authz` CGI header should be sent or dropped.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1584#issuecomment-1035134325