+1

On 13.08.2013 at 23:47, "Ohsie, David" <[email protected]> wrote:
> Whenever I try to explain how CAS works to colleagues in EMC, generally or in
> specific use cases, I present sequence diagrams. In the past, I've drawn
> these using Visio, which makes nice-looking diagrams, but the result is
> tedious to maintain and also hard to share or integrate into a build
> process. Recently, I started to experiment with text->UML tools and I drew
> this diagram using plantUML (http://plantuml.sourceforge.net/). Starting
> from text means that you can keep this documentation easily in git, and you
> can use maven or many other processes to generate the docs automatically
> (much like you do with Markdown). I'm wondering if the developers feel that
> these diagrams would be useful to include with the documentation. I'm
> attaching a link, the original "source" and the resulting picture. (The link
> is really long; I think that it is a lossless compression of the plantuml
> source.) I'm thinking a proxy ticketing diagram might also be useful:
>
> Ridiculously long link:
>
> http://www.plantuml.com:80/plantuml/img/jLPjJ-D64Fvi_ufHgciFYOJhqZT5X5CIZlGgA15sgclB2Mti3Td3yRgxwr3-VMVN6ySEpij9L4A0xTdPcMUUcMU-KuyyXK6IisiHCvdwlkOwOLqOzWCOIF6ac8I0fmy9QmVy8HKf1EoVdAKHWmjE7oHT-3wDj92G6rEgOE9dL6eUyOoc6bhEISjy6jG_cJi29fVkwx3-TIo5Pf5cCVIpp1gCTnZ0DwIm8RxlztfmoQNIq8yYfXJqUhu_WVOv3A0x4bf0Yw9BlnzflgIQOLm3ytKCNHXz266kTQQw9oTer67_qaMMi4ua5YScqUB060-SjTlsnEax0bSYefgBj5kUZQYgdSNdaqGyyFJzNOfmB7d4UcVyt9g_EUs_8PVuit4XlZaxuUT-Ydc2v0zpxNik8wuWJsckvon5GAW1GGdmlPcGJrJ6W3aQTF4HAbOOOSVtMkx-5c0XvJCWg7J1D9E-jpLp3o-St5u15Xvv4liiZS64vNcU7xCABWMImpgGhma6NHUj_7VekteC2-9U6TzmAUIYXjt4C3GMJ9dGOKwN32ZoERX15Yg5u1GOPf8f10niX0R2HPbkDTSXKkgi3OCkDeBA4lfihhvBAtUNfXF3FaE_BWJvTC7r2zEAtqa9uVWc2FztGfcsJR7-nyW3fPw4Z8yHbTXbZxHvP6X59RFX8C_Cspc3gOYVQpIe03Dq2VGh1BNpOLscWEdsK8X7NioQS3JiXQEmJKv_-F6ddt-vIvkxQfENc7iHOIy8sz-xmozhZkHzqIkHP2OgDzjKCTlU8XcEG1LiyBqYC8XidFWdrPIdogOVscjX974KeOlLyrjCuiZtGcCn2it5njWvX4VsR5lIl3DmA4k-rNND9Aiy35ntZNUFgVSDa5GwT7n0Wpf2_K4J7kEfhwFOjqr5US6xzVH63x1qDoah27WHOkWG3S8ZeBPZG5cn065-sIZMc5KG6wyuHjwzWxy_NL_142k7nVzS192mcRQr1SbqBh6WE0MCMIoYV64w_sdEepaIFKhoc2baVueFiPkW86QWSZk6ZsqbwzJoFPLFls1cHHk9p9oXIVACIMZ9fpackQNKJbFgpV5Ry248Fjxy_l6YrnyC7Po7zaSDSVHQOwEZjObo9Hk-PrlRwVwKHez6IMoIMPQi07ZYUkvC7ItSd0256MOPeY1cCzC5oFyL0FYDPO2pTObO5MsnkWS1ZcDfP6rA9SoaM41SZ5JJMSOo21iX6vVzi1EjWqLzxBojUBy1rRf0bbcELOOFsvn_haSxiUShYb7i8VKMxtGwTeC960wSUBN2X082dD9crIdhODUQGbPkpLA62m-YA78PiQfCbhlD7ahjGgdqMoTKWKxXrmmxevjOpKHWtInBJF5a4LkpM1mCEiRVih3Vkb3AhcurWWnhbClWcu6khOe6PmVy9jAR2oHfs239onMIRACRMQL6NdsB94sgNqM9h1UrNIhy6aiSENoBM-qD9HKmcFNAq3ZkoFPze64RC4D_BJNQgJHk0wbm2m-IsF2LoygIkr-GoPwgxvPauYC5NbkKoS6gN9LEibqxcwIArBNg-kRYlZy9Vxr7dE-3tgS__zglLnljKITfYUxU6xwYwyQaVMvyxXauPEUO9plcF6aUz6HZqly7
>
> Image (source comes after the image):
>
> <image001.png>
>
> @startuml
>
> 'skin BlueModern
>
> title: CAS Browser Single-Signon Sequence Diagram
>
> actor user as U
> participant "Browser" as B
> participant "CAS Server" as C
> participant "Protected App" as P
> participant "Protected App #2" as P2
>
>
> == First Access ==
>
> U -> B :Goto "app"
> activate B
> B -> P : GET https://app.example.com/
> activate P
> B <-- P : 302 Location: https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp.example.com%2F</i>
> note right
> Access is unauthenticated so
> forward to CAS for authentication.
> "service" query parameter
> https://app.example.com/
> is URL encoded
> end note
> deactivate P
>
> B -> C: GET https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp.example.com%2F</i>
> activate B
> activate C
>
> B <-- C: CAS Login Form
> note right
> User does not have an SSO Session so
> present login form
> end note
> deactivate C
> U <- B: Display CAS\nLogin Form
> activate U
> U --> B: Submit CAS\nLogin Form
> deactivate U
> B -> C: POST https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp.example.com%2F</i>
> note right
> username, password, and login ticket
> are POSTed in the body
> end note
> activate C
> C -> C: Authenticate user
> B <-- C: Set-Cookie: CASTGC=TGT-2345678\n302 Location: https://app.example.com/?\nticket=ST-12345678
> note right
> User is authenticated so create Single-signon (SSO) session
> CASTGC cookie contains the Ticket Granting Ticket (TGT)
> The TGT is the session key for the user's SSO session
> end note
> deactivate C
> deactivate B
>
> B -> P: GET https://app.example.com/?ticket=ST-12345678
> activate P
> P -> C: GET https://cas.example.com/serviceValidate?\nservice=<i>https%3A%2F%2Fapp.example.com%2F&\nticket=ST-12345678</i>
> note right
> Protected app validates Service
> Ticket (ST) at CAS server over https
> end note
> activate C
> P <-- C: 200 [XML Content]
> note left
> CAS returns an XML document which includes
> an indication of success, the authenticated
> subject, and optionally attributes
> end note
> deactivate C
> B <-- P: Set-Cookie: JSESSIONID=ABC1234567\n302 Location: https://app.example.com/
> note right
> Set the session cookie and forward
> the browser back to the application with
> the service ticket stripped off
> This optional step prevents the browser
> address bar from displaying the ST
> end note
> deactivate P
> B -> P: Cookie: JSESSIONID=ABC1234567 GET https://app.example.com/
> activate P
> P -> P: Validate session cookie
> B <-- P: 200 [Content of https://app.example.com/]
> deactivate P
> U <-- B: Display "app"
> deactivate B
>
> ...
>
> == Second Access To Same Application ==
>
> U-> B: Request resource
> activate B
> B -> P : Cookie: JSESSIONID=ABC1234567\nGET https://app.example.com/resource
> note right
> Session Cookie is sent
> along with the request
> end note
> activate P
> P -> P: Validate session cookie
> B <-- P : "200 [Resource Content]"
> deactivate P
> U <-- B : Display resource
> deactivate B
>
> ...
>
> == First Access To Second Application ==
>
> U -> B :Goto "app2"
> activate B
> B -> P2 : GET https://app2.example.com/
> activate P2
> B <-- P2 : 302 Location: https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp2.example.com%2F</i>
> deactivate P2
>
> B -> C: Cookie: CASTGC=TGT-2345678\nGET https://cas.example.com/cas/login?\nservice=<i>https%3A%2F%2Fapp2.example.com%2F</i>
> activate B
> activate C
> C -> C: Validate TGT
> B <-- C: 302 Location: https://app2.example.com/?\nticket=ST-345678
> note right
> CAS validates the TGT so no login is required
> end note
> deactivate C
> deactivate B
>
> B -> P2: GET https://app2.example.com/?ticket=ST-345678
> activate P2
> P2 -> C: GET https://cas.example.com/serviceValidate?\nservice=<i>https%3A%2F%2Fapp2.example.com%2F&\nticket=ST-345678</i>
> activate C
> P2 <-- C: 200 [XML Content]
> deactivate C
> B <-- P2: Set-Cookie: MOD_AUTH_CAS_S=XYZ1234567\n302 Location: https://app2.example.com/
> deactivate P2
> B -> P2: Cookie: MOD_AUTH_CAS_S=XYZ1234567 GET https://app2.example.com/
> activate P2
> P2->P2: Validate session cookie
> B <-- P2: 200 [Content of https://app2.example.com/]
> deactivate P2
> U <-- B: Display "app2"
> deactivate B
>
> @enduml
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
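A runnable model of the ticket exchange in the quoted diagram, written for this page as an added illustration (it is not CAS server code and not from the thread): the credential store, the ticket format and the response text are constructed, while the serviceValidate XML shape and the INVALID_TICKET / INVALID_SERVICE codes follow the CAS protocol specification. It shows what the `service` parameter on serviceValidate buys you: a service ticket validates once, and only for the service it was issued to, while the TGT cookie lets a second application get its own ticket without a new login.

```python
import secrets
from xml.etree import ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used by the serviceValidate XML


class CasServer:
    """In-memory model of the CAS server in the diagram: SSO sessions keyed by
    TGT (the CASTGC cookie value) and single-use service tickets (STs)."""
    USERS = {"alice": "correct horse"}   # constructed credential store

    def __init__(self):
        self.tgts = {}   # TGT -> username
        self.sts = {}    # ST -> (username, service the ST was issued for)

    def login(self, username, password, service, tgt=None):
        """/cas/login: returns (tgt, st), or None when the login form must be shown.
        A valid CASTGC cookie (tgt) skips the credential check, as for app2."""
        if tgt in self.tgts:
            username = self.tgts[tgt]
        elif username in self.USERS and secrets.compare_digest(
                self.USERS[username], password or ""):
            tgt = "TGT-" + secrets.token_hex(16)
            self.tgts[tgt] = username
        else:
            return None
        st = "ST-" + secrets.token_hex(16)
        self.sts[st] = (username, service)   # an ST is bound to exactly one service
        return tgt, st

    def service_validate(self, service, ticket):
        """/serviceValidate: the ST must be unused and issued for this service.
        Returns the response XML; the failure codes are the CAS protocol's."""
        entry = self.sts.pop(ticket, None)   # pop: a ticket validates only once
        if entry is None:
            failure = "INVALID_TICKET"
        elif entry[1] != service:
            failure = "INVALID_SERVICE"      # ST presented by a different service
        else:
            return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                    f'<cas:authenticationSuccess><cas:user>{entry[0]}</cas:user>'
                    '</cas:authenticationSuccess></cas:serviceResponse>')
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                f'<cas:authenticationFailure code="{failure}">ticket not accepted'
                '</cas:authenticationFailure></cas:serviceResponse>')


def validated_user(xml_text):
    """What the protected app does with the 200 [XML Content] reply:
    the authenticated subject, or None on authenticationFailure."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None
```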
