On 05/13/2014 07:23 PM, Eric Lauffenburger wrote:
Hi All,

I recently wrote a small library for CAS impersonation -- meaning that a user could quickly authenticate and send a request+data through CAS as another user for the purposes of calling an API/Webservice that is secured by CAS. My question is this: should this even be done? Perhaps I'm really circumventing what CAS is meant for in the first place.

To clarify, this is what I'm doing:

- Alice logs into CASified webapp W
- W needs to retrieve data from service S
- W uses library to contact S as "imaginary" user Bob
- S performs task UNRELATED to user Bob (GetAllUsers(...) or something like that)
- W receives data back from S and uses it appropriately

Again, Bob is not a true user (student/staff/faculty), but an account made solely for contacting this service. Anything look wrong here?

Best,
Eric Lauffenburger
[email protected]
That doesn't seem consistent with how you would want the security model. Why would you want to impersonate a user that isn't a true user? Just have the service authorize the people you really want to have access.
Many security libraries support impersonation, and can in fact report on whether this is done. Apache Shiro is one such example. I would expect that impersonation should happen at that layer, rather than trying to force something through CAS.
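The contrast the two replies draw, as an added illustration that is not CAS or Shiro code and not from this thread: service S makes its own authorization decision and, where impersonation is supported at all, the security layer keeps it visible (original principal, effective principal, run-as flag) in what it records. The role table, the `webapp-w` service identity and the `directory-reader` role are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role table: who S actually trusts to call GetAllUsers.
ROLES = {
    "webapp-w": {"directory-reader"},  # W's own service identity (assumed name)
    "alice": {"student"},              # a real end user
    "bob": {"directory-reader"},       # the "imaginary" account from the question
}
REQUIRED_ROLE = {"GetAllUsers": "directory-reader"}


@dataclass
class Subject:
    """Authenticated caller with a run-as stack: impersonation, if used, lives
    in the security layer and stays reportable, as the reply suggests."""
    principal: str
    run_as_stack: list = field(default_factory=list)

    def run_as(self, other: str) -> None:
        self.run_as_stack.append(other)

    def effective_principal(self) -> str:
        return self.run_as_stack[-1] if self.run_as_stack else self.principal

    def is_run_as(self) -> bool:
        return bool(self.run_as_stack)


def authorize(subject: Subject, operation: str) -> dict:
    """S's authorization decision, returned as the record an audit log would keep."""
    effective = subject.effective_principal()
    return {
        "operation": operation,
        "effective": effective,
        "original": subject.principal,      # who really called, even under run-as
        "impersonated": subject.is_run_as(),
        "allowed": REQUIRED_ROLE[operation] in ROLES.get(effective, set()),
    }


def impersonation_path() -> dict:
    """Approach from the question: W runs as bob, but the record still names W."""
    w = Subject("webapp-w")
    w.run_as("bob")
    return authorize(w, "GetAllUsers")


def direct_authorization_path() -> dict:
    """Approach from the replies: S authorizes W's own identity; no fake user."""
    return authorize(Subject("webapp-w"), "GetAllUsers")


def end_user_path() -> dict:
    """A real user (Alice) lacks the role, so S refuses regardless of CAS login."""
    return authorize(Subject("alice"), "GetAllUsers")
```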
-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
