We are currently working with CAS 3.5, and there were a lot of changes in 
version 4.
I won't be able to check this version for now, but I'll look into it in the 
future.

Being able to configure CORS from the CAS configuration would be great.
For now I'm using a Tomcat filter for that purpose:

        <filter>
                <filter-name>CorsFilter</filter-name>
                <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
                <!-- See configuration:
                     http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter -->
                <!-- cors.allowed.origins is not set here, so the filter's
                     default (*, any origin) applies -->
                <init-param>
                        <param-name>cors.exposed.headers</param-name>
                        <param-value>Location</param-value>
                </init-param>
                <init-param>
                        <param-name>cors.allowed.methods</param-name>
                        <param-value>POST,DELETE</param-value>
                        <!-- POST is needed for creating TGT and ST, DELETE is
                             needed for logging out -->
                </init-param>
        </filter>
        <filter-mapping>
                <filter-name>CorsFilter</filter-name>
                <url-pattern>/v1/*</url-pattern>
        </filter-mapping>

My use case is very simple, but it is enough for our modest needs.
__
Romain


On 28 Nov. 2014 at 14:30, Jérôme LELEU <[email protected]> wrote:

> Hi,
> 
> Thanks for following my advice on the PR. Indeed, it should target 4.x, but 
> it's not a big deal even though we have new REST API support in 4.1 
> (https://github.com/Jasig/cas/tree/master/cas-server-support-rest).
> 
> I'm copy/pasting our discussion on security to share with others:
> - me:
> I'm wondering if there is some security concern with such a system, like a 
> malicious page I'm currently browsing and which would request some ST on my 
> behalf and without letting me know.
> 
> - you:
> So, for the security concern, malicious code could ask for an ST on behalf of the user if 
> nothing is configured correctly on the CAS server. To enable the feature I'm 
> exposing here, you'll need to enable CORS. CORS is something you'll have to 
> configure on the CAS server, so that you can set it the way you want. To 
> avoid malicious code, you can enable CORS only for certain domains ( 
> Access-Control-Allow-Origin: http://www.example-social-network.com) instead of 
> all ( Access-Control-Allow-Origin: *).
> 
> 
> It's really an interesting proposal as more and more UIs are built in 
> JavaScript (some would say AngularJS). Could we go a little further and propose 
> a simple way to enable CORS in the CAS server at the same time (like with a 
> property: cors.domain= , which may be left blank to leave CORS disabled)?
> 
> Thanks.
> Best regards,
> 
> 
> 
> 
> Jérôme LELEU
> Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
> Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
> 
> 2014-11-28 14:20 GMT+01:00 Romain <[email protected]>:
> Hi all,
> 
> I have opened a pull request for the 3.5.2.1 branch as it is the version we are 
> working with right now:
>         https://github.com/Jasig/cas/pull/780
> The feature should be easily adaptable to any other current branch.
> 
> The idea is the following :
> 
> - Application A is CASified (the classic way, with redirection to the CAS server for 
> user authentication)
> - Webservice W is CASified too (without any redirection, we get a 401 if not 
> authenticated)
> - W is called from a page of application A (front-end workflow)
> - We'd like to re-use the TGC cookie that is set by CAS after authentication
> - We don't want to manage credentials in application A to send them to the CAS 
> REST API to get the ST needed to call W.
> - We're not talking about application A calling web service W directly, but 
> about web service W being called through a front-end AJAX call from a user 
> authenticated with CAS.
> 
> => the final idea is to have lots of micro-APIs like web service W, each of 
> them protected by CAS
> 
> So feel free to tell me if I'm going the wrong way with this matter =)
> 
> Thanks in advance
> __
> Romain-first-time-poster-on-this-list
> 
> 
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
> 
> 
> 

