Yan,

If I understand correctly, you have deployed App A and App B. You are
neither able nor willing to change the CAS config on App B because it
breaches PCI compliance.
It seems odd that PCI compliance would allow any user access but not
allow a proxy.
Did you create app A or are both apps from third party vendors?

If app B needs to know the user that is sending the request, then you
will have to use clearpass,
https://apereo.github.io/cas/4.0.x/integration/ClearPass.html.
If app B only needs to have an authenticated user, then perhaps App A
can perform the log in on behalf of all users. The Ajax calls would go
from App A UI to App A service that makes the REST calls.

What do the creators of App B suggest for authentication?

Ray

On 2016-11-02 13:12, Yan Zhou wrote:
> Thanks for the feedback.
>
> Unfortunately, we cannot use Proxy Authentication, due to PCI
> implications. A non-PCI-compliant app proxying a PCI (credit card)
> service would not be allowed by PCI standards.
>
> The reason we run into problems with CAS-protected REST services (App
> B, no UI) is that Ajax somehow does not handle redirects (even after I
> enable CORS). The browser does it fine, but it fails when Ajax tries to
> access the REST endpoint without an application session in place, which
> triggers the CAS login flow with all the redirects.
>
> I do not see how OAuth solves that problem. Doesn't that require a login
> page UI to redirect to and back? Wouldn't that run into the same
> problem with Ajax?
>
> Can you elaborate on JSONP? Would app B now have to know the user's
> password? CAS is nice because the application does not see the user's
> password, only the CAS server does.
>
> Thx,
> Yan
>
> On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux
> <pascal.rig...@univ-paris1.fr>
> wrote:
>
>     Hi,
>
>     Solutions:
>     - proxy CAS: As the proxy ticket can only be validated once, you
>     will need to cache the ticket, or create your own session
>     - JWT: create a JWT and check it on app B.
>     - oauth
>     - JSONP login on app B. We are using this quite a lot. Simple and
>     works great.
>       Commits implementing this on angular-seed:
>     https://github.com/prigaux/angular-seed/commits/master
>       and especially the first one:
>     https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
>       I wrote some doc on this, alas in French:
>     http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
>
>     Happy CAS,
>     cu
>
>     On 01/11/2016 20:22, Yan Zhou wrote:
>
>         Hello,
>
>         The CAS protocol does not let the apps (CAS clients) get the
>         TGT ticket. We have a need for that.
>
>         We have two web apps, both casified with CAS 4.1.X. One web
>         app has an AngularJS (JavaScript) front end, and the other
>         web app is UI-less; it just offers REST services.
>
>         JavaScript code in App A wants to call the REST API in App B.
>         We ran into problems with CORS, etc. But even after CORS is
>         enabled, we still run into trouble.
>
>         So the thought is: if the JavaScript code can get hold of the
>         TGT after the user logs in to App A, then the JS code can use
>         the CAS REST API to authenticate against the 2nd app (the
>         UI-less REST services).
>
>         Is that a bad idea, and how is that possible?
>
>         Yan
>
>         --
>         - CAS gitter chatroom: https://gitter.im/apereo/cas
>         - CAS mailing list guidelines:
>         https://apereo.github.io/cas/Mailing-Lists.html
>         <https://apereo.github.io/cas/Mailing-Lists.html>
>         - CAS documentation website: https://apereo.github.io/cas
>         - CAS project website: https://github.com/apereo/cas
>         ---
>         You received this message because you are subscribed to the
>         Google Groups "CAS Community" group.
>         To unsubscribe from this group and stop receiving emails from
>         it, send an email to cas-user+unsubscr...@apereo.org
>         <mailto:cas-user%2bunsubscr...@apereo.org>
>         <mailto:cas-user+unsubscr...@apereo.org
>         <mailto:cas-user%2bunsubscr...@apereo.org>>.
>         To view this discussion on the web visit
>         
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org
>         
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org>
>         
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org?utm_medium=email&utm_source=footer
>         
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org?utm_medium=email&utm_source=footer>>.
>
>
>
>     -- 
>     Pascal Rigaux
>
>     Expert in application development and deployment
>     DSIUN-SAS (applications and digital services department)
>     Université Paris 1 Panthéon-Sorbonne  -  Centre Pierre Mendès
>     France (PMF)
>     B 402 - 90, rue de Tolbiac -  75634 PARIS CEDEX 13 - FRANCE
>     Tél : 01 44 07 86 59
>
>
>

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE C023 | r...@uvic.ca
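Pascal's second option (App A creates a JWT after its own CAS login, App B checks it and answers 401 rather than redirecting, which an Ajax call can handle) as an added stand-alone example; this is not code from the thread or from the linked angular-seed commits, and the shared secret, the "app-a"/"app-b" issuer and audience names, and the claim set are assumptions. It uses only the standard library (HS256) and shows the checks App B must do before trusting the token.

```python
# Added example, not from the thread: App A mints an HS256 JWT for the CAS
# principal, App B verifies it. Names/secret below are assumptions.
import base64
import hashlib
import hmac
import json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(secret: bytes, cas_principal: str, now: int, ttl: int = 300) -> str:
    """App A side: after CAS login succeeded, issue a short-lived token.
    App B only ever sees this token, never the user's CAS password."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "app-a", "aud": "app-b", "sub": cas_principal,
              "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """App B side: return the CAS principal if the token is acceptable, else
    None (the REST endpoint should then answer 401, not 302 to CAS login).
    Checks: structure, alg pinned to HS256, constant-time signature compare,
    issuer, audience, and expiry."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:  # bad structure, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
        return None
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != "app-a" or claims.get("aud") != "app-b":
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None
```

App B trusting App A's signing key is the same trust decision the proxy option raises, so it needs the same PCI review; the token just avoids the redirect dance.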

