Hi Filip,

Did you look at what is possible with Spring Security? There are several possibilities to secure your REST API, and in my mind JWT is a good option.

I developed an Angular app and used spring-security. I didn't use the JWT protocol as it was not well documented when I developed my app, but I think I would use it now.
My app can be found here: https://github.com/EsupPortail/esup-publisher
Or, if you prefer, you can find a POC of the auth mechanism here: https://github.com/jgribonvald/demo-spring-cas-angular, or someone made a documented and more advanced example here: https://github.com/rohajda/casdemo (he used my POC).

For a JWT example you can rely on Pascal's explanations, or you can easily find some well-explained documentation on the web (search for "spring security jwt").

Thanks
Julien


On 10/07/2017 at 13:35, Pascal Rigaux wrote:
Hi,

With the CAS protocol, your API MUST create its own token/session:
a CAS ticket is a one-time token, there is no way to rely on it.

Another solution is to use OpenID Connect; it should work with CAS >= 5.1:
- enable OpenID Connect
- use implicit flow to obtain CAS generated JWT
- send JWT to your API
- REST API checks JWT signature against jwks_uri

Example: https://area51.univ-paris1.fr/prigaux/test-oidc.html (you must be logged on to Google first)

Drawbacks:
- no easy single logout (major problem for us)

French presentation on this: https://prigaux.frama.io/JwtProxyService/

cu


Filip Majernik <filip.majer...@gmail.com> wrote:

Hi Pascal,
the reason why I need this is that the REST API calls can also only be
performed by an authorized user. This means that the AngularJS app
must send some token along with the request to my REST API, and the REST
API must be able to validate that token.

So the main problem for me is not the login (this can be done with a
redirect, or with posting the username/password, I do not really mind), but
validating the token in my REST API, because I do not want to create
another HTTP request to the CAS server every time the Angular app makes a
request.

Bye,
Filip

On Saturday, July 8, 2017 at 6:39:57 PM UTC+2, Pascal Rigaux wrote:

Hi,

Do you really need to handle username/password? Most CAS applications
avoid this since it breaks SSO.

A simple solution for an AngularJS application is to do as many other
apps do: require a valid session on all HTML pages [*]

Example: https://github.com/fedon/spring-cas-auth

A SPA allows relogging without losing "browser" activity (e.g. textarea
content). Here is a tutorial application with phpCAS that shows
various ways to handle CAS relogin in a SPA:
https://github.com/prigaux/angular-seed

* forked from "angular-seed" (an old version)
   added some PHP pages
   kept index.html, but the app really is index.php

* every commit shows a different functionality. To understand them,
start from the first one, then have a look at the more advanced
features:
- CAS example : minimal casification
- CAS example using http-auth-interceptor : same but using a module
intercepting every $http call
- use ngRoute "resolve" : avoid displaying page "view1" until the user
is authenticated
- replace alert with modal window from angular UI Bootstrap : prepares
the next commit
- add transparent relog using jsonp + CAS gateway : if app session is
expired, try transparent login on CAS using JSONP
- add relog using window.open+postMessage : if transparent relog
failed, instead of restarting application, use window.open+postMessage

* to make it work:

   git clone --depth 4 https://github.com/prigaux/angular-seed.git angular-seed-phpCAS
   cd angular-seed-phpCAS
   bower install

You need phpCAS:
https://wiki.jasig.org/display/CASC/phpCAS+installation+guide

Happy CAS,
cu


[*] if your first page is static AND CAS protected, you must ensure it
is not browser cached




--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- You received this message because you are subscribed to the Google Groups "CAS Community" group.