If managing API ACL - perhaps OAuth/Open ID Connect? Or as another poster replied, manage via session, upon initial CAS validate.
Averaging 300K CAS validations/day at term time - no performance issues with 5 load balanced VMs. ________________________________ From: Ajay Madhavan [ajayma...@gmail.com] Sent: Monday, June 29, 2015 15:10 To: cas-user@lists.jasig.org Subject: Re: [cas-user] Embedding username info in Service ticket Hi Carl, I do have a distributed system where I have multiple services. Imaging each service to be a host by itself. I use cas for authenticating access to all services. I am expecting api scale to increase enormously over close to say 1000 api per second or so. I was trying to understand if I could avoid network calls if each of these services were inside a host by themselves. I do understand the CAS protocol, just wanted to see if there was a secure way of scaling horizontally. Regards Ajay On Mon, Jun 29, 2015 at 1:33 PM, Waldbieser, Carl <waldb...@lafayette.edu<mailto:waldb...@lafayette.edu>> wrote: Service ticket validation is more or less integral to how CAS works. Maybe if you could explain a bit more in depth what you are trying to accomplish, it might make more sense to the members of the community, and you could receive better advice. Also, why do you believe there would be some kind of bottleneck validating service tickets? What kind of volume have you measured or are you expecting in terms of validations per unit of time? Thanks, Carl Waldbieser ITS Systems Programmer Lafayette College ----- Original Message ----- From: "Ajay Madhavan" <ajayma...@gmail.com<mailto:ajayma...@gmail.com>> To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> Sent: Monday, June 29, 2015 4:20:49 PM Subject: Re: [cas-user] Embedding username info in Service ticket I do have a secure mechanism to encrypt my service ticket with the public key and then decrypt it later using the private-key. Also there are multiple webapps which are being protected by the CAS service and I dont want the service validate to be a bottle neck for each of those webapps. I know service ticket generation does do that. But I want to see if I can skip service validation at least. Thanks Ajay On Mon, Jun 29, 2015 at 1:04 PM, Dmitriy Kopylenko <dkopyle...@unicon.net<mailto:dkopyle...@unicon.net>> wrote: > I second what Andy says, and just want to add that service ticket > validation is the necessary step in a secure CAS protocol, and the simple > answer is - “no, you cannot skip the ST validation step”. > > Best, > Dmitriy. > > > On Jun 29, 2015, at 3:55 PM, Andrew Morgan > > <mor...@orst.edu<mailto:mor...@orst.edu>> wrote: > > > > On Mon, 29 Jun 2015, Ajay Madhavan wrote: > > > >> I want to skip service validation. I want to distribute the validation > >> among all my webapps where i can obtain the username from the service > >> ticket. > >> > >> I still want to use CAS for service ticket generation. > > > > If you don't validate the ST over a back-channel connection, then how do > you prevent someone from spoofing the username? An attacker could put > whatever they want in the ST value to become any other user. > > > > Validating the ST is a necessary step for security. > > > > I don't understand what you mean by "distribute the validation among all > my webapps". > > > > Andy > > > > -- > > You are currently subscribed to > > cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: > dkopyle...@unicon.net<mailto:dkopyle...@unicon.net> > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > > -- > You are currently subscribed to > cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: > ajayma...@gmail.com<mailto:ajayma...@gmail.com> > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: waldb...@lafayette.edu<mailto:waldb...@lafayette.edu> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: ajayma...@gmail.com<mailto:ajayma...@gmail.com> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: hari.mailvaga...@ubc.ca To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user