Well, I am initially planning to try the VNC Viewer applet. Actually,
it is not just about applets alone. I've had this requirement for some
desktop applications too!! Maybe I am sounding ridiculous.

I think I like the proxying idea! It would greatly reduce the
possibility of faking identity. I don't want to access the CAS cookie
at all. I still haven't got the idea of proxying CAS. Well, I'll get
back after doing my homework.

Thank You. In case of issues, I'll get back with a useful use case too.

Regards,
Abishek Goda



On 6/18/06, Andrew Petro <[EMAIL PROTECTED]> wrote:
> I don't know much about applets.  Here's my stab at a reply anyway:
>
> As I understand it, a Java applet is strongly associated with some
> authoritative website from which it is loaded.
>
> So make the user CAS authenticate to that website and then have that website
> communicate the authenticated user (perhaps cryptographically signing this
> assertion?) to the applet.  This is pretty easy as a gateway to get the
> applet in the first place (and then just deliver an
> authentication-provisioned applet.)
>
> If you really want the user to start from the applet and "get
> authenticated", then produce a URL in the applet to the website with an
> identifying session key, and then the website can require CAS authentication
> and provide a service that the applet calls with the key to see who's
> authenticated for that key.
>
> However, providing any authentication to a Java applet is a tough way to go.
> The code is running on the end user's computer.  He can do arbitrarily
> clever things like replace the local JVM with a compromised JVM.  So more or
> less whatever you come up with, there will be some way for the end user to
> fake out the applet once received to believe he is someone he is not.
>
> However, if the applet in turn uses CAS proxy tickets to proxy
> authentication to access whatever it is that it accesses, then security can
> be restored inasmuch as it will not be possible to get valid proxy tickets
> in the name of anyone other than the user who received the ST from which the
> PGT was derived.  You'll have to solve interesting problems to use proxy
> tickets including what the proxy callback URL is going to be -- presumably
> also a service provided by the website hosting the applet.
>
> In any case, I would strongly recommend against the applet accessing the CAS
> TGT cookie directly.  That cookie is intended to be only available to the
> CAS server.  No CAS-using services should ever see or touch that cookie, and
> widening the scope of that cookie or making it visible over non-SSL'ed
> connections seriously compromises the security of the CAS protocol.
>
>
> Use case?  What will your applet do?
>
> Andrew
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Ingeneur
> > Sent: Saturday, June 17, 2006 6:27 AM
> > To: Yale CAS mailing list
> > Subject: casify applets
> >
> > Hi All,
> >
> > I need some starter ideas on how to casify a java applet. Is this
> > possible at all?? I can have the page casified. Can I then try a
> > URLConnection to the cas server to get the User Logged In?? Will the
> > applet need to read the CAS cookie information??
> >
> > Am I talking sense at all????
> >
> > Thank You
> > --
> > Regards,
> >
> > Abishek Goda
> > http://www.geocities.com/abi_gt
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
>


-- 
Regards,

Abishek Goda
http://www.geocities.com/abi_gt
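
The session-key handoff described in Andrew's reply (the applet opens a URL carrying a key, the website requires CAS login, the applet then asks who is bound to that key), sketched as an added example that is not from the thread or from CAS itself. The names `KeyBroker`, `bind`, `redeem` and the 120-second lifetime are assumptions, and CAS ticket validation is assumed to have already produced `cas_user`.

```python
import hashlib
import secrets
import time

KEY_TTL_SECONDS = 120  # assumed lifetime for an unredeemed key


def new_session_key() -> str:
    """Applet side: unguessable key to embed in the login URL."""
    return secrets.token_urlsafe(32)


class KeyBroker:
    """Website side: binds a key to the CAS-authenticated user, once."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._bound = {}  # sha256(key) -> (user, expiry); raw keys are not stored

    @staticmethod
    def _digest(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def bind(self, key: str, cas_user: str) -> bool:
        """Call only after the site has validated the CAS service ticket.

        cas_user is the principal returned by that validation (assumed input).
        """
        if len(key) < 32:  # reject short, guessable keys
            return False
        digest = self._digest(key)
        entry = self._bound.get(digest)
        if entry and entry[1] > self._clock():
            return False  # already bound: never rebind a live key to another user
        self._bound[digest] = (cas_user, self._clock() + KEY_TTL_SECONDS)
        return True

    def redeem(self, key: str):
        """Applet's lookup: returns the user once, then forgets the key."""
        entry = self._bound.pop(self._digest(key), None)
        if entry is None:
            return None
        user, expiry = entry
        return user if self._clock() <= expiry else None
```

This only tells the applet who logged in; as the reply notes, a user who controls the client can still fake the result, which is the gap the proxy-ticket approach closes.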