Hello,

I'm facing the following requirements:

 1. I have multiple systems that want to expose functionality
    as web services.
 2. I will have multiple front-ends that want to use these
    services.
 3. All of these front-ends must have single-sign-on and CAS is
    an obvious choice for that.
 4. I also have 3rd parties (customers) who want to access
    some of these services from the outside.
 5. I want to use a standard way of putting authentication on 
    my web services; namely WS-Security.
 6. The web services must also accept CAS tickets.

I have a plan on how to do it, but it seems I need some help from you guys (I 
will return to that part in a minute).
Here's how I plan to do it:

 1. All of my web services use XFire + XFire-ws-security to
    implement the WSS standard.
 2. The web services MUST be accessed over HTTPS so clients can
    send their password (and username) in 'clear text' without
    worry.
 3. External clients are each given their own username and
    password, which they will send with every request.
 4. My front-ends will authenticate with CAS tickets, by 
    specifying 'CAS-TICKET' as the username and the ticket as
    the password.
 5. XFire uses a WSS4JInHandler with CallbackHandlers to do its
    authentication - I will write a CasWssAuthInHandler based on
    this class to handle the CAS specific rules above.
 6. My CasWssAuthInHandler will communicate with the CAS server
    using the built-in CAS web service.

It is point 6 that is causing me the most trouble right now. I used XFire to 
generate Java stub classes from the CAS WSDL, but I have no idea how to use 
them.
The Credentials class alone was useless, so I copied the 
UsernamePasswordCredentials class from the CAS source, but I cannot get the XML 
mapping right.
I have tried out all manner of XML layouts in SoapUI, but a
TicketException with the code
    "error.authentication.credentials.unsupported"
is the only response I have been able to provoke thus far.

If you would just give me a complete SOAP envelope example of 
how to authorize a username & password, then that would make my
day.


Here's the SOAP envelope I send to the CAS server:

<soapenv:Envelope 
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:cas="http://cas.jasig.org">
   <soapenv:Body>
      <cas:createTicketGrantingTicket>
         <cas:in0
           xmlns="http://principal.authentication.cas.jasig.org">
            <cas:usernamePasswordCredentials>
               <cas:username>admin</cas:username>
               <cas:password>admin</cas:password>
            </cas:usernamePasswordCredentials>
         </cas:in0>
      </cas:createTicketGrantingTicket>
   </soapenv:Body>
</soapenv:Envelope>


And here's the server's response:

<soap:Envelope 
  xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>
            error.authentication.credentials.unsupported
         </faultstring>
         <detail>
            <TicketException xmlns="http://cas.jasig.org">
               <code xmlns="http://ticket.cas.jasig.org">
                  error.authentication.credentials.unsupported
               </code>
            </TicketException>
         </detail>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>






Med venlig hilsen/Best regards
Christian Vest Hansen 
Developer 
 
Reception  +45 3393 1434
Mobile        +45 6130 4121
Web            www.unwire.com

UNWIRE ApS
Masnedøgade 20, 3. sal
DK-2100 Copenhagen Ø. 
Denmark
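
The username dispatch from plan steps 3 to 5 above, as an added example that is not part of the original post and is not XFire, WSS4J or CAS code. The class name, the TicketValidator hook and the sample credentials are hypothetical, and the WSS4J callback wiring is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class WssCredentialDispatcher {
    /** Reserved UsernameToken username that marks the password field as a CAS ticket. */
    static final String CAS_TICKET_USER = "CAS-TICKET";

    /** Hypothetical hook: wraps whatever call validates a ticket against the CAS server. */
    interface TicketValidator { boolean isValid(String ticket); }

    // Constructed sample store; plaintext only for brevity, a real store would hold salted hashes.
    private final Map<String, String> externalPasswords;
    private final TicketValidator validator;

    WssCredentialDispatcher(Map<String, String> externalPasswords, TicketValidator validator) {
        // The reserved name must never be a real account, or a password could stand in for a ticket.
        if (externalPasswords.containsKey(CAS_TICKET_USER)) {
            throw new IllegalArgumentException("reserved username present in client store");
        }
        this.externalPasswords = externalPasswords;
        this.validator = validator;
    }

    /** Decides one UsernameToken: CAS ticket path for front-ends, password path for external clients. */
    boolean authenticate(String username, String password) {
        if (username == null || password == null || password.isEmpty()) return false;
        if (CAS_TICKET_USER.equals(username)) {
            return validator.isValid(password); // ticket path never consults the password store
        }
        String expected = externalPasswords.get(username);
        // Compare even for unknown users, using a comparison that does not stop at the first mismatch.
        byte[] stored = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
        boolean match = MessageDigest.isEqual(stored, password.getBytes(StandardCharsets.UTF_8));
        return expected != null && match;
    }

    public static void main(String[] args) {
        // Constructed sample data: one external client and one ticket the stub validator accepts.
        Map<String, String> clients = Map.of("acme", "s3cret-constructed");
        TicketValidator stub = ticket -> ticket.equals("ST-1-constructed");
        WssCredentialDispatcher d = new WssCredentialDispatcher(clients, stub);
        System.out.println("external client:      " + d.authenticate("acme", "s3cret-constructed"));
        System.out.println("front-end ticket:     " + d.authenticate("CAS-TICKET", "ST-1-constructed"));
        System.out.println("password as a ticket: " + d.authenticate("CAS-TICKET", "s3cret-constructed"));
        System.out.println("unknown user:         " + d.authenticate("nobody", "guess"));
    }
}
```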
