Bill,

Thanks for such a fantastic response. This certainly pushes me in the right direction. Currently, clients are providing credentials (WS-Security, UsernameToken) and we use Acegi to authenticate and authorize. Our applications are pseudo rich clients; however, we do not implement a 2 phase authentication mechanism, so I'm not sure if/how we can implement passing the ticket back to the client for re-presenting it upon subsequent service calls. However, that is not an issue I'll concern you with :)

I'll try to read up on the proxy mechanism and I'll most likely be asking some more questions afterwards.

Thanks again,
Eric

Bill Bailey wrote:
> Eric,
>
> I am currently using CAS with web services (Spring Web Services to be
> exact but I think the concepts apply for other frameworks as well even
> though you might need to do a bit more work). You can get a proxy ticket
> that is used to authenticate with the web services, but the application
> obtaining the proxy has to have been authenticated by CAS and possess a
> proxy granting ticket.
>
> You don't have to use a JSP, but you have to obtain credentials from the
> user somehow, right? How do you obtain the credentials
> (username/password) you will use to authenticate? If you are not
> obtaining credentials from a user (e.g. a middle-tier application that
> always logs in with some fixed username and password) then I question
> the value of using CAS.
>
> In my case, my applications are rich (Flex) clients. When the end user
> is authenticated in any of these applications, they request a proxy
> granting ticket and then obtain a proxy ticket specifically for the web
> services.
>
> The proxy ticket is embedded in a hidden field in the resulting web page
> and the Flex client retrieves the proxy ticket from the hidden field and
> uses it in calls to the web services (using WS-Security UsernameToken).
>
> The other issue you have to contend with is that CAS tickets are
> one-time usage tickets. Since you don't want to authenticate all over
> again for each web services call AND since web services are stateless,
> you need to cache valid tickets and compare new tickets to the cache
> first before going to CAS. Spring Web Services with ACEGI handles this
> for you by allowing the username to be _cas_stateless_ in which case
> ACEGI checks the cache for a matching ticket first and only validates it
> against CAS if not found. For other web services frameworks, I suspect
> you might have to implement this particular behavior yourself.
>
> Hope this helps some.
>
> Bill
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Eric Miles
> Sent: Thursday, September 27, 2007 3:23 PM
> To: [email protected]
> Subject: Headless CAS?
>
> Can CAS act as a headless authentication mechanism? I'd like to use CAS
> for authenticating web service calls (which are stateless and headless).
>
> I currently have CAS all wired up with my web application so I
> understand how that works (it works great). However, I am failing to
> see how I could CASify my web services. Is it possible to create a CAS
> Ticket via an API as there is no way for these clients to go to a UI and
> "login"? I see numerous "Java Client" examples that show how to
> validate a ticket once in hand, but I see no examples of how to get the
> ticket itself (without logging in through a JSP page).
>
> Thanks,
> Eric
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
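
The cache-first check described in the quoted reply, for frameworks without Acegi's _cas_stateless_ handling, as an added Java example that is not part of the original thread or of Acegi's code. The `CasValidator` interface, the class name, the TTL and the sample ticket strings are hypothetical stand-ins; the real validator would call the CAS server's proxy validation.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: cache-first validation of one-time CAS proxy tickets for stateless calls. */
public class StatelessTicketCache {
    /** Hypothetical stand-in for the round trip to the CAS server. */
    public interface CasValidator {
        String validate(String ticket); // username on success, null if CAS rejects the ticket
    }

    private static final class Entry {
        final String user; final long expiresAt;
        Entry(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final CasValidator cas;
    private final long ttlMillis;

    public StatelessTicketCache(CasValidator cas, long ttlMillis) {
        this.cas = cas; this.ttlMillis = ttlMillis;
    }

    /** Returns the authenticated username for the ticket, or null if it is not valid. */
    public String authenticate(String ticket, long now) {
        if (ticket == null || ticket.isEmpty()) return null;
        Entry e = cache.get(ticket);
        if (e != null) {
            if (now < e.expiresAt) return e.user;  // cache hit: no CAS round trip
            cache.remove(ticket, e);               // expired: drop the entry and reject
            return null;
        }
        String user = cas.validate(ticket);        // first sight: CAS consumes the ticket here
        if (user == null) return null;             // rejected tickets are never cached
        cache.putIfAbsent(ticket, new Entry(user, now + ttlMillis));
        return user;
    }

    public static void main(String[] args) {
        // Constructed sample: a fake CAS that accepts "PT-1-constructed" exactly once.
        final int[] calls = {0};
        CasValidator fake = t -> "PT-1-constructed".equals(t) && calls[0]++ == 0 ? "eric" : null;
        StatelessTicketCache c = new StatelessTicketCache(fake, 1000);
        System.out.println(c.authenticate("PT-1-constructed", 0));    // validated against CAS
        System.out.println(c.authenticate("PT-1-constructed", 500));  // served from the cache
        System.out.println(c.authenticate("PT-1-constructed", 1500)); // cache entry expired
        System.out.println(c.authenticate("PT-bogus", 0));            // unknown to CAS
    }
}
```

While an entry is cached, the ticket behaves as a bearer credential for the whole TTL, so the TTL should be short and the calls should travel over TLS. Entries here are only evicted when looked up again; a long-running service also needs periodic cleanup of expired entries.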
