Eric,

Can you explain your situation in a bit more detail? That is, how many
and what kind of applications are we talking about? And how does CAS fit
in?

The value that CAS provides is to prevent the user from needing to log
in multiple times. But it still assumes that a user will log in at some
point. How does a user log into your application(s)?

Maybe a short workflow describing how you would like to see it work?

Bill



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Eric Miles
Sent: Tuesday, October 02, 2007 12:32 PM
To: [email protected]
Subject: Re: Headless CAS?

Bill,

I've looked over the proxy walkthrough, other proxy docs, etc. and I have
an understanding of how the proxy mechanism works.  However, I still do
not see how the client can be authenticated without physically going to
the CAS login page and getting a ticket.  This is impossible as our
clients do not have the ability to browse to a URL.  Is it possible for
the proxy server to make this ticket generating request on behalf of the
client?  It would seem as though CAS would have an RPC mechanism for
authentication, ticket generation purposes, etc.

Thanks again for any feedback.

Eric

Bill Bailey wrote:
> Eric,
> 
> I am currently using CAS with web services (Spring Web Services to be
> exact but I think the concepts apply for other frameworks as well even
> though you might need to do a bit more work). You can get a proxy
> ticket that is used to authenticate with the web services, but the
> application obtaining the proxy has to have been authenticated by CAS
> and possess a proxy granting ticket.
> 
> You don't have to use a JSP, but you have to obtain credentials from
> the user somehow, right? How do you obtain the credentials
> (username/password) you will use to authenticate? If you are not
> obtaining credentials from a user (e.g. a middle-tier application that
> always logs in with some fixed username and password) then I question
> the value of using CAS.
> 
> In my case, my applications are rich (Flex) clients. When the end user
> is authenticated in any of these applications, they request a proxy
> granting ticket and then obtain a proxy ticket specifically for the
> web services.
> 
> The proxy ticket is embedded in a hidden field in the resulting web
> page and the Flex client retrieves the proxy ticket from the hidden
> field and uses it in calls to the web services (using WS-Security
> UsernameToken).
> 
> The other issue you have to contend with is that CAS tickets are
> one-time usage tickets. Since you don't want to authenticate all over
> again for each web services call AND since web services are stateless,
> you need to cache valid tickets and compare new tickets to the cache
> first before going to CAS. Spring Web Services with ACEGI handles this
> for you by allowing the username to be _cas_stateless_ in which case
> ACEGI checks the cache for a matching ticket first and only validates
> it against CAS if not found. For other web services frameworks, I
> suspect you might have to implement this particular behavior yourself.
> 
> Hope this helps some.
> 
> Bill
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Eric Miles
> Sent: Thursday, September 27, 2007 3:23 PM
> To: [email protected]
> Subject: Headless CAS?
> 
> Can CAS act as a headless authentication mechanism?  I'd like to use
> CAS for authenticating web service calls (which are stateless and
> headless).  I currently have CAS all wired up with my web application
> so I understand how that works (it works great).  However, I am failing
> to see how I could CASify my web services.  Is it possible to create a
> CAS Ticket via an API as there is no way for these clients to go to a
> UI and "login"?  I see numerous "Java Client" examples that show how to
> validate a ticket once in hand, but I see no examples of how to get the
> ticket itself (without logging in through a JSP page).
> 
> Thanks,
> Eric
> 
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
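
The cache-then-validate behaviour Bill describes for one-time tickets, as an added example that is not part of the original thread and is not Acegi's implementation. `validate_with_cas` is a hypothetical callable standing in for the real CAS validation request; the TTL and entry limit are assumed values.

```python
import hashlib
import time
from typing import Callable, Optional


class StatelessTicketCache:
    """Validate a CAS ticket once, then answer repeat calls from a TTL cache."""

    def __init__(self, validate_with_cas: Callable[[str, str], Optional[str]],
                 ttl_seconds: float = 300.0, max_entries: int = 10000,
                 clock: Callable[[], float] = time.monotonic):
        self._validate = validate_with_cas   # hypothetical: returns username or None
        self._ttl = ttl_seconds              # assumed lifetime of a cached ticket
        self._max = max_entries
        self._clock = clock
        self._entries = {}                   # key -> (username, expires_at)

    @staticmethod
    def _key(ticket: str, service: str) -> str:
        # Store a digest rather than the ticket, and bind the entry to the
        # service so a ticket issued for one service cannot hit another's entry.
        return hashlib.sha256(f"{service}\0{ticket}".encode()).hexdigest()

    def authenticate(self, ticket: str, service: str) -> Optional[str]:
        now = self._clock()
        key = self._key(ticket, service)
        hit = self._entries.get(key)
        if hit is not None:
            username, expires_at = hit
            if now < expires_at:
                return username              # cache hit: no round trip to CAS
            del self._entries[key]           # expired, and CAS already consumed it
            return None
        username = self._validate(ticket, service)   # uses up the one-time ticket
        if username is None:
            return None                      # failed validations are never cached
        if len(self._entries) >= self._max:
            self._evict(now)
        self._entries[key] = (username, now + self._ttl)
        return username

    def _evict(self, now: float) -> None:
        # Drop expired entries; if still full, drop the one closest to expiry.
        self._entries = {k: v for k, v in self._entries.items() if v[1] > now}
        if len(self._entries) >= self._max:
            del self._entries[min(self._entries, key=lambda k: self._entries[k][1])]
```

The cache lifetime bounds how long a captured ticket stays replayable against the web service, so it should be no longer than the session the ticket represents.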