Re: [cas-user] Can application get TGT ticket?

[Yan Zhou]

Thanks for the suggestions.

Going with my scenario, first, user logins to A via CAS, then, AngularJS
calls B.  There is no session for B, so the REST call returns 401, however,
we should not be asking user to login again, since he already logged into
A.  A and B are SSO via CAS.

What we need to do is to get CAS login flow to work in Ajax just as it is
in browser.

The issue with redirect you provided is when B session expires. A won't
know, thus, there is not a way to repeat the redirect trick. Further, we
likely will have B, C, E all as REST services backend, that gets a little
hard to manage.

Thanks,
Yan

On Thu, Nov 3, 2016 at 12:02 PM, Pascal Rigaux  wrote:

> On 02/11/2016 21:12, Yan Zhou wrote:
>
> Can you elaborate on JSONP?
>>
> > Would app. B now have to know user's password?
>
> No need.
> JSONP is pre-CORS. It has some limitations compared to Ajax, but some
> useful possibilities, like auto CAS login.
> Here is an example of adding auto login in angularJS:
> https://github.com/prigaux/angular-seed/commit/4d51d23280eb9
> 59a3d1773b2fcc69c4cf50ccd88
>
> By the way, another simpler solution is to allow restricted redirect after
> login in app B.
> Make the user go to:
> - https://b/login?redirect=https://a/
>   which redirects to (normal CAS login)
> - https://cas/login?service= https://b/login?redirect=https://a/
>   which redirects to
> - https://b/login?redirect=https://a/&ticket=
>   => set-cookie of application b
>   which redirects to
> - https://a
>   this app can do AJAX request https://b/rest
>   => works since cookie of app B
>
> cu
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/M
> ailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> --- You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/ap
> ereo.org/d/msgid/cas-user/9fb6de0f-4362-e621-cad3-ba50c19a22
> 77%40univ-paris1.fr.
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFSoZemQzePzJE861k%3DDN3VTOXF-BHg0Y2epCDsbJTVS5AJtTQ%40mail.gmail.com.

Re: [cas-user] Can application get TGT ticket?

[Pascal Rigaux]

On 02/11/2016 21:12, Yan Zhou wrote:


Can you elaborate on JSONP?

> Would app. B now have to know user's password?

No need.
JSONP is pre-CORS. It has some limitations compared to Ajax, but some useful 
possibilities, like auto CAS login.
Here is an example of adding auto login in angularJS:
https://github.com/prigaux/angular-seed/commit/4d51d23280eb959a3d1773b2fcc69c4cf50ccd88

By the way, another simpler solution is to allow restricted redirect after 
login in app B.
Make the user go to:
- https://b/login?redirect=https://a/
  which redirects to (normal CAS login)
- https://cas/login?service= https://b/login?redirect=https://a/
  which redirects to
- https://b/login?redirect=https://a/&ticket=
  => set-cookie of application b
  which redirects to
- https://a
  this app can do AJAX request https://b/rest
  => works since cookie of app B

cu

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9fb6de0f-4362-e621-cad3-ba50c19a2277%40univ-paris1.fr.

Re: [cas-user] Can application get TGT ticket?

[Dmitriy Kopylenko]

Just to be clear - CAS protocol was never designed to work with Ajax and REST 
resources (non-interactive service-to-service)

Best,
D.
--

> On Thursday, Nov 03, 2016 at 11:10 AM, Yan Zhou  (mailto:yanand...@gmail.com)> wrote:
> Hello,
>
> The basic problem is that CAS login flow works in browser. However, because 
> of the series of redirect involved, CAS login flow does not seem to work in 
> Ajax.
>
> This is my set-up: App A has UI with AngularJS and backend, App B has NO UI 
> and it offers REST services including Credit card services. Both are casified 
> and we have total control. We are trying to use CAS to protect REST services 
> in B.
>
> App B must be deployed in a PCI environment, but App A does not. If App A was 
> going to talk to or proxy App B, that is not allowed by PCI standards, 
> because A would see credit card info. passing along to B, but A is not 
> deployed in PCI environment.
>
> The idea is for UI (AngularJS) to talk to App B directly, so that there is 
> not anything else between user and PCI environment. I am making the point 
> that Proxy Authentication is not a solution here.
>
> Here is what I am trying to do: user from Internet first login to CAS and 
> goes to App A's UI. From there, javascript makes Ajax call to App B's REST 
> service. This results in a series of redirect before an application session 
> in B is established and REST call can proceed. In Ajax, it is failing.
>
> Thanks,
> Yan
>
>
> On Wed, Nov 2, 2016 at 5:42 PM, Ray Bon mailto:r...@uvic.ca)> 
> wrote:
> > Yan,
> >
> > If I understand correctly, you have deployed App A and App B. You are not 
> > able nor willing to change CAS config on App B because it breaches PCI 
> > compliance.
> > It seems odd that PCI compliance would allow any user access but not allow 
> > a proxy.
> > Did you create app A or are both apps from third party vendors?
> >
> > If app B needs to know the user that is sending the request, then you will 
> > have to use clearpass, 
> > https://apereo.github.io/cas/4.0.x/integration/ClearPass.html.
> > If app B only needs to have an authenticated user, then perhaps App A can 
> > perform the log in on behalf of all users. The Ajax calls would go from App 
> > A UI to App A service that makes the REST calls.
> >
> > What do the creators of App B suggest for authentication?
> >
> > Ray
> >
> >
> > On 2016-11-02 13:12, Yan Zhou wrote:
> > > thanks for the feedback.
> > >
> > > Unfortunately, we cannot use Proxy Authentication, due to PCI 
> > > implication. A non PCI-compliant App proxy a PCI (credit card) service, 
> > > that would not be allowed by PCI standards.
> > >
> > > The reason we run into problem with CAS protected REST services (App B, 
> > > no UI), is that Ajax somehow does not handle redirect (even after I 
> > > enable CORS). Browser does it fine, but fails when Ajax tries to access 
> > > the REST endpoint without an application session in place, thus triggers 
> > > CAS login flow with all the redirect.
> > >
> > > I do not see how OAuth solve that problem. Does that requires a Login 
> > > page UI to redirect to and back, would not that run into the same problem 
> > > with Ajax?
> > >
> > > Can you elaborate on JSONP? Would app. B now have to know user's 
> > > password? CAS is nice because the application does not see user's 
> > > password, only CAS server does.
> > >
> > > Thx,
> > > Yan
> > >
> > > On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux 
> > > mailto:pascal.rig...@univ-paris1.fr)> 
> > > wrote:
> > > > Hi,
> > > >
> > > > Solutions:
> > > > - proxy CAS: As the proxy ticket can only be validated once, you will 
> > > > need to cache the ticket, or create your own session
> > > > - JWT: create a JWT and check it on app B.
> > > > - oauth
> > > > - JSONP login on app B. We are using this quite a lot. Simple and works 
> > > > great.
> > > > Commits implementing this on angular-seed : 
> > > > https://github.com/prigaux/angular-seed/commits/master
> > > > and especially the first one: 
> > > > https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
> > > > I wrote some doc on this, alas in french: 
> > > > http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
> > > >
> > > > Happy CAS,
> > > > cu
> > > >
> > > > On 01/11/2016 20:22, Yan Zhou wrote:
> > > > > Hello,
> > > > >
> > > > > CAS protocol does not let the apps (CAS client) get TGT ticket. We 
> > > > > have a need for that.
> > > > >
> > > > > We have two web apps, both are casified in CAS 4.1.X. One web app has 
> > > > > AngularJS (Javascript) front end, and, the other webapp is UI-Less, 
> > > > > it just offers REST services.
> > > > >
> > > > > Javascript code in App A wants to call REST API in App B. We run into 
> > > > > problem with CORS, etc. But, even after CORS are enabled, still run 
> > > > > into trouble.
> > > > >
> > > > > So, the thought is, if Javascript code can get hold of TGT after user 
> > > > > login to the app. A, then, JS cod

Re: [cas-user] Can application get TGT ticket?

[Yan Zhou]

Hello,

The basic problem is that CAS login flow works in browser. However, because
of the series of redirect involved, CAS login flow does not seem to work in
Ajax.

This is my set-up:  App A has UI with AngularJS and backend,  App B has NO
UI and it offers REST services including Credit card services. Both are
casified and we have total control.  We are trying to use CAS to protect
REST services in B.

App B must be deployed in a PCI environment, but App A does not. If App A
was going to talk to or proxy App B, that is not allowed by PCI standards,
because A would see credit card info. passing along to B, but A is not
deployed in PCI environment.

The idea is for UI (AngularJS) to talk to App B directly, so that there is
not anything else between user and PCI environment. I am making the point
that Proxy Authentication is not a solution here.

Here is what I am trying to do: user from Internet first login to CAS and
goes to App A's UI.  From there, javascript makes Ajax call to App B's REST
service.  This results in a series of redirect before an application
session in B is established and REST call can proceed. In Ajax, it is
failing.

Thanks,
Yan


On Wed, Nov 2, 2016 at 5:42 PM, Ray Bon  wrote:

> Yan,
>
> If I understand correctly, you have deployed App A and App B. You are not
> able nor willing to change CAS config on App B because it breaches PCI
> compliance.
> It seems odd that PCI compliance would allow any user access but not allow
> a proxy.
> Did you create app A or are both apps from third party vendors?
>
> If app B needs to know the user that is sending the request, then you will
> have to use clearpass, https://apereo.github.io/cas/
> 4.0.x/integration/ClearPass.html.
> If app B only needs to have an authenticated user, then perhaps App A can
> perform the log in on behalf of all users. The Ajax calls would go from App
> A UI to App A service that makes the REST calls.
>
> What do the creators of App B suggest for authentication?
>
> Ray
>
>
> On 2016-11-02 13:12, Yan Zhou wrote:
>
> thanks for the feedback.
>
> Unfortunately, we cannot use Proxy Authentication, due to PCI implication.
> A non PCI-compliant App proxy a PCI (credit card) service, that would not
> be allowed by PCI standards.
>
> The reason we run into problem with CAS protected REST services (App B, no
> UI), is that Ajax somehow does not handle redirect (even after I enable
> CORS). Browser does it fine, but fails when Ajax tries to access the REST
> endpoint without an application session in place, thus triggers CAS login
> flow with all the redirect.
>
> I do not see how OAuth solve that problem. Does that requires a Login page
> UI to redirect to and back, would not that run into the same problem with
> Ajax?
>
> Can you elaborate on JSONP? Would app. B now have to know user's
> password?  CAS is nice because the application does not see user's
> password, only CAS server does.
>
> Thx,
> Yan
>
> On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux <
> pascal.rig...@univ-paris1.fr> wrote:
>
>> Hi,
>>
>> Solutions:
>> - proxy CAS: As the proxy ticket can only be validated once, you will
>> need to cache the ticket, or create your own session
>> - JWT: create a JWT and check it on app B.
>> - oauth
>> - JSONP login on app B. We are using this quite a lot. Simple and works
>> great.
>>   Commits implementing this on angular-seed :
>> https://github.com/prigaux/angular-seed/commits/master
>>   and especially the first one: https://github.com/prigaux/ang
>> ular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
>>   I wrote some doc on this, alas in french:
>> http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
>>
>> Happy CAS,
>> cu
>>
>> On 01/11/2016 20:22, Yan Zhou wrote:
>>
>>> Hello,
>>>
>>> CAS protocol does not let the apps (CAS client) get TGT ticket. We have
>>> a need for that.
>>>
>>> We have two web apps, both are casified in CAS 4.1.X. One web app has
>>> AngularJS (Javascript) front end, and, the other webapp is UI-Less, it just
>>> offers REST services.
>>>
>>> Javascript code in App A wants to call REST API in App B.  We run into
>>> problem with CORS, etc. But, even after CORS are enabled, still run into
>>> trouble.
>>>
>>> So, the thought is, if Javascript code can get hold of TGT after user
>>> login to the app. A, then, JS code call use CAS REST API to authenticate
>>> against the 2nd app (the UI-less REST Services).
>>>
>>> Is that a bad idea, and how is that possible?
>>>
>>> Yan
>>>
>>> --
>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>> - CAS mailing list guidelines: https://apereo.github.io/cas/M
>>> ailing-Lists.html
>>> - CAS documentation website: https://apereo.github.io/cas
>>> - CAS project website: https://github.com/apereo/cas
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org >

Re: [cas-user] Can application get TGT ticket?

[Ray Bon]

Yan,

If I understand correctly, you have deployed App A and App B. You are
not able nor willing to change CAS config on App B because it breaches
PCI compliance.
It seems odd that PCI compliance would allow any user access but not
allow a proxy.
Did you create app A or are both apps from third party vendors?

If app B needs to know the user that is sending the request, then you
will have to use clearpass,
https://apereo.github.io/cas/4.0.x/integration/ClearPass.html.
If app B only needs to have an authenticated user, then perhaps App A
can perform the log in on behalf of all users. The Ajax calls would go
from App A UI to App A service that makes the REST calls.

What do the creators of App B suggest for authentication?

Ray

On 2016-11-02 13:12, Yan Zhou wrote:
> thanks for the feedback.
>
> Unfortunately, we cannot use Proxy Authentication, due to PCI
> implication. A non PCI-compliant App proxy a PCI (credit card)
> service, that would not be allowed by PCI standards.
>
> The reason we run into problem with CAS protected REST services (App
> B, no UI), is that Ajax somehow does not handle redirect (even after I
> enable CORS). Browser does it fine, but fails when Ajax tries to
> access the REST endpoint without an application session in place, thus
> triggers CAS login flow with all the redirect.
>
> I do not see how OAuth solve that problem. Does that requires a Login
> page UI to redirect to and back, would not that run into the same
> problem with Ajax?
>
> Can you elaborate on JSONP? Would app. B now have to know user's
> password?  CAS is nice because the application does not see user's
> password, only CAS server does.
>
> Thx,
> Yan
>
> On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux
> mailto:pascal.rig...@univ-paris1.fr>>
> wrote:
>
> Hi,
>
> Solutions:
> - proxy CAS: As the proxy ticket can only be validated once, you
> will need to cache the ticket, or create your own session
> - JWT: create a JWT and check it on app B.
> - oauth
> - JSONP login on app B. We are using this quite a lot. Simple and
> works great.
>   Commits implementing this on angular-seed :
> https://github.com/prigaux/angular-seed/commits/master
> 
>   and especially the first one:
> 
> https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
> 
> 
>   I wrote some doc on this, alas in french:
> http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
> 
> 
>
> Happy CAS,
> cu
>
> On 01/11/2016 20:22, Yan Zhou wrote:
>
> Hello,
>
> CAS protocol does not let the apps (CAS client) get TGT
> ticket. We have a need for that.
>
> We have two web apps, both are casified in CAS 4.1.X. One web
> app has AngularJS (Javascript) front end, and, the other
> webapp is UI-Less, it just offers REST services.
>
> Javascript code in App A wants to call REST API in App B.  We
> run into problem with CORS, etc. But, even after CORS are
> enabled, still run into trouble.
>
> So, the thought is, if Javascript code can get hold of TGT
> after user login to the app. A, then, JS code call use CAS
> REST API to authenticate against the 2nd app (the UI-less REST
> Services).
>
> Is that a bad idea, and how is that possible?
>
> Yan
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines:
> https://apereo.github.io/cas/Mailing-Lists.html
> 
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the
> Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from
> it, send an email to cas-user+unsubscr...@apereo.org
> 
>  >.
> To view this discussion on the web visit
> 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org
> 
> 
> 
>  
> 

Re: [cas-user] Can application get TGT ticket?

[Yan Zhou]

thanks for the feedback.

Unfortunately, we cannot use Proxy Authentication, due to PCI implication.
A non PCI-compliant App proxy a PCI (credit card) service, that would not
be allowed by PCI standards.

The reason we run into problem with CAS protected REST services (App B, no
UI), is that Ajax somehow does not handle redirect (even after I enable
CORS). Browser does it fine, but fails when Ajax tries to access the REST
endpoint without an application session in place, thus triggers CAS login
flow with all the redirect.

I do not see how OAuth solve that problem. Does that requires a Login page
UI to redirect to and back, would not that run into the same problem with
Ajax?

Can you elaborate on JSONP? Would app. B now have to know user's password?
CAS is nice because the application does not see user's password, only CAS
server does.

Thx,
Yan

On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux 
wrote:

> Hi,
>
> Solutions:
> - proxy CAS: As the proxy ticket can only be validated once, you will need
> to cache the ticket, or create your own session
> - JWT: create a JWT and check it on app B.
> - oauth
> - JSONP login on app B. We are using this quite a lot. Simple and works
> great.
>   Commits implementing this on angular-seed :
> https://github.com/prigaux/angular-seed/commits/master
>   and especially the first one: https://github.com/prigaux/ang
> ular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
>   I wrote some doc on this, alas in french: http://prigaux.github.io/prese
> ntation-web-widgets-cas-jsonp/index.html#/7
>
> Happy CAS,
> cu
>
> On 01/11/2016 20:22, Yan Zhou wrote:
>
>> Hello,
>>
>> CAS protocol does not let the apps (CAS client) get TGT ticket. We have a
>> need for that.
>>
>> We have two web apps, both are casified in CAS 4.1.X. One web app has
>> AngularJS (Javascript) front end, and, the other webapp is UI-Less, it just
>> offers REST services.
>>
>> Javascript code in App A wants to call REST API in App B.  We run into
>> problem with CORS, etc. But, even after CORS are enabled, still run into
>> trouble.
>>
>> So, the thought is, if Javascript code can get hold of TGT after user
>> login to the app. A, then, JS code call use CAS REST API to authenticate
>> against the 2nd app (the UI-less REST Services).
>>
>> Is that a bad idea, and how is that possible?
>>
>> Yan
>>
>> --
>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>> - CAS mailing list guidelines: https://apereo.github.io/cas/M
>> ailing-Lists.html
>> - CAS documentation website: https://apereo.github.io/cas
>> - CAS project website: https://github.com/apereo/cas
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org > pereo.org>.
>> To view this discussion on the web visit https://groups.google.com/a/ap
>> ereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c87694
>> 97%40apereo.org > pereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769
>> 497%40apereo.org?utm_medium=email&utm_source=footer>.
>>
>
>
> --
> Pascal Rigaux
>
> Expert en développement et déploiement d'applications
> DSIUN-SAS (service applications et services numériques)
> Université Paris 1 Panthéon-Sorbonne  -  Centre Pierre Mendès France (PMF)
> B 402 - 90, rue de Tolbiac -  75634 PARIS CEDEX 13 - FRANCE
> Tél : 01 44 07 86 59
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/M
> ailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> --- You received this message because you are subscribed to the Google
> Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/ap
> ereo.org/d/msgid/cas-user/ea50cbeb-3a79-ddc2-5865-f1aa0bfdd0
> 40%40univ-paris1.fr.
>

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFSoZekksrQ%2BSMuPcRfVRJ14iJe4sYP29rx%3D3fK49AT-6SH-CQ%40mail.gmail.com.

Re: [cas-user] Can application get TGT ticket?

[Pascal Rigaux]

Hi,

Solutions:
- proxy CAS: As the proxy ticket can only be validated once, you will need to 
cache the ticket, or create your own session
- JWT: create a JWT and check it on app B.
- oauth
- JSONP login on app B. We are using this quite a lot. Simple and works great.
  Commits implementing this on angular-seed : 
https://github.com/prigaux/angular-seed/commits/master
  and especially the first one: 
https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
  I wrote some doc on this, alas in french: 
http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7

Happy CAS,
cu

On 01/11/2016 20:22, Yan Zhou wrote:

Hello,

CAS protocol does not let the apps (CAS client) get TGT ticket. We have a need 
for that.

We have two web apps, both are casified in CAS 4.1.X. One web app has AngularJS 
(Javascript) front end, and, the other webapp is UI-Less, it just offers REST 
services.

Javascript code in App A wants to call REST API in App B.  We run into problem 
with CORS, etc. But, even after CORS are enabled, still run into trouble.

So, the thought is, if Javascript code can get hold of TGT after user login to 
the app. A, then, JS code call use CAS REST API to authenticate against the 2nd 
app (the UI-less REST Services).

Is that a bad idea, and how is that possible?

Yan

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to 
cas-user+unsubscr...@apereo.org .
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org
 
.



--
Pascal Rigaux

Expert en développement et déploiement d'applications
DSIUN-SAS (service applications et services numériques)
Université Paris 1 Panthéon-Sorbonne  -  Centre Pierre Mendès France (PMF)
B 402 - 90, rue de Tolbiac -  75634 PARIS CEDEX 13 - FRANCE
Tél : 01 44 07 86 59

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ea50cbeb-3a79-ddc2-5865-f1aa0bfdd040%40univ-paris1.fr.

Re: [cas-user] Can application get TGT ticket?

[William G. Thompson, Jr.]

You should take a look at Proxy Granting Tickets, which allow an
application to securely call another app on behalf of a user.

http://stackoverflow.com/questions/6368358/restful-cas-client-and-proxy-granting-tickets
https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough

Best,
Bill


On Tue, Nov 1, 2016 at 3:22 PM, Yan Zhou  wrote:
> Hello,
>
> CAS protocol does not let the apps (CAS client) get TGT ticket. We have a
> need for that.
>
> We have two web apps, both are casified in CAS 4.1.X. One web app has
> AngularJS (Javascript) front end, and, the other webapp is UI-Less, it just
> offers REST services.
>
> Javascript code in App A wants to call REST API in App B.  We run into
> problem with CORS, etc. But, even after CORS are enabled, still run into
> trouble.
>
> So, the thought is, if Javascript code can get hold of TGT after user login
> to the app. A, then, JS code call use CAS REST API to authenticate against
> the 2nd app (the UI-less REST Services).
>
> Is that a bad idea, and how is that possible?
>
> Yan
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines:
> https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org.

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAPpkTuGP3z3M7uQGRsOqni%2BSG0AeZHRwHrM9CY8XJWcVeTUQwQ%40mail.gmail.com.

RE: [cas-user] Can application get TGT ticket?

[Carlos M. Fernández]

The application should never have the TGT – that opens up a big security 
vulnerability.



Instead you should look into using Proxy CAS, with which a service can 
transmit identity to another service.



https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough



Best regards,

-- 

Carlos.

From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Yan Zhou
Sent: Tuesday, 01 November, 2016 15:22
To: CAS Community
Subject: [cas-user] Can application get TGT ticket?



Hello,



CAS protocol does not let the apps (CAS client) get TGT ticket. We have a 
need for that.



We have two web apps, both are casified in CAS 4.1.X. One web app has 
AngularJS (Javascript) front end, and, the other webapp is UI-Less, it just 
offers REST services.



Javascript code in App A wants to call REST API in App B.  We run into 
problem with CORS, etc. But, even after CORS are enabled, still run into 
trouble.



So, the thought is, if Javascript code can get hold of TGT after user login 
to the app. A, then, JS code call use CAS REST API to authenticate against 
the 2nd app (the UI-less REST Services).



Is that a bad idea, and how is that possible?



Yan

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: 
https://apereo.github.io/cas/Mailing-Lists.html 
<http://spamburger.sju.edu/canit/urlproxy.php?_q=aHR0cHM6Ly9hcGVyZW8uZ2l0aHViLmlvL2Nhcy9NYWlsaW5nLUxpc3RzLmh0bWw%3D>
- CAS documentation website: https://apereo.github.io/cas 
<http://spamburger.sju.edu/canit/urlproxy.php?_q=aHR0cHM6Ly9hcGVyZW8uZ2l0aHViLmlvL2Nhcw%3D%3D>
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups 
"CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org
 
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org?utm_medium=email&utm_source=footer>
 
.

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/015e01d23478%2478465200%2468d2f600%24%40sju.edu.

[cas-user] Can application get TGT ticket?

[Yan Zhou]

Hello, 

CAS protocol does not let the apps (CAS client) get TGT ticket. We have a 
need for that.

We have two web apps, both are casified in CAS 4.1.X. One web app has 
AngularJS (Javascript) front end, and, the other webapp is UI-Less, it just 
offers REST services. 

Javascript code in App A wants to call REST API in App B.  We run into 
problem with CORS, etc. But, even after CORS are enabled, still run into 
trouble.

So, the thought is, if Javascript code can get hold of TGT after user login 
to the app. A, then, JS code call use CAS REST API to authenticate against 
the 2nd app (the UI-less REST Services). 

Is that a bad idea, and how is that possible?

Yan

-- 
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org.