[cas-user] need some design inputs

2015-11-11 Thread Mahantesh Prasad Katti
Hi All,

I am working on an application that runs on glassfish. There are some web 
services exposed on this application. These are accessed using basic HTTP 
authentication by external applications. Recently this app [that runs on 
glassfish] was casified. This meant that the external applications cannot 
access the application by providing the http basic auth as they used to do 
earlier.  [They do not want to get CAS tokens and supply them while invoking 
the services].

The requirement is to retain previous auth model for external applications 
while having the CASification in place. We are using JSR-196 for the 
CASification. I wanted to know if this is really possible. JEE only allows us 
to have one active realm at any point in time. Is it possible to have a filter 
layer before JASPIC which based on the user agent header will determine if the 
request needs to be authenticated with http basic method? If so it will fire a 
request to CAS and get the token and redirect to the service being invoked.

I can provide more details in case I was not able to explain the scenario 
properly.

Regards
Prasad

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


RE: [cas-user] CAS for SAAS applications

2015-10-06 Thread Mahantesh Prasad Katti
Thanks. Can you please provide the link to the issue being tracked? Also this 
run time decision of whether I want to go to CAS A / CAS B, is done by the CAS 
client right? So if I read what you said correctly, release 4.2 clients will be 
built for such a scenario?

Regards
Prasad,

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Wednesday, September 30, 2015 11:30 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS for SAAS applications

If you are saying "Customer X needs to go to CAS A, while Customer Y needs to 
go to CAS B", that's something you have to take up with the SAAS application.

However, there are no multi-tenant CAS deployments that I am aware of [1]. 
Sounds like a pretty good use case for docker.

[1] There is an issue tracking this feature, and might get resolved for 4.2.

From: Mahantesh Prasad Katti [mailto:mahantesh.ka...@indecomm.net]
Sent: Tuesday, September 29, 2015 9:48 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS for SAAS applications

Hi All,

I am exploring the option of enabling CAS for SAAS applications. Is there an 
option to specify multiple redirect URLs [to CAS servers] in the SAAS 
application based on customer profiles? How do CAS/J2EE servers enable this? 
Have you solved this problem before?  If so I would appreciate some pointers on 
the same. The customers are enterprise users that belong to a particular 
organization.


Regards
Prasad





[cas-user] need info on cas validate api response extraction

2015-09-29 Thread Mahantesh Prasad Katti
Hi All,

I am writing an interceptor that essentially calls the validate api of CAS 
[https:///cas/serviceValidate?service=xys=ST-xyz]. I am able 
to successfully do this from POSTMAN. However, I need some sample code that 
will extract the result of this call, most notably the "user". The following is 
the validation response:



   XYZ





Is there a quick and easy way to extract the CAS user programmatically [apart 
from me parsing the XML using SAX/DOM parsers]?

Regards
Prasad



RE: [cas-user] need info on cas validate api response extraction

2015-09-29 Thread Mahantesh Prasad Katti
Yes. I am coding in Java. I have the Java CAS client. Not sure which 
interfaces I need to use.

-Prasad

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Tuesday, September 29, 2015 3:32 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] need info on cas validate api response extraction

An "interceptor" in what programming language? If you are writing things in 
Java, there is the Java CAS client that is able to parse the response. Most 
other clients do as well.

From: Mahantesh Prasad Katti [mailto:mahantesh.ka...@indecomm.net]
Sent: Tuesday, September 29, 2015 2:57 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] need info on cas validate api response extraction

Hi All,

I am writing an interceptor that essentially calls the validate api of CAS 
[https:///cas/serviceValidate?service=xys=ST-xyz]. I am able 
to successfully do this from POSTMAN. However, I need some sample code that 
will extract the result of this call, most notably the "user". The following is 
the validation response:



   XYZ





Is there a quick and easy way to extract the CAS user programmatically [apart 
from me parsing the XML using SAX/DOM parsers]?

Regards
Prasad
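
The extraction asked about in this thread, as an added example that is not from any poster or from the CAS project: a DOM parse of a CAS 2.0 `serviceValidate` response that returns the user only for an `authenticationSuccess`, with DOCTYPEs rejected because the XML arrives over the network. The class name, method names and sample responses are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class CasValidationResponse {
    // XML namespace of CAS 2.0 serviceValidate responses.
    static final String CAS_NS = "http://www.yale.edu/tp/cas";

    /** Returns the first direct child element {CAS_NS}localName, or null. */
    static Element child(Element parent, String localName) {
        for (Node n = parent.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && CAS_NS.equals(n.getNamespaceURI())
                    && localName.equals(n.getLocalName())) {
                return (Element) n;
            }
        }
        return null;
    }

    /** Returns the user from an authenticationSuccess response, empty for anything else. */
    static Optional<String> extractUser(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject DOCTYPEs so external entities (XXE) cannot be smuggled into the response.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Element root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
        if (!CAS_NS.equals(root.getNamespaceURI()) || !"serviceResponse".equals(root.getLocalName())) {
            throw new IllegalArgumentException("not a CAS serviceResponse");
        }
        // Only direct children count, so a nested element named "user" elsewhere is ignored.
        Element success = child(root, "authenticationSuccess");
        Element user = success == null ? null : child(success, "user");
        if (user == null || user.getTextContent().trim().isEmpty()) {
            return Optional.empty();   // authenticationFailure or malformed: not authenticated
        }
        return Optional.of(user.getTextContent().trim());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses in the CAS 2.0 format; "XYZ" is the user named in the post.
        String ok = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
                + "<cas:authenticationSuccess><cas:user>XYZ</cas:user></cas:authenticationSuccess>"
                + "</cas:serviceResponse>";
        String failed = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
                + "<cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-xyz not recognized"
                + "</cas:authenticationFailure></cas:serviceResponse>";
        String withDoctype = "<!DOCTYPE r [<!ENTITY e 'x'>]>" + ok;

        System.out.println("success:  " + extractUser(ok));
        System.out.println("failure:  " + extractUser(failed));
        try {
            extractUser(withDoctype);
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("rejected: response containing a DOCTYPE");
        }
    }
}
```

With the Java CAS client on the classpath, `Cas20ServiceTicketValidator.validate(ticket, service)` makes the HTTP call and does this parsing itself, returning an `Assertion` whose principal name is the user.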





[cas-user] CAS for SAAS applications

2015-09-29 Thread Mahantesh Prasad Katti
Hi All,

I am exploring the option of enabling CAS for SAAS applications. Is there an 
option to specify multiple redirect URLs [to CAS servers] in the SAAS 
application based on customer profiles? How do CAS/J2EE servers enable this? 
Have you solved this problem before?  If so I would appreciate some pointers on 
the same. The customers are enterprise users that belong to a particular 
organization.


Regards
Prasad



RE: RE:[cas-user] problem with POST requests

2015-08-24 Thread Mahantesh Prasad Katti
Thanks. I will try to list the steps in our case. The following steps work fine 
for GET since it does not contain any “body”;


1. In our case, we are making a call to the CAS server to get a ST as 
the first step.

2. Attach the ST to the URL of the actual POST service. So essentially 
avoids the redirect 302 step.

3. Call the POST.

4. The SAM module of JASPIC validates the ST with CAS server.

5. The validation is successful. However, when the SAM module now tries 
to call the actual service, the POST data is lost.

6. The call fails.



The trick is to save and restore the POST payload. I am not a JASPIC expert. I 
am thinking it could probably help to have a session and associate the POST 
data with that session before the validation call.  Post validation, 
re-associate the post data with the actual request.



Hope I am making sense here. Any input is appreciated.



Regards

Prasad

From: Carl Waldbieser [mailto:cwaldbie...@gmail.com]
Sent: Saturday, August 22, 2015 4:13 AM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] problem with POST requests


In that email thread, the issue is that the browser initially has no session 
with the proxy protecting the resource.  When the proxy redirects the user to 
the CAS service using a GET, the initial POST data is lost.

If this is analogous to what is happening in the original poster's case, the 
way to get around it is to make 2 requests.  The first to a GETable resource.  
This establishes an authenticated session with the service by doing the CAS 
dance.  The second request would need to use the session cookie from the first 
request when it made the POST and CAS would get out of the way.

Strictly speaking, that is not a RESTful API.  It would make more sense for a 
RESTful API to hand out an access token in response to a GET for a valid CAS 
service ticket.  The access token could then be used to authenticate to the 
rest of the API without having to monkey around with cookies and sessions.

Thanks,
Carl Waldbieser
On Aug 21, 2015 6:03 PM, Andrew Morgan mor...@orst.edu wrote:
Have a look at this email thread:

  https://groups.google.com/forum/#!topic/jasig-cas-user/if0SQ0gUbp8

It's an old problem.

I'm not sure how CAS JASPIC works, but I've seen the Java cas client in action. 
 It seems to consume the ST, validate the ST, then redirect the client to the 
original resource.  Like this:

GET /foo?ST=12345
(processing happens to validate the ST)
RESPONSE: 302 REDIRECT /foo
GET /foo


When the redirect happens, the POST data is lost.

It might work if you switched from POST to GET.

You can read about some options and recommendations in the email thread above.

Andy

On Fri, 21 Aug 2015, Mahantesh Prasad Katti wrote:

Has anybody run into this problem? Do you think I need to explain this problem 
better or provide additional info?

Regards
Prasad

From: Mahantesh Prasad Katti
Sent: Friday, August 21, 2015 2:39 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] problem with POST requests

Hi ,

We have a casified java application. This application exposes a bunch of REST 
apis. When accessing POST APIs from another application by explicitly obtaining 
the service ticket and appending it to the target URL, the calls are failing. 
Apparently, after the ticket validation happens successfully, the POST body 
data gets lost and the service call fails because of that. Do we need to modify 
the server auth module to handle this scenario? Note that this happens for POST 
calls only. The get calls work just fine.

We are using the CAS JASPIC jar available from google groups. Any help is 
appreciated.

Regards
Prasad







RE: [cas-user] problem with POST requests

2015-08-24 Thread Mahantesh Prasad Katti
Thanks for the pointers. Finally what we did was invoke a GET service [which 
does not do any heavy duty work]. This sends back the session cookie in the 
response.  The POST call is then called by setting the JSESSIONID cookie in the 
request. This seems to work fine for now.

Regards,
Prasad

From: Dmitriy Kopylenko [mailto:dkopyle...@unicon.net]
Sent: Saturday, August 22, 2015 4:13 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] problem with POST requests

What CAS really needs is the true, stateless JWT implementation - that would 
solve the problem of authentication for RESTful resources once and for all, but 
that's a discussion for another day :-)

Cheers,
D.

Sent from my iPhone

On Aug 21, 2015, at 18:42, Carl Waldbieser cwaldbie...@gmail.com wrote:

In that email thread, the issue is that the browser initially has no session 
with the proxy protecting the resource.  When the proxy redirects the user to 
the CAS service using a GET, the initial POST data is lost.

If this is analogous to what is happening in the original poster's case, the 
way to get around it is to make 2 requests.  The first to a GETable resource.  
This establishes an authenticated session with the service by doing the CAS 
dance.  The second request would need to use the session cookie from the first 
request when it made the POST and CAS would get out of the way.

Strictly speaking, that is not a RESTful API.  It would make more sense for a 
RESTful API to hand out an access token in response to a GET for a valid CAS 
service ticket.  The access token could then be used to authenticate to the 
rest of the API without having to monkey around with cookies and sessions.

Thanks,
Carl Waldbieser
On Aug 21, 2015 6:03 PM, Andrew Morgan mor...@orst.edu wrote:
Have a look at this email thread:

  https://groups.google.com/forum/#!topic/jasig-cas-user/if0SQ0gUbp8

It's an old problem.

I'm not sure how CAS JASPIC works, but I've seen the Java cas client in action. 
 It seems to consume the ST, validate the ST, then redirect the client to the 
original resource.  Like this:

GET /foo?ST=12345
(processing happens to validate the ST)
RESPONSE: 302 REDIRECT /foo
GET /foo


When the redirect happens, the POST data is lost.

It might work if you switched from POST to GET.

You can read about some options and recommendations in the email thread above.

Andy

On Fri, 21 Aug 2015, Mahantesh Prasad Katti wrote:

Has anybody run into this problem? Do you think I need to explain this problem 
better or provide additional info?

Regards
Prasad

From: Mahantesh Prasad Katti
Sent: Friday, August 21, 2015 2:39 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] problem with POST requests

Hi ,

We have a casified java application. This application exposes a bunch of REST 
apis. When accessing POST APIs from another application by explicitly obtaining 
the service ticket and appending it to the target URL, the calls are failing. 
Apparently, after the ticket validation happens successfully, the POST body 
data gets lost and the service call fails because of that. Do we need to modify 
the server auth module to handle this scenario? Note that this happens for POST 
calls only. The get calls work just fine.

We are using the CAS JASPIC jar available from google groups. Any help is 
appreciated.

Regards
Prasad
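
The two-request workaround this thread settles on, as an added example that is not from any poster or from the CAS JASPIC module: a local stand-in service behaves as described above (a valid ticket creates a session and answers 302 to the clean URL), and the client first shows the POST being redirected, then does the GET-for-cookie followed by the POST with `JSESSIONID`. The `/api` path, ticket values and payload are constructed.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

public class SessionThenPost {
    // Constructed single-use service tickets and the sessions created from them.
    static final Set<String> tickets = ConcurrentHashMap.newKeySet();
    static final Set<String> sessions = ConcurrentHashMap.newKeySet();

    // Stand-in for the protected service: ticket -> new session + 302 to the clean URL.
    static void handle(HttpExchange ex) throws IOException {
        byte[] body = ex.getRequestBody().readAllBytes();
        String query = ex.getRequestURI().getQuery();
        String cookie = ex.getRequestHeaders().getFirst("Cookie");
        if (query != null && query.startsWith("ticket=") && tickets.remove(query.substring(7))) {
            String id = UUID.randomUUID().toString();
            sessions.add(id);
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + id + "; Path=/; HttpOnly");
            ex.getResponseHeaders().add("Location", ex.getRequestURI().getPath());
            ex.sendResponseHeaders(302, -1);   // the request body is not carried into the redirect
        } else if (cookie != null && cookie.startsWith("JSESSIONID=")
                && sessions.contains(cookie.substring("JSESSIONID=".length()))) {
            byte[] out = (ex.getRequestMethod() + " body=" + new String(body, StandardCharsets.UTF_8))
                    .getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, out.length);
            ex.getResponseBody().write(out);
        } else {
            ex.sendResponseHeaders(401, -1);
        }
        ex.close();
    }

    static HttpResponse<String> send(HttpClient c, HttpRequest.Builder b) throws Exception {
        return c.send(b.build(), HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        tickets.addAll(Set.of("ST-1-constructed", "ST-2-constructed"));
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/api", SessionThenPost::handle);
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort() + "/api";
        // Redirects are not followed by default, so each step stays visible.
        HttpClient client = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
        String payload = "{\"order\":42}";
        try {
            // Failing flow: POST with the ticket on the URL is answered with a redirect.
            HttpResponse<String> r1 = send(client, HttpRequest.newBuilder(
                    URI.create(base + "?ticket=ST-1-constructed"))
                    .POST(HttpRequest.BodyPublishers.ofString(payload)));
            System.out.println("POST+ticket -> " + r1.statusCode()
                    + " Location=" + r1.headers().firstValue("Location").orElse(""));
            // Working flow, step 1: a cheap GET consumes the ticket and yields the session cookie.
            HttpResponse<String> r2 = send(client, HttpRequest.newBuilder(
                    URI.create(base + "?ticket=ST-2-constructed")).GET());
            String cookie = r2.headers().firstValue("Set-Cookie").orElseThrow().split(";", 2)[0];
            // Step 2: POST to the clean URL with only the cookie; no redirect, body intact.
            HttpResponse<String> r3 = send(client, HttpRequest.newBuilder(URI.create(base))
                    .header("Cookie", cookie).POST(HttpRequest.BodyPublishers.ofString(payload)));
            System.out.println("POST+cookie -> " + r3.statusCode() + " " + r3.body());
        } finally {
            server.stop(0);
        }
    }
}
```

The `JSESSIONID` obtained this way is a bearer credential for the session, so the calling application should keep it in memory only and send it over TLS.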







RE:[cas-user] problem with POST requests

2015-08-21 Thread Mahantesh Prasad Katti

Has anybody run into this problem? Do you think I need to explain this problem 
better or provide additional info?

Regards
Prasad

From: Mahantesh Prasad Katti
Sent: Friday, August 21, 2015 2:39 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] problem with POST requests

Hi ,

We have a casified java application. This application exposes a bunch of REST 
apis. When accessing POST APIs from another application by explicitly obtaining 
the service ticket and appending it to the target URL, the calls are failing. 
Apparently, after the ticket validation happens successfully, the POST body 
data gets lost and the service call fails because of that. Do we need to modify 
the server auth module to handle this scenario? Note that this happens for POST 
calls only. The get calls work just fine.

We are using the CAS JASPIC jar available from google groups. Any help is 
appreciated.

Regards
Prasad







[cas-user] problem with POST requests

2015-08-21 Thread Mahantesh Prasad Katti
Hi ,

We have a casified java application. This application exposes a bunch of REST 
apis. When accessing POST APIs from another application by explicitly obtaining 
the service ticket and appending it to the target URL, the calls are failing. 
Apparently, after the ticket validation happens successfully, the POST body 
data gets lost and the service call fails because of that. Do we need to modify 
the server auth module to handle this scenario? Note that this happens for POST 
calls only. The get calls work just fine.

We are using the CAS JASPIC jar available from google groups. Any help is 
appreciated.

Regards
Prasad





RE: [cas-user] need CAS clients for Microsoft Platform

2015-07-28 Thread Mahantesh Prasad Katti
Thanks Misagh. I have downloaded the libraries. In case I need additional 
information, I will post the same on the forum.

Regards
Prasad

From: Misagh Moayyed [mailto:mmoay...@unicon.net]
Sent: Monday, July 27, 2015 4:15 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] need CAS clients for Microsoft Platform

See https://wiki.jasig.org/display/CASC/ISAPI+Filter

From: Mahantesh Prasad Katti [mailto:mahantesh.ka...@indecomm.net]
Sent: Monday, July 27, 2015 2:08 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] need CAS clients for Microsoft Platform

Hi All,

I am in the process of enabling CAS authentication for Cognos. As part of this, 
I am planning to write an ISAPI filter that invokes CAS ticket validation logic. 
Need some info on this.

1. Where can I download the CAS clients for Windows platform that I can 
embed in ISAPI filter [is this correct: 
http://downloads.jasig.org/cas-clients/dotnet/ ]?

2. Is there some sample implementation that I can reference?

Regards
Prasad





[cas-user] need CAS clients for Microsoft Platform

2015-07-27 Thread Mahantesh Prasad Katti
Hi All,

I am in the process of enabling CAS authentication for Cognos. As part of this, 
I am planning to write an ISAPI filter that invokes CAS ticket validation logic. 
Need some info on this.

1. Where can I download the CAS clients for Windows platform that I can 
embed in ISAPI filter [is this correct: 
http://downloads.jasig.org/cas-clients/dotnet/ ]?

2. Is there some sample implementation that I can reference?

Regards
Prasad



RE: [cas-user] designing a fallback authentication scheme

2015-02-06 Thread Mahantesh Prasad Katti
Thanks Stephan and Jerome. The requirement is something like this. We have a 
product used by multiple customers. It is likely some of them have a CAS in 
their ecosystem and others may not. So we wanted to provide both modes of 
authentication. One way that I know we can accomplish is to define a parameter 
in the web.xml indicating if CAS is enabled or not. And present the appropriate 
login form.

Do you think there is a better alternative?

Regards,
Prasad

From: Stephan Arts [mailto:sa...@cosmos.esa.int]
Sent: 06 February 2015 13:37
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] designing a fallback authentication scheme

Hi,

I agree with Jérôme, the simplest and most robust solution is to have 2 (or in 
our case 4) CAS servers running in a cluster with a multi-master LDAP backend. 
Put a load-balancer in front of your CAS servers and you're done.

Okay, on second thought... Maybe not the simplest, but it is very reliable.

Regards,

Stephan

On 06/02/15 08:04, Jérôme LELEU wrote:
Hi,

I would not recommend to implement such a fallback mechanism on client side: it 
would be pretty complicated and you would lose all the benefits of a 
centralized authentication server (security, one link to the authentication 
source).

Why not a failover with two CAS servers? It can be achieved pretty easily with 
a Virtual IP (http://linux-ha.org/wiki/Main_Page). In all cases, you must be 
careful of your SPOF (Single Point Of Failure): is your LDAP resilient?

Best regards,

Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

2015-02-06 6:28 GMT+01:00 Prasad Katti mahantesh.ka...@indecomm.net:
Hi All,

We are using CAS authentication to implement SSO model. We are using the JSR 
196 for extending the JAAS authorization. As part of this we are also 
implementing a fall back mechanism in situations where CAS is not available. In 
situations where CAS is not available, we want to present a custom login form 
and authenticate the user against a pre-defined LDAP realm.

Here's where we are having a problem. When the application redirects to CAS 
application login, if CAS is not available, how to capture the same on 
redirection failure? One option is to check the connectivity by sending an HTTP 
Connect method to the server. We can then use the HTTP status code to 
determine if we have to invoke the fallback strategy. Is there a built-in way 
in CAS that will accomplish the same? I am just trying to weigh different 
options.