[cas-dev] RESTful CAS API
Smith, Matt
matt.smith at uconn.edu
Wed Apr 23 10:52:22 EDT 2008
Scott -
<hat type="security">
If a service is trying to authenticate to CAS as itself, is
ID/Password the right kind of credential? Seems like a stronger
mechanism could be encouraged by default. Perhaps X.509 or similar?
I also worry that this API makes it too "easy" for a service to pop-up
a dialog box asking for a user's credentials, and perform validation,
bypassing the whole WebISO thing without the CAS admin being aware.
Yeah, it is possible today by screen-scraping the 'LT' param from the
login script and submitting it with the ID/Password, but this API makes
it much easier. Defaulting this API to use a mechanism like X.509,
GSSAPI/SPNEGO, etc. eliminates this undesired use.
</hat>
<hat type="developer">
Yeah -- those points do make the problem space *much* more complicated.
But, they are important to consider anyway.
</hat>
HTH,
-Matt
On Wed, 2008-04-23 at 09:32 -0400, Scott Battaglia wrote:
> All,
>
> We have need of a way of programmatically obtaining tickets for
> purposes of service to service authentication. We've previously used
> a SOAP-based web service (which we've kept internal). We're planning
> on moving to a much lighter approach, to make it easier for our
> non-Java clients (SOAP isn't necessarily fun to parse/construct), but
> we're most likely going to contribute it back as a module in the CAS
> project, as it seems like something other people could use (and I
> believe some people have hinted at needing something).
>
> To that end, we've posted a suggested API for obtaining TGTs and
> Service Tickets:
> http://www.ja-sig.org/wiki/display/CASUM/RESTful+API
>
> Please let us know if you have any feedback, additional ideas, etc.
>
> Thanks
> -Scott
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
--
Matt Smith
matt.smith at uconn.edu
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E
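The two points Matt raises under the security hat, a secure default for the credential type and visibility for the CAS admin, can be sketched in code. The following is an added illustration written for this thread, not code from CAS or from the proposed RESTful API; the endpoint model, the credential labels ("x509", "spnego", "password"), the policy class and the sample requests are all assumptions constructed for the example. It shows a ticket-granting policy that refuses ID/password over the programmatic endpoint unless a legacy switch is turned on, writes every decision to an audit trail, and then reviews that trail for the pattern a service collecting users' passwords in its own dialog box would leave behind: one caller obtaining tickets by password for many distinct principals.

```python
# Added example for this thread (not CAS project code): a credential-type
# policy for a hypothetical REST ticket-granting endpoint, plus a review of
# the audit trail it produces. All names and sample traffic are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

STRONG_CREDENTIALS = {"x509", "spnego"}   # assumed labels for the hypothetical API


@dataclass(frozen=True)
class TgtRequest:
    client: str        # who is calling the endpoint (service id or source host)
    credential: str    # kind of credential presented: "x509", "spnego", "password"
    principal: str     # identity the credential asserts


@dataclass
class RestTgtPolicy:
    accept_password: bool = False        # secure default: no ID/password over REST
    audit: list = field(default_factory=list)

    def evaluate(self, req: TgtRequest):
        """Return (granted, reason). Every decision is appended to self.audit,
        so the CAS admin can see who obtains tickets programmatically and how."""
        if req.credential in STRONG_CREDENTIALS:
            granted, reason = True, "strong credential"
        elif req.credential == "password" and self.accept_password:
            granted, reason = True, "password accepted (legacy mode)"
        else:
            granted, reason = False, f"credential '{req.credential}' not accepted over REST"
        self.audit.append({"client": req.client, "credential": req.credential,
                           "principal": req.principal, "granted": granted})
        return granted, reason


def password_fanout(audit, threshold=3):
    """Clients that obtained TGTs by password for at least `threshold` distinct
    principals. A legitimate service authenticates as itself; a service that
    prompts users for their passwords and relays them shows up here."""
    seen = defaultdict(set)
    for ev in audit:
        if ev["granted"] and ev["credential"] == "password":
            seen[ev["client"]].add(ev["principal"])
    return {client: sorted(users) for client, users in seen.items()
            if len(users) >= threshold}


def demo(accept_password: bool):
    """Run constructed sample traffic through the policy in the given mode and
    return (per-request decisions, clients flagged by the audit review)."""
    policy = RestTgtPolicy(accept_password=accept_password)
    requests = [                                     # constructed sample traffic
        TgtRequest("svc-reporting", "x509", "svc-reporting"),   # service as itself
        TgtRequest("svc-legacy", "password", "svc-legacy"),     # service, weak credential
        TgtRequest("10.0.0.7", "password", "alice"),            # one host, three users
        TgtRequest("10.0.0.7", "password", "bob"),
        TgtRequest("10.0.0.7", "password", "carol"),
    ]
    decisions = [policy.evaluate(r)[0] for r in requests]
    return decisions, password_fanout(policy.audit)


if __name__ == "__main__":
    for mode in (False, True):
        decisions, flagged = demo(mode)
        print(f"accept_password={mode}: granted={decisions} flagged={flagged}")
```

With the default (`accept_password=False`) only the certificate-authenticated service gets a ticket and the review has nothing to flag; with the legacy switch on, all five requests succeed and `10.0.0.7` is reported for obtaining tickets on behalf of three different users, which is exactly the case the CAS admin would otherwise never see.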