WS-Security + CAS

Scott Battaglia scott.battaglia at gmail.com
Wed May 23 08:46:51 EDT 2007


If you're interested in exposing CAS as a web service using xFire, xFire has
certain limitations.  Though it will allow you to export an interface with
methods that accept interfaces as parameters (such as Credentials), it won't
do much with them.  You need to craft an interface for CAS that accepts the
types of Credentials you want to accept (i.e. UsernamePasswordCredentials)
and expose that interface (delegating to the internal instance of
CentralAuthenticationService).

Hope that helps.
-Scott

On 5/15/07, Christian Vest Hansen <cvh at unwire.dk> wrote:
>
> Hello,
>
> I'm facing the following requirements:
>
> 1. I have multiple systems that want to expose functionality
>     as web services.
> 2. I will have multiple front-ends that want to use these
>     services.
> 3. All of these front-ends must have single-sign-on and CAS is
>     an obvious choice for that.
> 4. I also have 3rd parties (customers) who want to access
>     some of these services from the outside.
> 5. I want to use a standard way of putting authentication on
>     my web services; namely WS-Security.
> 6. The web services must also accept CAS tickets.
>
> I have a plan on how to do it, but it seems I need some help from you guys
> (I will return to that part in a minute).
> Here's how I plan to do it:
>
> 1. All of my web services use XFire + XFire-ws-security to
>     implement the WSS standard.
> 2. The web services MUST be accessed over HTTPS so clients can
>     send their password (and username) in 'clear text' without
>     worry.
> 3. External clients are each given their own username and
>     password, which they will send with every request.
> 4. My front-ends will authenticate with CAS tickets, by
>     specifying 'CAS-TICKET' as the username and the ticket as
>     the password.
> 5. XFire uses a WSS4JInHandler with CallbackHandlers to do its
>     authentication - I will write a CasWssAuthInHandler based on
>     this class to handle the CAS specific rules above.
> 6. My CasWssAuthInHandler will communicate with the CAS server
>     using the built-in CAS web service.
>
> It is point 6 that is causing me the most trouble right now. I used XFire
> to generate java stub classes from the CAS WSDL, but I have no idea how to
> use them.
> The Credentials class alone was useless, so I copied the
> UsernamePasswordCredentials class from the CAS source, but I cannot get the
> XML mapping right.
> I have tried out all manners of XML layouts in SoapUI, but a
> TicketException with the code
>     "error.authentication.credentials.unsupported"
> is the only response I have been able to provoke thus far.
>
> If you would just give me a complete SOAP envelope example of
> how to authorize a username & password, then that would make my
> day.
>
>
> Here's the SOAP envelope I send to the CAS server:
>
> <soapenv:Envelope
>   xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>   xmlns:cas="http://cas.jasig.org">
>    <soapenv:Body>
>       <cas:createTicketGrantingTicket>
>          <cas:in0
>            xmlns="http://principal.authentication.cas.jasig.org">
>             <cas:usernamePasswordCredentials>
>                <cas:username>admin</cas:username>
>                <cas:password>admin</cas:password>
>            </cas:usernamePasswordCredentials>
>         </cas:in0>
>       </cas:createTicketGrantingTicket>
>    </soapenv:Body>
> </soapenv:Envelope>
>
>
> And here's the server's response:
>
> <soap:Envelope
>   xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
>   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>    <soap:Body>
>       <soap:Fault>
>          <faultcode>soap:Server</faultcode>
>          <faultstring>
>             error.authentication.credentials.unsupported
>          </faultstring>
>          <detail>
>             <TicketException xmlns="http://cas.jasig.org">
>                <code xmlns="http://ticket.cas.jasig.org">
>                   error.authentication.credentials.unsupported
>                </code>
>             </TicketException>
>          </detail>
>       </soap:Fault>
>    </soap:Body>
> </soap:Envelope>
>
> Med venlig hilsen/Best regards
> Christian Vest Hansen
> Developer
>
> Reception +45 3393 1434
> Mobile +45 6130 4121
> Web www.unwire.com
>
> UNWIRE ApS
> Masnedøgade 20, 3. sal
> DK-2100 Copenhagen Ø.
> Denmark
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
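The facade Scott describes, written out as an added example (this is not code from the thread or from the CAS project). It assumes the CAS 3.x API as the quoted SOAP namespaces suggest: org.jasig.cas.CentralAuthenticationService with createTicketGrantingTicket(Credentials) and destroyTicketGrantingTicket(String), org.jasig.cas.authentication.principal.UsernamePasswordCredentials, and org.jasig.cas.ticket.TicketException. The names CasSoapFacade and CasSoapFacadeImpl are hypothetical. The point is that the exported interface only takes concrete bean-style types, so XFire has something it can map a SOAP body onto, while the real work is still done by the internal CentralAuthenticationService instance.

```java
// Added example, not CAS project code. Assumes the CAS 3.x API named in the
// lead-in; the facade names below are hypothetical. In a real deployment the
// interface and class would live in separate files and the implementation
// would be wired to the CAS bean by Spring.
package example.cas.ws;

import org.jasig.cas.CentralAuthenticationService;
import org.jasig.cas.authentication.principal.UsernamePasswordCredentials;
import org.jasig.cas.ticket.TicketException;

/**
 * The interface XFire exports. Every parameter is a concrete type with a
 * default constructor and getters/setters, never the Credentials interface,
 * so the SOAP body can be deserialized into it.
 */
public interface CasSoapFacade {

    /** Authenticates a username/password pair; returns the TGT id on success. */
    String createTicketGrantingTicket(UsernamePasswordCredentials credentials)
            throws TicketException;

    /** Ends the SSO session belonging to the given ticket-granting ticket. */
    void destroyTicketGrantingTicket(String ticketGrantingTicketId);
}

/** Thin adapter: validates the input shape, then delegates to CAS itself. */
class CasSoapFacadeImpl implements CasSoapFacade {

    private final CentralAuthenticationService centralAuthenticationService;

    CasSoapFacadeImpl(CentralAuthenticationService centralAuthenticationService) {
        if (centralAuthenticationService == null) {
            throw new IllegalArgumentException("centralAuthenticationService is required");
        }
        this.centralAuthenticationService = centralAuthenticationService;
    }

    public String createTicketGrantingTicket(UsernamePasswordCredentials credentials)
            throws TicketException {
        // Reject malformed requests before they reach the authentication
        // handlers; an empty username or password is never a valid login.
        if (credentials == null
                || credentials.getUsername() == null
                || credentials.getUsername().length() == 0
                || credentials.getPassword() == null) {
            throw new IllegalArgumentException("username and password are required");
        }
        // UsernamePasswordCredentials already implements Credentials, so the
        // concrete object is handed to CAS unchanged; CAS picks the matching
        // AuthenticationHandler and raises TicketException on failure.
        return centralAuthenticationService.createTicketGrantingTicket(credentials);
    }

    public void destroyTicketGrantingTicket(String ticketGrantingTicketId) {
        if (ticketGrantingTicketId == null) {
            throw new IllegalArgumentException("ticketGrantingTicketId is required");
        }
        centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketId);
    }
}
```

The facade is then exported through XFire's Spring integration (an XFireExporter bean whose serviceClass is the facade interface and whose serviceBean is the implementation, on the assumption that this is the exporter XFire ships). Two cautions that follow from the design: the endpoint hands out ticket-granting ticket ids, which are equivalent to the user's SSO session, so it must only be reachable over HTTPS and only by the callers that need it; and the XFire-generated client stubs should be regenerated from this facade's WSDL rather than from the raw CentralAuthenticationService WSDL the original poster started with.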