Anyone have ideas?--Re: Authenticating web service calls via CAS..

tedzo tedzo2003 at yahoo.com
Wed Oct 17 15:43:06 EDT 2007 

Ok, that makes sense. Let me try that.
Thanks again for your time.


----- Original Message ----
From: Scott Battaglia <scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Wednesday, October 17, 2007 6:35:43 AM
Subject: Re: Anyone have ideas?--Re: Authenticating web service calls via CAS..

You'll want to use CAS's proxying capabilities.  It would allow application A to obtain a ticket on behalf of the logged in user.

-Scott


On 10/17/07, tedzo <tedzo2003 at yahoo.com> wrote:
Scott,
Thank you for taking the time to respond.
 
I looked around and Acegi seemed to support what I am attempting (atleast the Acegi user guide suggested that its doable) and so I began integrating with Acegi. So, I am glad to see you mention it in your response. Hopefully I am on the right track. So, I now have CAS+Acegi+XFire :( 
 
Acegi with CAS is working fine for non-web service access (ie, via a browser).
 
Here is what has confused me- WHen the user tries to access the webapp (say Webapp A), he is directed to CAS and he presents the password and logs in. Webapp A doesn't know what the password is (ofcourse). Now, all the mthods in CentralAuthenticationService interface that allow for a ticket to be obtained ( getServiceTicket(), getTicketGrantingTicket() ), require credentials to be presented (directly or indirectly). However, I don't have access to the credentials within Webapp A! (In my previous message, I actually forgot that Webapp A doesn't have the credentials...). So, I appear to be stuck. What am I missing? 
 
FYI, if it is not clear, this is what I am trying- User logs into WebappA via CAS. He performs an action that requires a webservice in WebappB to be invoked. WebappB is also protected by CAS. I am looking to somehow invoke webservice in WebappB from WebappA without having to re-authenticate. At present, WebappA is *not* protected by acegi (only CAS) while WebappB has Acegi with CAS behind it. I suspect I need to get WebappA also to be protected by Acegi and thats fine. 
 
Your thoughts are much appreciated.
 
Thanks.


----- Original Message ----
From: Scott Battaglia < scott.battaglia at gmail.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>

Sent: Monday, October 15, 2007 6:49:55 AM
Subject: Re: Anyone have ideas?--Re: Authenticating web service calls via CAS..

Comments in-line.


On 10/10/07, tedzo <tedzo2003 at yahoo.com > wrote: 
I need to figure out a way to pass the session info to CAS when I make a remote method call using xFire. Someone has to have needed to do this...Anyone? 


----- Original Message ----
From: tedzo < tedzo2003 at yahoo.com>
To: Yale CAS mailing list <cas at tp.its.yale.edu>
Sent: Monday, October 8, 2007 3:03:52 PM 
Subject: Re: Authenticating web service calls via CAS..


Ok, a bit of digging around-
I found the remoteCentralAuthenticationService and xFireCentralAuthenticationService beans defined and commented. The comment asked for the bean to be uncommented in order to allow access as a web service (using xFire, which is good). Here is what I was thinking- 
1. From client stub (of my web service that is to be exposed), pass credentials and query remoteCAS for a ticket.
2. Pass the ticket to my web service.
3. Validate the ticket from my web service (the actual implementation of the service to be exposed). If the ticket validates, then go ahead with the service. ELse fail. 
 
Does this seem to make sense?

Yes, this makes sense.  Though if your user has already authenticated to your application I recommend you just obtain a proxy ticket. 



Questions-
1. Once a ticket is used/validated, it is no longer recognized by CAS. So, this essentially means my web service stub needs to validate everytime the client accesses the web service. So, how do I obtain a ticket that lasts longer than 1 call? 

There are no service tickets  that last longer than one call.  You either need to get a new service ticket each time, or use a framework such as Acegi to secure the application.  Acegi utilizes the existing ticket to maintain a session locally for a defined period of time. 


-Scott




__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Yale CAS mailing list 
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas





-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20071017/6a1b105c/attachment.html

More information about the cas mailing list