CAS and applications with their own authentication system

Dale Ogilvie Dale.Ogilvie at trimble.co.nz
Thu Sep 20 18:13:22 EDT 2007


Hello,

I am thinking through CAS and how it might be implemented on top of our
current stable of applications. Can anyone advise me how to CASify a 3rd
party application which currently has its own authentication system,
without modifying (extending might be ok) the application code?

For example, we have an application that is fronted by Apache, but runs
in a JSP container and has its own login URL. Currently when the user
logs in they receive an application-specific authentication cookie, which
the client presents on each request to the application, giving them
personalized access. We cannot modify the application code itself, as it
is a 3rd party application.

What would be a best practice approach to using CAS for an application
such as this? The issue is that authenticated access to the application
*requires* the 3rd party cookie. mod_cas or a JSP filter could secure
the application to the point of providing a net_id to the application,
but that net_id needs to generate an application-specific cookie
somehow.

I'm thinking the conversation would need to go something like this:

1. Client browses to /app
2. mod_cas redirects to /cas/login?service=http://host/app, the user
logs in
3. cas redirects back to http://host/app?ST=GOOD
4. mod_cas validates ST and passes net_id through on request to /app

/app minus the 3rd party cookie would normally present the application
specific login screen at this point, but we have a valid net_id. How to
get that cookie?

5. There is a net_id but no app specific cookie, redirect client to
/getappcookie?service=/app
6. server-side call posting net_id and looked up password to "/app/login"
7. parse out the 3rd party auth cookie from the response
8. return to client with a redirect back to /app and a Set-Cookie for the
application-specific authentication cookie

9. client requests /app with app cookie
10. mod_cas redirects to /cas/login?service=/app again, the TGC is
passed from the client this time
11. cas redirects back to http://host/app?ST=GOOD
12. mod_cas validates ST and passes net_id through on request to /app
13. There is a net_id and an app specific cookie, user gets
authenticated access to /app

Is the above architecture sane? Is there any support in existing CAS
clients for a system like this?

Thanks

--
Dale Ogilvie
Senior Software Engineer
Trimble Navigation NZ Ltd
P O Box 8729
Riccarton
Christchurch
Ph:       +64 3 9635344
Fax:     +64 3 9635317
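The thirteen-step exchange sketched above, written out as a runnable model with both sides present. This is an added example and is not code from CAS, mod_cas, the 3rd party application or the original post. The 3rd party application, its login form, its cookie name (APPSESSION), the credential store that maps a net_id to the application's own username/password, and the /getappcookie handler are all constructed stand-ins; mod_cas's ticket validation (steps 2-4 and 10-12) is assumed to have already happened and is represented only by the net_id argument.

```python
"""Model of the CAS -> 3rd-party-cookie bridge. Constructed example."""
import secrets
from urllib.parse import urlencode, parse_qs

# --- Stand-in for the 3rd party application (cannot be modified) --------
APP_USERS = {"dale": "s3cret-app-pw"}   # constructed: the app's own user db
APP_SESSIONS = {}                        # token -> username, the app's sessions
APP_COOKIE = "APPSESSION"                # assumed name of the app's auth cookie


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    out = {}
    for part in (header or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def app_login(form_body):
    """POST /app/login: verify username/password, issue the app cookie."""
    form = parse_qs(form_body)
    user = form.get("username", [""])[0]
    pw = form.get("password", [""])[0]
    if APP_USERS.get(user) != pw:
        return {"status": 401, "headers": {}, "body": "login failed"}
    token = secrets.token_hex(16)
    APP_SESSIONS[token] = user
    return {"status": 302,
            "headers": {"Location": "/app",
                        "Set-Cookie": f"{APP_COOKIE}={token}; Path=/app; HttpOnly"},
            "body": ""}


def app_page(cookie_header):
    """GET /app: personalised content only if the app cookie is valid."""
    user = APP_SESSIONS.get(parse_cookie_header(cookie_header).get(APP_COOKIE, ""))
    if user is None:
        return {"status": 302, "headers": {"Location": "/app/login"}, "body": ""}
    return {"status": 200, "headers": {}, "body": f"welcome {user}"}


# --- Bridge layer: the part the message asks how to build ---------------
# net_id -> (app username, app password). Constructed. In a real deployment
# this store holds reusable credentials and must be protected like one.
CREDENTIAL_STORE = {"dogilvie": ("dale", "s3cret-app-pw")}


def parse_set_cookie(header):
    """Return (name, value) from a Set-Cookie header, dropping attributes."""
    name, value = header.split(";", 1)[0].split("=", 1)
    return name.strip(), value.strip()


def get_app_cookie(net_id, service):
    """Steps 5-8: log in to the app server-side as net_id, relay the cookie."""
    creds = CREDENTIAL_STORE.get(net_id)
    if creds is None:
        return {"status": 403, "headers": {}, "body": f"no app account for {net_id}"}
    username, password = creds
    resp = app_login(urlencode({"username": username, "password": password}))
    if resp["status"] != 302 or "Set-Cookie" not in resp["headers"]:
        return {"status": 502, "headers": {}, "body": "app login failed"}
    name, value = parse_set_cookie(resp["headers"]["Set-Cookie"])
    # Re-issue the cookie to the browser with the same scope the app uses.
    return {"status": 302,
            "headers": {"Location": service,
                        "Set-Cookie": f"{name}={value}; Path=/app; HttpOnly"},
            "body": ""}


def handle_app_request(net_id, cookie_header):
    """Steps 4-5 and 12-13, after mod_cas has validated the ST.
    net_id must be the value mod_cas set, never a client-supplied header."""
    if net_id is None:
        return {"status": 401, "headers": {}, "body": "not CAS-authenticated"}
    if APP_COOKIE not in parse_cookie_header(cookie_header):
        return {"status": 302,
                "headers": {"Location": "/getappcookie?" + urlencode({"service": "/app"})},
                "body": ""}
    return app_page(cookie_header)


def run_flow(net_id):
    """Play the client's side of the whole exchange; return the final body."""
    first = handle_app_request(net_id, "")          # step 4/5: no app cookie yet
    assert first["status"] == 302 and "/getappcookie" in first["headers"]["Location"]
    bridged = get_app_cookie(net_id, "/app")        # steps 6-8
    if bridged["status"] != 302:
        return bridged["body"]
    name, value = parse_set_cookie(bridged["headers"]["Set-Cookie"])
    return handle_app_request(net_id, f"{name}={value}")["body"]   # steps 9-13


if __name__ == "__main__":
    print(run_flow("dogilvie"))
```

Two points the model makes visible. First, /getappcookie itself must sit behind mod_cas and take net_id only from what mod_cas validated; if it accepted a net_id from the query string or a client-set header, anyone could mint an application cookie for any user. Second, the bridge works only because it holds a password the application accepts for each net_id, so that credential store, not the CAS ticket, becomes the thing that protects the application's accounts.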
