CAS and applications with their own authentication system
Scott Battaglia
scott.battaglia at gmail.com
Wed Sep 26 23:20:48 EDT 2007
Dale,
At a quick glance your logic looks sane. You could merely implement a
filter in front of the application that sets the cookie if it's not there but
a NetId is, and then redirects to the same page (without the ticket in the
URL).
-Scott
On 9/20/07, Dale Ogilvie <Dale.Ogilvie at trimble.co.nz> wrote:
>
>
> Hello,
>
> I am thinking through CAS and how it might be implemented on top of our
> current stable of applications. Can anyone advise me how to CASify a 3rd
> party application which currently has its own authentication system,
> without modifying (extending might be ok) the application code?
>
> For example, we have an application that is fronted by Apache, but runs
> in a JSP container and has its own login URL. Currently when the user
> logs in they receive an application-specific authentication cookie, which
> the client presents on each request to the application, giving them
> personalized access. We cannot modify the application code itself, as it
> is a 3rd party application.
>
> What would be a best practice approach to using CAS for an application
> such as this? The issue is that authenticated access to the application
> *requires* the 3rd party cookie. mod_cas or a JSP filter could secure
> the application to the point of providing a net_id to the application,
> but that net id needs to generate an application specific cookie
> somehow.
>
> I'm thinking the conversation would need to go something like this:
>
> 1. Client browses to /app
> 2. mod_cas redirects to /cas/login?service=http://host/app, the user
> logs in
> 3. cas redirects back to http://host/app?ST=GOOD
> 4. mod_cas validates ST and passes net_id through on request to /app
>
> /app minus the 3rd party cookie would normally present the application
> specific login screen at this point, but we have a valid net_id. How to
> get that cookie?
>
> 5. There is a net_id but no app specific cookie, redirect client to
> /getappcookie?service=/app
> 6. serverside call posting net_id and looked up password to "/app/login"
> 7. parse out the 3rd party auth cookie from the response
> 8. return to client with a redirect back to /app and setcookie for the
> app specific authentication cookie
>
> 9. client requests /app with app cookie
> 10. mod_cas redirects to /cas/login?service=/app again, the TGC is
> passed from the client this time
> 11. cas redirects back to http://host/app?ST=GOOD
> 12. mod_cas validates ST and passes net_id through on request to /app
> 13. There is a net_id and an app specific cookie, user gets
> authenticated access to /app
>
> Is the above architecture sane? Is there any support in existing CAS
> clients for a system like this?
>
> Thanks
>
> --
> Dale Ogilvie
> Senior Software Engineer
> Trimble Navigation NZ Ltd
> P O Box 8729
> Riccarton
> Christchurch
> Ph: +64 3 9635344
> Fax: +64 3 9635317
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
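The bridge Dale sketches in steps 5-8 (a net_id is known but the app's own cookie is missing, so log in to the app server-side, capture its Set-Cookie and hand that cookie to the browser with a redirect) and the filter Scott suggests, simulated end to end as an added example. This is not code from the thread or from any CAS client: a throwaway HTTP server stands in for the 3rd-party application (its own POST /app/login issues an APPSESSION cookie), and bridge() is called at the point where mod_cas or a CAS filter has already validated the service ticket and supplied the net_id. The hostnames, paths, cookie name, the net_id-to-password store and the ticket parameter are all assumptions made for illustration.

```python
"""Added example, not from the thread: the net_id -> app-cookie bridge that
Dale sketches (steps 5-8) and Scott suggests implementing as a filter,
simulated end to end. A throwaway HTTP server stands in for the 3rd-party
app (it has its own POST /app/login and issues an APPSESSION cookie); the
bridge runs where mod_cas / a CAS filter has already validated the service
ticket and supplied a net_id. Hostnames, paths, cookie names, the ticket
parameter and the password store are all assumptions for illustration."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

APP_COOKIE = "APPSESSION"
# Constructed lookup of net_id -> app-specific password (Dale's step 6).
# This store is the sensitive part of the design: whoever can read it can
# log in to the app as any user, so protect it like any password store.
APP_CREDENTIALS = {"dogilvie": "app-pw-1"}
_APP_USERS = dict(APP_CREDENTIALS)   # the fake app's own user table
_APP_SESSIONS = {}                   # cookie value -> username


class FakeLegacyApp(BaseHTTPRequestHandler):
    """Stand-in for the application whose code cannot be changed."""
    def do_POST(self):
        if self.path != "/app/login":
            return self.send_error(404)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = urllib.parse.parse_qs(body.decode())
        user = form.get("username", [""])[0]
        if _APP_USERS.get(user) != form.get("password", [""])[0]:
            return self.send_error(401)
        token = "tok-%d" % (len(_APP_SESSIONS) + 1)
        _APP_SESSIONS[token] = user
        self.send_response(302)
        self.send_header("Set-Cookie", "%s=%s; Path=/app" % (APP_COOKIE, token))
        self.send_header("Location", "/app")
        self.end_headers()

    def log_message(self, *_):
        pass  # keep the demo quiet


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *_, **__):
        return None  # surface the app's 302 as HTTPError so we can read its headers


def fetch_app_cookie(app_base, net_id):
    """Steps 6-7: log in server-side as net_id and return the app's cookie value."""
    password = APP_CREDENTIALS.get(net_id)
    if password is None:
        return None
    form = urllib.parse.urlencode({"username": net_id, "password": password})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(app_base + "/app/login", data=form.encode(), timeout=5)
    except urllib.error.HTTPError as err:
        resp = err  # a 302 (or 401) arrives here; it still carries the headers
    if resp.code not in (200, 302):
        return None
    jar = SimpleCookie()
    jar.load(resp.headers.get("Set-Cookie", ""))
    return jar[APP_COOKIE].value if APP_COOKIE in jar else None


def strip_ticket(url):
    """Drop the CAS ticket (CAS sends it as ?ticket=ST-...) before redirecting."""
    parts = urllib.parse.urlsplit(url)
    q = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query) if k != "ticket"]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(q)))


def bridge(request, app_base):
    """Steps 5 and 8: runs after CAS validation; returns the response to send.

    request = {"net_id": str or None, "cookies": dict, "url": str}
    """
    if not request["net_id"]:
        return {"status": 401}               # the CAS layer should have stopped this
    if APP_COOKIE in request["cookies"]:
        return {"status": "pass"}            # step 13: let the app see the request
    token = fetch_app_cookie(app_base, request["net_id"])
    if token is None:
        return {"status": 403}               # known to CAS, unknown to the app
    return {"status": 302,
            "location": strip_ticket(request["url"]),
            # Re-issue the app's cookie with the flags the app did not set.
            "set_cookie": "%s=%s; Path=/app; HttpOnly; Secure" % (APP_COOKIE, token)}


def run_demo():
    """Run the fake app on an ephemeral port and exercise the three cases."""
    srv = HTTPServer(("127.0.0.1", 0), FakeLegacyApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    url = "http://host/app?ticket=ST-1234-abc"   # constructed validated-ticket URL
    try:
        return {
            "first_visit": bridge({"net_id": "dogilvie", "cookies": {}, "url": url}, base),
            "has_cookie": bridge({"net_id": "dogilvie",
                                  "cookies": {APP_COOKIE: "tok-1"}, "url": url}, base),
            "no_app_account": bridge({"net_id": "stranger", "cookies": {}, "url": url}, base),
        }
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for case, resp in run_demo().items():
        print(case, resp)
```

Two points the simulation makes explicit: the redirect in step 8 goes back to the URL with the ticket removed, which is what Scott's "without the ticket in the URL" means, so the browser does not keep re-presenting a consumed service ticket; and the bridge is the one place that holds every user's app password, so in a real deployment the lookup store and the bridge endpoint need at least the protection the app's own login has.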