Headless CAS?
Bill Bailey
Bill.Bailey at northlandchurch.net
Thu Sep 27 16:51:53 EDT 2007
Eric,
I am currently using CAS with web services (Spring Web Services to be
exact but I think the concepts apply for other frameworks as well even
though you might need to do a bit more work). You can get a proxy ticket
that is used to authenticate with the web services, but the application
obtaining the proxy has to have been authenticated by CAS and possess a
proxy granting ticket.
You don't have to use a JSP, but you have to obtain credentials from the
user somehow, right? How do you obtain the credentials
(username/password) you will use to authenticate? If you are not
obtaining credentials from a user (e.g. a middle-tier application that
always logs in with some fixed username and password) then I question
the value of using CAS.
In my case, my applications are rich (Flex) clients. When the end user
is authenticated in any of these applications, they request a proxy
granting ticket and then obtain a proxy ticket specifically for the web
services.
The proxy ticket is embedded in a hidden field in the resulting web page
and the Flex client retrieves the proxy ticket from the hidden field and
uses it in calls to the web services (using WS-Security UsernameToken).
The other issue you have to contend with is that CAS tickets are
one-time usage tickets. Since you don't want to authenticate all over
again for each web services call AND since web services are stateless,
you need to cache valid tickets and compare new tickets to the cache
first before going to CAS. Spring Web Services with ACEGI handles this
for you by allowing the username to be _cas_stateless_ in which case
ACEGI checks the cache for a matching ticket first and only validates it
against CAS if not found. For other web services frameworks, I suspect
you might have to implement this particular behavior yourself.
Hope this helps some.
Bill
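The caching behaviour described above, as an added example that is not Bill's code and not Spring Web Services or ACEGI code: a stateless service keeps a bounded, time-limited cache of proxy tickets it has already validated, consults it before calling CAS, and treats the WS-Security UsernameToken with username `_cas_stateless_` as carrying a proxy ticket in its password field. The CAS server, service URL and ticket strings are constructed stand-ins; the real CAS endpoint is an HTTP call, here replaced by a callable that mimics its single-use semantics.

```python
import time
from typing import Callable, Dict, Optional, Tuple

STATELESS_USER = "_cas_stateless_"  # username signalling "the password field holds a CAS proxy ticket"


class FakeCasServer:
    """Constructed stand-in for CAS /proxyValidate: a ticket validates once, then it is consumed."""

    def __init__(self, issued: Dict[str, Tuple[str, str]]):
        self._issued = dict(issued)  # ticket -> (principal, service URL the ticket was issued for)

    def proxy_validate(self, ticket: str, service: str) -> Optional[str]:
        entry = self._issued.pop(ticket, None)  # one-time use: gone after the first lookup
        if entry is None or entry[1] != service:
            return None  # unknown, already used, or issued for a different service
        return entry[0]


class StatelessTicketAuthenticator:
    """Service-side check for a stateless web service: consult the cache of already
    validated tickets first, call CAS only on a miss, and expire entries after a TTL."""

    def __init__(self, validate: Callable[[str, str], Optional[str]], service: str,
                 ttl_seconds: float = 300.0, clock: Callable[[], float] = time.monotonic):
        self._validate, self._service = validate, service
        self._ttl, self._clock = ttl_seconds, clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # ticket -> (principal, expiry time)

    def authenticate_ticket(self, ticket: str) -> Optional[str]:
        now = self._clock()
        hit = self._cache.get(ticket)
        if hit is not None:
            principal, expires = hit
            if now < expires:
                return principal      # cache hit: no round trip to CAS, which would reject the replay
            del self._cache[ticket]   # expired: the client must obtain a fresh proxy ticket
        principal = self._validate(ticket, self._service)
        if principal is None:
            return None
        self._cache[ticket] = (principal, now + self._ttl)
        return principal

    def authenticate_username_token(self, username: str, password: str) -> Optional[str]:
        """WS-Security UsernameToken with username=_cas_stateless_ and password=<proxy ticket>."""
        if username != STATELESS_USER:
            return None  # ordinary username/password tokens are not handled here
        return self.authenticate_ticket(password)
```

While a ticket sits in the cache it behaves as a bearer credential for the service, so the TTL bounds how long a captured ticket stays usable and should be kept short.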
-----Original Message-----
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Eric Miles
Sent: Thursday, September 27, 2007 3:23 PM
To: cas at tp.its.yale.edu
Subject: Headless CAS?
Can CAS act as a headless authentication mechanism? I'd like to use CAS
for authenticating web service calls (which are stateless and headless).
I currently have CAS all wired up with my web application so I
understand how that works (it works great). However, I am failing to
see how I could CASify my web services. Is it possible to create a CAS
Ticket via an API as there is no way for these clients to go to a UI and
"login"? I see numerous "Java Client" examples that show how to
validate a ticket once in hand, but I see no examples of how to get the
ticket itself (without logging in through a JSP page).
Thanks,
Eric
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas