Is it possible to return SSO cookie using ticket generated using Restful API?
Scott Battaglia
scott.battaglia at gmail.com
Mon Jan 12 21:22:48 EST 2009
From a security perspective, I wouldn't recommend an application accessing a
user's credentials and then creating a TGT for them. The TGT should only be
between the user and CAS (in this case, the browser and CAS).
-Scott
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
On Mon, Jan 12, 2009 at 5:12 PM, Keith Garry Boyce <garry at consultsure.com> wrote:
> Ok, then does it make sense what I have proposed from a security
> perspective? That instead of /login generating a CAS ticket, a redirect of
> the browser to a CAS URL with a service ticket could then cause a cookie to be
> generated from a pre-existing service ticket passed to the redirect as a query
> parameter?
>
> ------------------------------
> From: Scott Battaglia <scott.battaglia at gmail.com>
> Sent: Monday, January 12, 2009 1:34 PM
> To: Yale CAS mailing list <cas at tp.its.yale.edu>
> Subject: Re: Is it possible to return SSO cookie using ticket generated
> using Restful API?
>
> The only way you can do anything is if the browser handles the URL
> (which is why /login generates a CAS ticket).
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
> On Fri, Jan 9, 2009 at 11:56 AM, Keith Garry Boyce <garry at consultsure.com> wrote:
>
>> What CAS implementation classes would I have to change to allow this?
>> Basically I suppose it would be a URL like /cas/issueCookie?ticket=xyz
>>
>> Also what would be the security risks involved in allowing this to be
>> possible?
>>
>> ------------------------------
>> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
>> *On Behalf Of *Scott Battaglia
>> *Sent:* Friday, January 09, 2009 12:38 PM
>> *To:* Yale CAS mailing list
>> *Subject:* Re: Is it possible to return SSO cookie using ticket generated
>> using Restful API?
>>
>> You can't. They are mutually exclusive.
>>
>> -Scott
>>
>> -Scott Battaglia
>> PGP Public Key Id: 0x383733AA
>> LinkedIn: <http://www.linkedin.com/in/scottbattaglia>
>>
>>
>
> [The entire original message is not included]
>
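A toy model of the ticket lifecycle this thread argues about, added here as an illustration and not code from CAS or from anyone in the thread: it shows an ST being single-use and service-bound, and models the proposed /cas/issueCookie?ticket=xyz path as refused because only primary authentication at /login may create a TGT. Ticket formats, the ST lifetime and the test user are assumptions of the model.

```python
"""Toy model of the CAS ticket lifecycle discussed above (added example, not CAS code).
A TGT is created only by primary authentication between browser and CAS (/login);
a service ticket (ST) is a single-use, service-bound token derived from that TGT.
Ticket formats, lifetime and the test user are assumptions of this model."""
import secrets
import time

ST_LIFETIME = 10.0  # seconds; assumed short lifetime for a service ticket

class ToyCAS:
    def __init__(self):
        self.tgts = {}  # TGT id -> username (what the CASTGC cookie refers to)
        self.sts = {}   # ST id -> (parent TGT id, service URL, issued_at)

    def _check_password(self, username, password):
        # Constructed credential store for the example.
        return (username, password) == ("alice", "correct horse battery")

    def login(self, username, password):
        """/login: primary authentication is the only path that creates a TGT."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        return tgt

    def issue_service_ticket(self, tgt, service):
        """Grant an ST for one service; it rides on the redirect as ?ticket=..."""
        if tgt not in self.tgts:
            raise PermissionError("unknown or expired TGT")
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (tgt, service, time.monotonic())
        return st

    def validate(self, st, service):
        """/serviceValidate: consumes the ST; succeeds once, for the bound service."""
        entry = self.sts.pop(st, None)  # single use: gone after the first attempt
        if entry is None:
            return None
        tgt, bound_service, issued_at = entry
        if bound_service != service or time.monotonic() - issued_at > ST_LIFETIME:
            return None
        return self.tgts.get(tgt)

    def issue_cookie_from_ticket(self, st):
        """The proposed /cas/issueCookie?ticket=xyz endpoint, modelled as refused:
        an ST is derived from a TGT and rides in a query string, so minting a TGT
        from it would turn a single-use, service-scoped token into a full SSO session
        without the user authenticating to CAS; the TGT stays between browser and CAS."""
        raise PermissionError("SSO session requires primary authentication at /login")
```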