Hi,

Just to be sure of my understanding: CORS just needs to be enabled for this new specific operation, right?
I think it could be done with a few lines of code as it's just a couple of headers.

Thanks.
Best regards,
Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

2014-11-28 14:43 GMT+01:00 Romain <romain.gonord.opensou...@neteyes.org>:
> We are currently working with CAS 3.5 and there was a lot of change in version 4.
> I won't be able to check this version for now, but I'll look towards it in the future.
>
> Being able to configure CORS from CAS configuration would be great.
> For now I'm using a Tomcat filter for that purpose:
>
> <filter>
>     <filter-name>CorsFilter</filter-name>
>     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>     <!-- See configuration: http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter -->
>     <init-param>
>         <param-name>cors.exposed.headers</param-name>
>         <param-value>Location</param-value>
>     </init-param>
>     <init-param>
>         <param-name>cors.allowed.methods</param-name>
>         <param-value>POST,DELETE</param-value>
>         <!-- POST is needed for creating TGT and ST,
>              DELETE is needed for logging out -->
>     </init-param>
> </filter>
> <filter-mapping>
>     <filter-name>CorsFilter</filter-name>
>     <url-pattern>/v1/*</url-pattern>
> </filter-mapping>
>
> My use case is very simple but it is enough for our modest need.
> __
> Romain
>
> On 28 Nov. 2014 at 14:30, Jérôme LELEU <lel...@gmail.com> wrote:
>
> > Hi,
> >
> > Thanks for following my advice on the PR. Indeed, it should target 4.x, but it's not a big deal even if we have new REST API support in 4.1 (https://github.com/Jasig/cas/tree/master/cas-server-support-rest).
> >
> > I'm copy/pasting our discussion on security to share with others:
> > - me:
> > I'm wondering if there is some security concern with such a system, like a malicious page I'm currently browsing and which would request some ST on my behalf and without letting me know.
> >
> > - you:
> > So, for the security concern, malicious code could ask for an ST on behalf of the user if nothing is configured correctly on the CAS server. To enable the feature I'm exposing here, you'll need to enable CORS. CORS is something you'll have to configure on the CAS server, so that you can set it the way you want. To avoid malicious code, you can enable CORS only for certain domains (Access-Control-Allow-Origin: http://www.example-social-network.com) instead of all (Access-Control-Allow-Origin: *).
> >
> > It's really an interesting proposal as more and more UIs are built on Javascript (someone says AngularJS). Could we go a little further and propose a simple way to enable CORS in the CAS server at the same time (like with a property: cors.domain=, which may be blank not to enable CORS)?
> >
> > Thanks.
> > Best regards,
> >
> > Jérôme LELEU
> > Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
> > Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org
> >
> > 2014-11-28 14:20 GMT+01:00 Romain <romain.gonord.opensou...@neteyes.org>:
> > Hi all,
> >
> > I have opened a pull request for the 3.5.2.1 branch as it is the version we are working with right now:
> > https://github.com/Jasig/cas/pull/780
> > The feature should be easily adaptable to any other current branch.
> >
> > The idea is the following:
> >
> > - Application A is CASified (classic way with redirection to the CAS server for user authentication)
> > - Webservice W is CASified too (without any redirection, we get a 401 if not authenticated)
> > - W is called from a page of application A (front end workflow)
> > - We'd like to re-use the TGCookie that is set by CAS after authentication
> > - We don't want to manage credentials in Application A to send them to the CAS REST API to get the needed ST to call W.
> > - We're not talking about application A calling directly Webservice W, but web service W being called through a frontend AJAX call from a user authenticated with CAS.
> >
> > => the final idea is to have lots of micro-APIs like web service W, each of them protected by CAS
> >
> > So feel free to tell me if I'm going the wrong way with this matter =)
> >
> > Thanks in advance
> > __
> > Romain-first-time-poster-on-this-list
> >
> > --
> > You are currently subscribed to cas-dev@lists.jasig.org as: lel...@gmail.com
> > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
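The allowlist-based CORS setup the thread converges on (a specific Access-Control-Allow-Origin rather than `*`, driven by a blank-means-disabled `cors.domain` property), written out as a servlet filter. This is an added example, not code from the thread, from the PR, or from CAS itself; the class name `AllowlistCorsFilter`, the init-param name `cors.domain` and the choice of headers are assumptions. It targets the `javax.servlet` API that the quoted Tomcat 7 configuration runs on. The point it makes beyond the thread: because the browser sends the TGC cookie with these requests, the response must name one exact origin and carry `Access-Control-Allow-Credentials`, and the origin comparison must be an exact string match, not a prefix or suffix match.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CORS filter for the CAS REST endpoints (mapped to /v1/* like the
 * Tomcat CorsFilter in the thread). It only ever echoes an Origin that is in the
 * allowlist and never emits "*": the browser attaches the TGC cookie to these
 * requests, and a credentialed response has to be bound to one specific origin.
 */
public class AllowlistCorsFilter implements Filter {

    /** Init-param name; assumed here to mirror the cors.domain property proposed in the thread. */
    static final String ALLOWED_ORIGINS_PARAM = "cors.domain";

    private Set<String> allowedOrigins = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        allowedOrigins = parseOrigins(config.getInitParameter(ALLOWED_ORIGINS_PARAM));
    }

    /** Comma-separated origins; blank or missing leaves CORS disabled (no headers are ever added). */
    static Set<String> parseOrigins(String value) {
        Set<String> result = new HashSet<>();
        if (value == null) {
            return result;
        }
        for (String origin : value.split(",")) {
            String trimmed = origin.trim();
            // A wildcard is deliberately dropped: it would be meaningless with credentials anyway.
            if (!trimmed.isEmpty() && !"*".equals(trimmed)) {
                result.add(trimmed);
            }
        }
        return result;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String origin = request.getHeader("Origin");
        if (origin == null) {
            chain.doFilter(req, res); // same-origin page or non-browser client: nothing to do
            return;
        }

        // Exact match of scheme://host[:port]. No startsWith/endsWith: that is how
        // "https://app.example.org.attacker.test" would otherwise pass for "https://app.example.org".
        if (!allowedOrigins.contains(origin)) {
            if ("OPTIONS".equals(request.getMethod())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN); // preflight from an unknown origin
                return;
            }
            chain.doFilter(req, res); // no CORS headers: the browser withholds the response from the script
            return;
        }

        response.setHeader("Access-Control-Allow-Origin", origin);       // the one matching origin, never "*"
        response.setHeader("Access-Control-Allow-Credentials", "true");  // lets the TGC cookie be sent
        response.addHeader("Vary", "Origin");                            // one origin's answer must not be cached for another
        response.setHeader("Access-Control-Expose-Headers", "Location"); // the ticket URL the REST API returns

        if ("OPTIONS".equals(request.getMethod())) {
            // Preflight answer: only the two methods the thread needs (create tickets, log out).
            response.setHeader("Access-Control-Allow-Methods", "POST, DELETE");
            response.setHeader("Access-Control-Allow-Headers", "Content-Type");
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

It is wired up in web.xml exactly like the quoted Tomcat filter (a `<filter>` with one `<init-param>` named `cors.domain` holding something like `https://app.example.org`, and a `<filter-mapping>` on `/v1/*`). Two things worth keeping in mind when reviewing such a configuration: CORS governs what a cross-origin page may read, not what it may send, so a non-preflighted POST from an unknown origin still reaches CAS and the server-side checks on the REST endpoints remain the real gate; and every entry in the allowlist is a site whose scripts can obtain service tickets for a logged-in user, so the list should stay as short as the `cors.domain` proposal implies.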