Dear CAS Team (and all):

Thank you for the wonderful CAS solution. I am evaluating it for inclusion as part of our package used in the banking domain.

In our package scenario, during certain sensitive steps like authorization, we would force the user to authenticate himself again using a different form of authentication (from the one he/she used during sign-on). To accomplish this in CAS, I am thinking of running two CAS servers: one for the login and another for the second authentication.

Our web app is a RubyOnRails app, hence we use the Ruby CAS client. All our app servlet actions (controllers, as they are called in RubyOnRails) are protected by the main filter from the CAS client. Only for the sensitive actions, I have set up a second CAS client filter. This filter is set to renew, so it authenticates each time a sensitive action is invoked. I have been able to get this setup working. However, I had to fix some bugs in the RubyCAS client, and I will supply the patches to the RubyCAS team.

On the CAS server side, since our app now needs to talk to two CAS servers, the ticket parameter name (called artifact name/id in the Java CAS client) should be different. I patched the class org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl and changed the constant CONST_PARAM_TICKET to 'ticket1' to make this work.

I would appreciate any feedback on this, including some thoughts on the below:

1. Am I on the right track with my attempted solution?
2. Does my approach introduce any security holes?
3. Did I have to patch the CAS server as above to change the artifact name?

Sorry, I was working without internet and didn't have access to the docs as well.

Thank you,
Warm Regards,
Venkat.

--
View this message in context: http://www.nabble.com/Using-CAS-in-scenario-where-two-authentications-are-required-tp15450319p15450319.html
Sent from the CAS Dev mailing list archive at Nabble.com.

_______________________________________________
cas-dev mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas-dev
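
The following Ruby is an added illustration of the step-up filter described in the post above; it is not Venkat's code, nor code from RubyCAS-Client or the CAS project. It sketches the two-server arrangement with distinct ticket parameter names ('ticket' for the sign-on server, 'ticket1' for the step-up server) and the CAS 2.0 login/serviceValidate exchange. The hostnames, the STEPUP_MAX_AGE setting, the use of the configured parameter name on the validate call (assuming, as in the post, that one patched constant drives both the redirect and the validation parameter), the FAKE_VALIDATOR and the XML responses are all assumptions or constructed test data. It goes beyond the post in two ways a reviewer of question 2 would raise: renew=true is sent to serviceValidate as well as to login, so the step-up server rejects a ticket minted from an existing SSO session, and the principal returned by the step-up server must match the user who signed on, so a valid second authentication as some other account does not unlock the sensitive action.

```ruby
require 'uri'
require 'cgi'
require 'rexml/document'

CAS_NS = 'http://www.yale.edu/tp/cas' # CAS 2.0 protocol namespace

# Hypothetical configuration for the two CAS servers (hosts are assumptions).
# Each client reads its own ticket parameter, so the primary filter never
# consumes a ticket meant for the step-up filter and vice versa.
CAS_SERVERS = {
  primary: { base: 'https://sso.example.com/cas',  ticket_param: 'ticket'  },
  stepup:  { base: 'https://sso2.example.com/cas', ticket_param: 'ticket1' }
}.freeze

# Seconds a completed step-up stays valid. 0 forces re-authentication on every
# sensitive request, which is what the post describes.
STEPUP_MAX_AGE = 0

# Redirect target for a CAS login. renew=true makes the server re-prompt for
# credentials even when the browser already holds an SSO session with it.
def cas_login_url(server, service_url, renew: false)
  cfg = CAS_SERVERS.fetch(server)
  params = { 'service' => service_url }
  params['renew'] = 'true' if renew
  "#{cfg[:base]}/login?#{URI.encode_www_form(params)}"
end

# CAS 2.0 serviceValidate URL. The ticket travels under the server's configured
# parameter name (assumption: the patched constant drives both uses). renew=true
# here makes the server reject tickets issued from an existing SSO session rather
# than from freshly entered credentials; without it the login-side renew can be
# bypassed by a browser that already has a TGT at the step-up server.
def cas_validate_url(server, service_url, ticket, renew: false)
  cfg = CAS_SERVERS.fetch(server)
  params = { 'service' => service_url, cfg[:ticket_param] => ticket }
  params['renew'] = 'true' if renew
  "#{cfg[:base]}/serviceValidate?#{URI.encode_www_form(params)}"
end

# Returns the authenticated user from a serviceValidate response, or nil on failure.
def parse_validate_response(xml)
  doc = REXML::Document.new(xml)
  node = REXML::XPath.first(doc, '//cas:authenticationSuccess/cas:user', 'cas' => CAS_NS)
  node && node.text.strip
end

# Extracts the ticket destined for the given server from a query string.
def ticket_from_query(server, query_string)
  name = CAS_SERVERS.fetch(server)[:ticket_param]
  Array(CGI.parse(query_string.to_s)[name]).first
end

# Guard for a sensitive controller action. `session` is a Hash standing in for the
# Rails session and must already carry :cas_user from the primary filter.
# `validator` performs the HTTPS call to serviceValidate and returns the XML body.
# Returns [:ok, user] or [:redirect, login_url].
def stepup_guard(session, service_url, query_string, validator:, now: Time.now.to_i)
  login  = cas_login_url(:stepup, service_url, renew: true)
  ticket = ticket_from_query(:stepup, query_string)

  if ticket
    xml  = validator.call(cas_validate_url(:stepup, service_url, ticket, renew: true))
    user = parse_validate_response(xml)
    # Bind the second authentication to the user who signed on: a valid ticket for
    # some other principal must not unlock this session's sensitive action.
    if user && user == session[:cas_user]
      session[:stepup_at] = now
      return [:ok, user]
    end
    return [:redirect, login]
  end

  if session[:stepup_at] && (now - session[:stepup_at]) < STEPUP_MAX_AGE
    return [:ok, session[:cas_user]]
  end
  [:redirect, login]
end

# --- Constructed test data (not captured from a real server) -----------------
SAMPLE_SUCCESS_XML = <<~XML
  <cas:serviceResponse xmlns:cas='#{CAS_NS}'>
    <cas:authenticationSuccess><cas:user>venkat</cas:user></cas:authenticationSuccess>
  </cas:serviceResponse>
XML

SAMPLE_FAILURE_XML = <<~XML
  <cas:serviceResponse xmlns:cas='#{CAS_NS}'>
    <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
  </cas:serviceResponse>
XML

# Stand-in for the step-up server: only a known ticket validated with renew=true succeeds.
FAKE_VALIDATOR = lambda do |url|
  q = CGI.parse(URI(url).query.to_s)
  ticket = Array(q[CAS_SERVERS[:stepup][:ticket_param]]).first
  renew  = Array(q['renew']).first == 'true'
  (renew && ticket == 'ST-fresh-123') ? SAMPLE_SUCCESS_XML : SAMPLE_FAILURE_XML
end

if $PROGRAM_NAME == __FILE__
  service = 'https://app.example.com/transfer'
  p stepup_guard({ cas_user: 'venkat' }, service, '', validator: FAKE_VALIDATOR)
  p stepup_guard({ cas_user: 'venkat' }, service, 'ticket1=ST-fresh-123', validator: FAKE_VALIDATOR)
  p stepup_guard({ cas_user: 'alice' }, service, 'ticket1=ST-fresh-123', validator: FAKE_VALIDATOR)
end
```

In a Rails app the `validator` would be the real HTTPS client call to the step-up server, and `stepup_guard` would run as the before-filter on the sensitive actions only, with the primary filter still wrapping every controller. Note that a ticket arriving under the primary server's parameter name is ignored here, which is the behaviour the distinct parameter names are meant to guarantee.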
