Thanks for your answer. The main issue is that https://ui.example.com is not a secure application. This is a set of static AngularJS JavaScript/HTML/CSS/image files. So I use my CAS server with the following URL:

https://cas.example.com/login?service=https://ui.example.com/some_folder

only to return the user back into my application, to the proper page, after successful authentication.

So, is it possible in this case to obtain a PT for the API https://api.example.com based on the returned ST for https://ui.example.com?

Another option I'm currently thinking about is to place both of the applications on the same domain, for example:

https://ui.example.com -> https://ui.example.com
https://api.example.com -> https://ui.example.com/api

Will the same ST ticket work for both of them?

Thanks.

On Sunday, December 20, 2015 at 12:05:37 UTC+2, Misagh Moayyed wrote:
> No. It’s not. You need a PT for the API domain.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Destiny Child
> *Sent:* Sunday, December 20, 2015 3:01 AM
> *To:* CAS Community <[email protected]>
> *Subject:* [cas-user] CAS server cross subdomain ST ticket
>
> I have my own Jasig CAS server:
>
> https://cas.example.com
>
> Also, I have two subdomains (applications) connected to this CAS server, for example:
>
> https://ui.example.com
> https://api.example.com
>
> I can successfully create an ST ticket for https://ui.example.com with the following request:
>
> https://cas.example.com/login?service=https://ui.example.com
>
> response:
>
> https://cas.example.com/?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com/
>
> but I'm unable to use this ticket for https://api.example.com
>
> https://api.example.com/api/v1.0/account?ticket=ST-5-p5rVK3OWBKPzwAAZteNw-cas.example.com
>
> with the following error:
>
> access to this resource is forbidden","errors":[{"field":"BadCredentialsException","message":"\n Ticket \u0027ST-5-p5rVK3OWBKPzwAAZteNw-cas-dev.cfwdev.com\u0027 does not match supplied service. The original service was \u0027https://ui.example.com/\u0027 and the supplied service was \u0027https://api.example.com/api/v1.0/account
>
> This is my service configuration:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "^(http?|https?)://.*example.com/.*",
>   "name" : "example.com dev",
>   "theme" : "example",
>   "id" : 20000002,
>   "description" : "example.com dev environment",
>   "proxyPolicy" : {
>     "@class" : "org.jasig.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
>     "pattern" : "^(http?|https?)://.*example.com/.*"
>   },
>   "evaluationOrder" : 2,
>   "usernameAttributeProvider" : {
>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
>   },
>   "logoutType" : "BACK_CHANNEL",
>   "attributeReleasePolicy" : {
>     "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "principalAttributesRepository" : {
>       "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
>     },
>     "authorizedToReleaseCredentialPassword" : false,
>     "authorizedToReleaseProxyGrantingTicket" : false
>   },
>   "accessStrategy" : {
>     "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "ssoEnabled" : true
>   }
> }
>
> Is it possible to issue one ST ticket that will be accepted by both of these subdomains https://ui.example.com and https://api.example.com?
>
> --
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
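
The service binding discussed in this thread, as an added example that is not part of the original messages and is not CAS server code: a simplified in-memory Python model of why an ST issued for the UI is rejected by the API, and how a PT bound to the API URL passes. The class and method names are hypothetical, and the model assumes an exact service match and returns the PGT directly, whereas a real CAS server delivers it through a `pgtUrl` callback.

```python
import secrets

class TicketRegistry:
    """Toy model of CAS ticket rules; one validate() stands in for both
    /serviceValidate and /proxyValidate. Not CAS server code."""

    def __init__(self):
        self._tickets = {}  # ticket id -> (principal, service it was issued for)
        self._pgts = {}     # proxy-granting ticket id -> principal

    def _issue(self, prefix, principal, service):
        tid = f"{prefix}-{secrets.token_urlsafe(12)}"
        self._tickets[tid] = (principal, service)
        return tid

    def grant_service_ticket(self, principal, service):
        return self._issue("ST", principal, service)

    def validate(self, ticket, service, want_pgt=False):
        # Tickets are single use: consumed here even when validation fails.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return {"ok": False, "code": "INVALID_TICKET"}
        principal, issued_for = entry
        if issued_for != service:
            return {"ok": False, "code": "INVALID_SERVICE"}
        result = {"ok": True, "user": principal}
        if want_pgt:
            pgt = f"PGT-{secrets.token_urlsafe(12)}"
            self._pgts[pgt] = principal
            result["pgt"] = pgt
        return result

    def grant_proxy_ticket(self, pgt, target_service):
        # Model of /proxy: the PGT holder gets a PT bound to target_service.
        return self._issue("PT", self._pgts[pgt], target_service)

UI = "https://ui.example.com/"
API = "https://api.example.com/api/v1.0/account"

def demo():
    cas = TicketRegistry()
    # The case in the thread: ST issued for the UI, presented to the API.
    mismatch = cas.validate(cas.grant_service_ticket("alice", UI), API)
    # Proxy route: validate a fresh ST for the UI, receive a PGT,
    # then request a PT whose service is the API URL.
    ui_ok = cas.validate(cas.grant_service_ticket("alice", UI), UI, want_pgt=True)
    pt = cas.grant_proxy_ticket(ui_ok["pgt"], API)
    api_ok = cas.validate(pt, API)
    reuse = cas.validate(pt, API)  # second presentation of the same PT
    return mismatch, api_ok, reuse
```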
