I made some tests regarding web-services. Please refer to this subject on this list:
Validating Service Tickets in POST requests - Securing WS

Regards
Manfredo

2016-07-13 16:49 GMT-03:00 Misagh Moayyed <[email protected]>:

> They are both conceptually, more or less, the same. The caveat with the
> REST API is, you will have to manage the SSO session, and you will need to
> manually pass in the uid/psw to CAS while with the proxy scenario, the user
> is required to be present to do that for you automatically and CAS keeps
> SSO. Also, turning on the REST API has the potential of becoming the target
> of DOS attacks, unless properly secured.
>
> --
> Misagh
>
> From: Robert <[email protected]> <[email protected]>
> Reply: Robert <[email protected]> <[email protected]>
> Date: July 11, 2016 at 1:36:54 AM
> To: CAS Community <[email protected]> <[email protected]>
> Subject: [cas-user] CAS with REST services
>
> We are currently using CAS 3 for a traditional web application, and we are
> moving towards a more modern architecture with a single page application
> and rest services. My first question would be if the CAS protocol is still
> the right choice for us. I don't have experience with development using CAS
> so far, but I tried to gather information about it.
>
> Looking at the CAS protocol at
> https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
> it seems that the normal web flow is not appropriate anymore for our
> application. I read that CAS 4 contains a REST service for requesting TGTs
> and STs. So I had the following simple solution in mind for our application.
> The client (browser) would initially request a TGT from the CAS server and
> store this. Each time when the client needs to call one of our REST services,
> it would request a ST from the CAS server and call our service with the ST.
> The application service would verify the ST with the CAS server before
> executing the method. The downside of this solution is that 2 additional
> remote calls need to be made for each app service call.
>
> Documentation seems to point towards Proxy Granting Tickets, such as in the
> Spring Security documentation
> http://docs.spring.io/spring-security/site/docs/4.1.0.RELEASE/reference/htmlsingle/#cas-pt-client
> But I can't find a conceptual explanation why I need it and how it works.
> When I look at the CAS protocol documentation for proxies it just seems to
> add even more overhead compared to my solution and we would need a proxy
> web application that we need to call instead of the actual app service.
> https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
>
> Thanks for any help you can provide me.
>
> --
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c81eba4-f0ed-45ac-a362-d7f4d95c8077%40apereo.org
> For more options, visit https://groups.google.com/a/apereo.org/d/optout.
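The TGT/ST flow Robert sketches in the thread (one TGT per SSO session, a fresh ST per API call, validated by the application service before the method runs), as an added example that is not part of this thread and not code from the CAS project. It is a Python model: the CAS server is a constructed in-memory stand-in for the ticket registry, the users, service URLs and lifetimes are constructed sample values, and all class and function names are assumptions. The comments name the CAS REST resources each step corresponds to; everything else is illustrative. It also shows why the design still holds up when a single ST leaks: the ticket is bound to one service, is consumed on first validation, and expires within seconds. Misagh's caveat is visible in `issue_tgt`, which is the one step where the client itself handles the user's credentials.

```python
import hmac
import secrets
from dataclasses import dataclass

# Assumed lifetimes for this model (not CAS defaults).
TGT_LIFETIME_S = 8 * 3600   # the long-lived SSO session the client must keep hold of
ST_LIFETIME_S = 10          # service tickets are short-lived and single-use


@dataclass
class GrantingTicket:
    principal: str
    created: float


@dataclass
class ServiceTicket:
    principal: str
    service: str
    created: float


class MockCasServer:
    """Constructed in-memory stand-in for the CAS ticket registry.
    `clock` is injected so ticket expiry can be exercised without sleeping."""

    def __init__(self, users, clock):
        self.users = users      # username -> password; constructed sample data
        self.clock = clock
        self.tgts = {}
        self.sts = {}

    def issue_tgt(self, username, password):
        """REST step 1: POST /cas/v1/tickets with username/password -> TGT.
        The client handles the raw credentials here; that is the trade-off Misagh points out."""
        expected = self.users.get(username, "")
        if not expected or not hmac.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = GrantingTicket(username, self.clock())
        return tgt

    def issue_st(self, tgt, service):
        """REST step 2: POST /cas/v1/tickets/{TGT} with the target service URL -> ST."""
        g = self.tgts.get(tgt)
        if g is None or self.clock() - g.created > TGT_LIFETIME_S:
            self.tgts.pop(tgt, None)
            raise PermissionError("TGT unknown or expired")
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = ServiceTicket(g.principal, service, self.clock())
        return st

    def validate_st(self, st, service):
        """REST step 3: GET /cas/p3/serviceValidate?service=...&ticket=...
        Returns (principal, None) on success or (None, error_code). The ticket is
        removed on the first validation attempt, success or not, so it cannot be replayed."""
        t = self.sts.pop(st, None)
        if t is None:
            return None, "INVALID_TICKET"
        if t.service != service:
            return None, "INVALID_SERVICE"   # minted for a different service URL
        if self.clock() - t.created > ST_LIFETIME_S:
            return None, "EXPIRED_TICKET"    # constructed code; CAS itself reports INVALID_TICKET
        return t.principal, None


class AppService:
    """The protected REST service: validates the ST with CAS before doing any work."""

    def __init__(self, cas, url):
        self.cas = cas
        self.url = url

    def handle(self, st):
        principal, err = self.cas.validate_st(st, self.url)
        if err:
            return {"status": 401, "error": err}
        return {"status": 200, "user": principal}


def run_flow():
    """Walks the client through the flow and records what the app service answers."""
    now = [1_000_000.0]                                   # controllable clock
    cas = MockCasServer({"alice": "correct horse"}, clock=lambda: now[0])
    api = AppService(cas, "https://app.example.test/api/orders")   # constructed URL
    results = {}
    try:
        cas.issue_tgt("alice", "wrong password")
    except PermissionError:
        results["bad_password"] = "rejected"
    tgt = cas.issue_tgt("alice", "correct horse")         # once per SSO session
    # Every API call costs the two extra round trips Robert mentions: issue ST, validate ST.
    st = cas.issue_st(tgt, api.url)
    results["first_call"] = api.handle(st)
    results["replay"] = api.handle(st)                    # same ST presented again
    st_other = cas.issue_st(tgt, "https://other.example.test/")   # constructed URL
    results["wrong_service"] = api.handle(st_other)
    st_late = cas.issue_st(tgt, api.url)
    now[0] += ST_LIFETIME_S + 1
    results["expired"] = api.handle(st_late)
    return results


if __name__ == "__main__":
    for name, outcome in run_flow().items():
        print(f"{name}: {outcome}")
```

Running the module prints one line per scenario; only the first call is accepted, while the replay, the ticket issued for another service, and the stale ticket are all refused by the validation step, which is the property that makes per-call service tickets tolerable to hand to a browser.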
