Support is added to throttle requests, but nothing that would “secure” it. We *could* restrict it to a set of trusted IP patterns, but I don’t think that’s all that practical or useful if done by CAS. Best bet likely would be to resort to good old firewall mechanics perhaps. If you have other suggestions, please share.
-- Misagh

From: [email protected] <[email protected]>
Reply: [email protected] <[email protected]>
Date: July 15, 2016 at 1:47:32 AM
To: jasig-cas-user <[email protected]>
Cc: [email protected] <[email protected]>, [email protected] <[email protected]>
Subject: Re: [cas-user] CAS with REST services

Is there any information about securing the CAS REST API?

On Wednesday, July 13, 2016 at 21:49:26 UTC+2, Misagh Moayyed wrote:

They are both conceptually, more or less, the same. The caveat with the REST API is, you will have to manage the SSO session, and you will need to manually pass in the uid/psw to CAS, while with the proxy scenario the user is required to be present to do that for you automatically and CAS keeps SSO. Also, turning on the REST API has the potential of becoming the target of DoS attacks, unless properly secured.

-- Misagh

From: Robert <[email protected]>
Reply: Robert <[email protected]>
Date: July 11, 2016 at 1:36:54 AM
To: CAS Community <[email protected]>
Subject: [cas-user] CAS with REST services

We are currently using CAS 3 for a traditional web application, and we are moving towards a more modern architecture with a single page application and REST services. My first question would be if the CAS protocol is still the right choice for us. I don't have experience with development using CAS so far, but I tried to gather information about it. Looking at the CAS protocol at https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html it seems that the normal web flow is not appropriate anymore for our application. I read that CAS 4 contains a REST service for requesting TGTs and STs. So I had the following simple solution in mind for our application. The client (browser) would initially request a TGT from the CAS server and store this. Each time the client needs to call one of our REST services, it would request an ST from the CAS server and call our service with the ST.
The application service would verify the ST with the CAS server before executing the method. The downside of this solution is that 2 additional remote calls need to be made for each app service call. Documentation seems to point towards Proxy Granting Tickets, such as in the Spring Security documentation http://docs.spring.io/spring-security/site/docs/4.1.0.RELEASE/reference/htmlsingle/#cas-pt-client but I can't find a conceptual explanation of why I need it and how it works. When I look at the CAS protocol documentation for proxies, it just seems to add even more overhead compared to my solution, and we would need a proxy web application that we need to call instead of the actual app service. https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html Thanks for any help you can provide me.

-- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c81eba4-f0ed-45ac-a362-d7f4d95c8077%40apereo.org. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
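The TGT/ST round trips Robert sketches, as an added example that is not code from the thread or from CAS itself: a client-side TGT and ST fetch plus a service-side validation, written against the CAS REST (`/v1/tickets`) and `serviceValidate` endpoint shapes as I know them and exercised offline against a constructed fake CAS that enforces single-use, service-bound STs. The endpoint paths, the `FakeCas` class, the fixed password and all hostnames are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qsl

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of the CAS 2.0 validation XML

def get_tgt(http, cas, username, password):
    """Once per SSO session: POST credentials, keep the TGT id from Location. http(method, url, body) -> (status, headers, text)."""
    status, headers, _ = http("POST", f"{cas}/v1/tickets",
                              urlencode({"username": username, "password": password}))
    if status != 201:
        raise PermissionError(f"TGT request rejected: HTTP {status}")
    return headers["Location"].rsplit("/", 1)[-1]

def get_st(http, cas, tgt, service):
    """SPA side, per app-service call: exchange the TGT for an ST bound to `service`."""
    status, _, body = http("POST", f"{cas}/v1/tickets/{tgt}", urlencode({"service": service}))
    if status != 200:
        raise PermissionError(f"ST request rejected: HTTP {status}")
    return body.strip()

def validate_st(http, cas, ticket, service):
    """App-service side: CAS confirms `ticket` is valid for *this* service URL; returns the user or None."""
    query = urlencode({"ticket": ticket, "service": service})
    status, _, body = http("GET", f"{cas}/serviceValidate?{query}", None)
    if status != 200:
        return None
    user = ET.fromstring(body).find("cas:authenticationSuccess/cas:user", CAS_NS)
    return None if user is None else user.text

class FakeCas:
    """Constructed stand-in for a CAS server (not real CAS code): one fixed password,
    STs are single-use and bound to the service they were issued for."""
    SUCCESS = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess><cas:user>{}</cas:user></cas:authenticationSuccess></cas:serviceResponse>'
    FAILURE = '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure></cas:serviceResponse>'
    def __init__(self):
        self.tgts, self.sts, self.calls = {}, {}, 0  # calls = remote round-trips made
    def __call__(self, method, url, body):
        self.calls += 1
        p = dict(parse_qsl(body or url.partition("?")[2]))  # form body or query string
        if method == "POST" and url.endswith("/v1/tickets"):
            if p.get("password") != "s3cret": return 401, {}, ""
            tgt = f"TGT-{self.calls}"; self.tgts[tgt] = p["username"]
            return 201, {"Location": f"{url}/{tgt}"}, ""
        if method == "POST" and "/v1/tickets/" in url:
            tgt = url.rsplit("/", 1)[-1]
            if tgt not in self.tgts: return 404, {}, ""
            st = f"ST-{self.calls}"; self.sts[st] = (self.tgts[tgt], p["service"])
            return 200, {}, st
        user, svc = self.sts.pop(p.get("ticket"), (None, None))  # pop => single use
        return 200, {}, self.SUCCESS.format(user) if user and svc == p.get("service") else self.FAILURE
```

The call counter makes the two extra round trips per app-service request visible, and the fake's single-use, service-bound behaviour is why the service must validate each ST with the same service URL it was issued for and never accept a replayed one.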
