Just to be clear - CAS protocol was never designed to work with Ajax and REST resources (non-interactive service-to-service)
Best,
D.

> On Thursday, Nov 03, 2016 at 11:10 AM, Yan Zhou <[email protected]> wrote:
> Hello,
>
> The basic problem is that the CAS login flow works in a browser. However, because of the series of redirects involved, the CAS login flow does not seem to work in Ajax.
>
> This is my set-up: App A has a UI with AngularJS and a backend, App B has NO UI and it offers REST services including credit card services. Both are casified and we have total control. We are trying to use CAS to protect the REST services in B.
>
> App B must be deployed in a PCI environment, but App A does not. If App A was going to talk to or proxy App B, that is not allowed by PCI standards, because A would see credit card info passing along to B, but A is not deployed in a PCI environment.
>
> The idea is for the UI (AngularJS) to talk to App B directly, so that there is not anything else between the user and the PCI environment. I am making the point that Proxy Authentication is not a solution here.
>
> Here is what I am trying to do: a user from the Internet first logs in to CAS and goes to App A's UI. From there, JavaScript makes an Ajax call to App B's REST service. This results in a series of redirects before an application session in B is established and the REST call can proceed. In Ajax, it is failing.
>
> Thanks,
> Yan
>
> On Wed, Nov 2, 2016 at 5:42 PM, Ray Bon <[email protected]> wrote:
> > Yan,
> >
> > If I understand correctly, you have deployed App A and App B. You are not able nor willing to change the CAS config on App B because it breaches PCI compliance.
> > It seems odd that PCI compliance would allow any user access but not allow a proxy.
> > Did you create app A or are both apps from third party vendors?
> >
> > If app B needs to know the user that is sending the request, then you will have to use clearpass, https://apereo.github.io/cas/4.0.x/integration/ClearPass.html.
> > If app B only needs to have an authenticated user, then perhaps App A can perform the log in on behalf of all users. The Ajax calls would go from the App A UI to an App A service that makes the REST calls.
> >
> > What do the creators of App B suggest for authentication?
> >
> > Ray
> >
> > On 2016-11-02 13:12, Yan Zhou wrote:
> > > Thanks for the feedback.
> > >
> > > Unfortunately, we cannot use Proxy Authentication, due to PCI implications. A non-PCI-compliant app proxying a PCI (credit card) service would not be allowed by PCI standards.
> > >
> > > The reason we run into problems with CAS-protected REST services (App B, no UI) is that Ajax somehow does not handle the redirect (even after I enable CORS). The browser does it fine, but it fails when Ajax tries to access the REST endpoint without an application session in place, which triggers the CAS login flow with all the redirects.
> > >
> > > I do not see how OAuth solves that problem. Does that require a login page UI to redirect to and back? Would that not run into the same problem with Ajax?
> > >
> > > Can you elaborate on JSONP? Would app B now have to know the user's password? CAS is nice because the application does not see the user's password, only the CAS server does.
> > >
> > > Thx,
> > > Yan
> > >
> > > On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux <[email protected]> wrote:
> > > > Hi,
> > > >
> > > > Solutions:
> > > > - proxy CAS: As the proxy ticket can only be validated once, you will need to cache the ticket, or create your own session
> > > > - JWT: create a JWT and check it on app B.
> > > > - oauth
> > > > - JSONP login on app B. We are using this quite a lot. Simple and works great.
> > > > Commits implementing this on angular-seed: https://github.com/prigaux/angular-seed/commits/master
> > > > and especially the first one: https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
> > > > I wrote some doc on this, alas in French: http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
> > > >
> > > > Happy CAS,
> > > > cu
> > > >
> > > > On 01/11/2016 20:22, Yan Zhou wrote:
> > > > > Hello,
> > > > >
> > > > > The CAS protocol does not let the apps (CAS clients) get the TGT ticket. We have a need for that.
> > > > >
> > > > > We have two web apps, both are casified in CAS 4.1.X. One web app has an AngularJS (JavaScript) front end, and the other webapp is UI-less, it just offers REST services.
> > > > >
> > > > > JavaScript code in App A wants to call a REST API in App B. We run into problems with CORS, etc. But even after CORS is enabled, we still run into trouble.
> > > > >
> > > > > So, the thought is, if the JavaScript code can get hold of the TGT after the user logs in to app A, then the JS code can use the CAS REST API to authenticate against the 2nd app (the UI-less REST services).
> > > > >
> > > > > Is that a bad idea, and how is that possible?
> > > > >
> > > > > Yan
> > > > >
> > > > > --
> > > > > - CAS gitter chatroom: https://gitter.im/apereo/cas
> > > > > - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> > > > > - CAS documentation website: https://apereo.github.io/cas
> > > > > - CAS project website: https://github.com/apereo/cas
> > > > > ---
> > > > > You received this message because you are subscribed to the Google Groups "CAS Community" group.
> > > > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > > > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org.
> > > >
> > > > --
> > > > Pascal Rigaux
> > > >
> > > > Expert in application development and deployment
> > > > DSIUN-SAS (applications and digital services department)
> > > > Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
> > > > B 402 - 90, rue de Tolbiac - 75634 PARIS CEDEX 13 - FRANCE
> > > > Tel: 01 44 07 86 59
> >
> > --
> > Ray Bon
> > Programmer Analyst
> > Development Services, University Systems
> > 2507218831 | CLE C023 | [email protected]
