Hi,

We are re-engineering an existing application that requires two different interfaces: a web application (accessed via a web browser) and web services. Both interfaces share the same middleware. In the re-engineered code, we added security to the web application by using Spring Security integrated with CAS. However, we have not yet made a final decision on how to add security to the web services.

Originally, we planned to use proxying because that is what the legacy/existing application currently does (it uses version 2.0.12 of the CAS server). That is, a web service client sends the username and password to an Authentication Web Service, which sends the username and password to CAS for authentication and returns a PGTIOU to the web service client. The web service client then sends the PGTIOU to the Authentication Web Service to get a one-time use service ticket, and then uses the one-time use service ticket to call another web service. Is sending the PGTIOU to the client any more secure than sending the actual PGT? If so, why?

Recently, we came across the RESTful API and thought that maybe we could provide the same functionality as the legacy application by using the RESTful API instead of proxying. That is, the Authentication Web Service would send the TGT (obtained via the RESTful API) back to the web service client instead of the PGTIOU, and the web service client would send the TGT to the Authentication Web Service to get the one-time use service ticket. Keep in mind that we must remain backwards compatible, so the Authentication Web Service must still exist in the re-engineered code.

I'd like to know people's opinions on these two options, that is, RESTful API versus proxying. Which is the more appropriate option to use in this case and why? Is one any more secure than the other?

Also, as I understand it, authentication via the web browser works by having the application server redirect the client to the CAS server to authenticate the user for the specified service. The CAS server then authenticates the user and adds the TGT for the specified service to a cookie in the client's web browser. So, I am assuming that the TGT in the cookie is only valid for the specified service. Is that correct?

As I also understand it, when using the RESTful API, a TGT can be obtained by posting the username and password to the proper URL. I thought that if I also specified a service parameter when obtaining the TGT, the TGT would be tied to the specified service, and therefore, if I later tried to get a service ticket using this TGT while specifying a different service, I would get an error. But I didn't. I actually got a valid service ticket, which surprised me. So, again, I'd like to know if TGTs are tied to the specified service or not.

Any feedback would be highly appreciated!

Thanks,
Pat
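The RESTful flow described in the post (credentials to TGT, TGT plus service to a one-time service ticket, then serviceValidate), as an added example that is not from the original post or from the CAS project: a client-side parser for the REST responses plus an in-memory mock of the CAS endpoints, constructed so it runs offline. The host cas.example.test and the user table are assumptions; the mock reproduces the behaviour the post observed, namely that the TGT is a session credential not bound to any service, while each service ticket is bound to the service named when it was issued and is consumed on first validation.

```python
# Added example, not from the original post: a CAS REST-protocol round trip
# against an in-memory mock server so it runs offline (host name is assumed).
import re
import secrets
import xml.etree.ElementTree as ET
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
FAIL_XML = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            '<cas:authenticationFailure code="INVALID_TICKET"/></cas:serviceResponse>')
OK_XML = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
          '<cas:authenticationSuccess><cas:user>{}</cas:user>'
          '</cas:authenticationSuccess></cas:serviceResponse>')

class MockCasServer:
    """Stand-in for the CAS server's /v1/tickets and /serviceValidate endpoints."""
    def __init__(self, users):
        self.users = users   # constructed username -> password table
        self.tgts = {}       # TGT id -> username (session credential, not service-bound)
        self.sts = {}        # ST id -> (username, service); consumed on validation

    def post_tickets(self, username, password):
        """POST /cas/v1/tickets -> (status, Location header carrying the TGT)."""
        if self.users.get(username) != password:
            return 400, None
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self.tgts[tgt] = username
        return 201, f"https://cas.example.test/cas/v1/tickets/{tgt}"

    def post_service_ticket(self, tgt, service):
        """POST /cas/v1/tickets/{TGT} with service=... -> (status, one-time ST)."""
        if tgt not in self.tgts:
            return 404, None
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (self.tgts[tgt], service)
        return 200, st

    def service_validate(self, ticket, service):
        """GET /cas/serviceValidate?ticket=..&service=.. -> CAS 2.0 XML."""
        entry = self.sts.pop(ticket, None)   # one-time use: gone after first check
        if entry is None or entry[1] != service:
            return FAIL_XML
        return OK_XML.format(entry[0])

def tgt_from_location(location):
    """Pull the TGT id out of the 201 response's Location header."""
    m = re.search(r"/v1/tickets/(TGT-[^/]+)$", location or "")
    return m.group(1) if m else None

def validated_user(xml_text):
    """Return cas:user from a serviceValidate response, or None on failure."""
    node = ET.fromstring(xml_text).find("cas:authenticationSuccess/cas:user", CAS_NS)
    return node.text if node is not None else None
```

Against a real deployment the three mock methods map onto HTTP calls to the same paths; the two parsing helpers are the part a client actually needs.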
