Based on what I've learned so far, it seems like using the RESTful API for web service authentication is a reasonable option. Since the target web services are part of our application, there is no need for proxying. Information about the RESTful API can be found at http://www.ja-sig.org/wiki/display/CASUM/RESTful+API.
Below is how I plan to implement web service authentication within our application:

1) A web service client sends the username and password to an Authentication Web Service.
2) The Authentication Web Service sends the username and password to the CAS server via the RESTful API, and obtains a ticket granting ticket (TGT).
3) The Authentication Web Service returns the TGT to the web service client.
4) The web service client sends the TGT and the name of a target web service to the Authentication Web Service to obtain a single-use service ticket for the target web service.
5) The Authentication Web Service sends the TGT and the target web service to the CAS server and obtains a single-use service ticket for the target web service.
6) The Authentication Web Service returns the single-use service ticket to the web service client.
7) The web service client sends the single-use service ticket to the target web service, along with any other parameters.
8) The target web service sends the single-use service ticket and its name (which should match the target web service provided by the web service client when the service ticket was obtained) to the CAS server for validation.
9) If validation is successful, the CAS server returns the username associated with the single-use service ticket to the target web service.
10) Optional Step: The target web service checks if the user is authorized to execute the target web service.
11) If authentication (and optionally authorization) is successful, the target web service processes the web service client's request and returns the result to the client.

If anyone thinks that this implementation would be insecure, please let me know.

Thanks a lot,
Pat
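The ticket exchange in steps 2, 5, 8 and 9 above, as an added example that is not part of the original post or of the CAS project's own code. `FakeCasServer` is a constructed in-memory stand-in for three CAS endpoints (the `/cas/v1/tickets` REST paths from the RESTful API page and the CAS 2.0 `/cas/serviceValidate` endpoint); the client helpers send the same method, path and form fields a real client would, so only the transport is simulated. The user `alice`, her password and the service URLs are constructed sample values. The run at the end shows the three properties the post relies on: a service ticket validates once, a replay of the same ticket fails, and a ticket obtained for one service is rejected when a different service presents it.

```python
"""Added example: the CAS ticket flow from the post, modelled offline.

FakeCasServer is a constructed stand-in for the CAS server (assumption: it
mirrors the real endpoints' inputs and outputs closely enough to illustrate
the flow). Users, passwords and service URLs are constructed sample data.
"""
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace used by CAS serviceValidate XML


def _failure(code):
    """CAS-style authenticationFailure response body."""
    return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
            f"<cas:authenticationFailure code='{code}'>{code}"
            "</cas:authenticationFailure></cas:serviceResponse>")


class FakeCasServer:
    """In-memory stand-in for the CAS REST API and serviceValidate (assumed shape)."""

    def __init__(self, users, st_ttl_seconds=10.0):
        self.users = users            # constructed username -> password map
        self.tgts = {}                # TGT id -> username
        self.sts = {}                 # ST id -> (username, service, issued_at)
        self.st_ttl = st_ttl_seconds  # unused service tickets expire quickly

    def handle(self, method, url, body=""):
        """Dispatch one HTTP-like request; returns (status, headers, body)."""
        parts = urlparse(url)
        form = {k: v[0] for k, v in parse_qs(body).items()}
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        # Step 2: username + password -> TGT, returned in the Location header
        if method == "POST" and parts.path == "/cas/v1/tickets":
            expected = self.users.get(form.get("username", ""), "")
            if not hmac.compare_digest(expected, form.get("password", "")):
                return 400, {}, "authentication failed"
            tgt = "TGT-" + secrets.token_urlsafe(16)
            self.tgts[tgt] = form["username"]
            return 201, {"Location": "/cas/v1/tickets/" + tgt}, ""
        # Step 5: TGT + service -> single-use ST bound to exactly that service
        if method == "POST" and parts.path.startswith("/cas/v1/tickets/"):
            user = self.tgts.get(parts.path.rsplit("/", 1)[1])
            if user is None or "service" not in form:
                return 400, {}, "invalid TGT or missing service"
            st = "ST-" + secrets.token_urlsafe(16)
            self.sts[st] = (user, form["service"], time.monotonic())
            return 200, {}, st
        # Steps 8-9: the ticket is consumed on first use, then checked
        if method == "GET" and parts.path == "/cas/serviceValidate":
            entry = self.sts.pop(query.get("ticket", ""), None)
            if entry is None:
                return 200, {}, _failure("INVALID_TICKET")
            user, service, issued = entry
            if service != query.get("service"):
                return 200, {}, _failure("INVALID_SERVICE")
            if time.monotonic() - issued > self.st_ttl:
                return 200, {}, _failure("INVALID_TICKET")
            return 200, {}, (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
                             f"<cas:authenticationSuccess><cas:user>{escape(user)}"
                             "</cas:user></cas:authenticationSuccess></cas:serviceResponse>")
        return 404, {}, "not found"


# Client side: what the Authentication Web Service and the target service send.
def get_tgt(cas, username, password):
    """Step 2. Returns the TGT id, or None if the credentials are rejected."""
    status, headers, _ = cas.handle(
        "POST", "/cas/v1/tickets", urlencode({"username": username, "password": password}))
    return headers["Location"].rsplit("/", 1)[1] if status == 201 else None


def get_service_ticket(cas, tgt, service):
    """Step 5. Returns a single-use ST bound to `service`, or None."""
    status, _, body = cas.handle("POST", "/cas/v1/tickets/" + tgt, urlencode({"service": service}))
    return body if status == 200 else None


def validate_service_ticket(cas, ticket, service):
    """Steps 8-9. Returns the username CAS vouches for, or None on any failure."""
    _, _, body = cas.handle(
        "GET", "/cas/serviceValidate?" + urlencode({"ticket": ticket, "service": service}))
    user = ET.fromstring(body).find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return None if user is None else user.text


def run_flow():
    """Walk the flow once and return what each validation attempt yielded."""
    cas = FakeCasServer({"alice": "correct horse"})  # constructed user
    payroll, reports = "https://app.example/payroll", "https://app.example/reports"
    tgt = get_tgt(cas, "alice", "correct horse")
    st = get_service_ticket(cas, tgt, payroll)
    first = validate_service_ticket(cas, st, payroll)    # step 9: "alice"
    replay = validate_service_ticket(cas, st, payroll)   # single use: None
    st2 = get_service_ticket(cas, tgt, payroll)
    wrong = validate_service_ticket(cas, st2, reports)   # wrong service: None
    bad = get_tgt(cas, "alice", "wrong password")         # bad login: None
    return {"first": first, "replay": replay, "wrong_service": wrong, "bad_login": bad}


if __name__ == "__main__":
    print(run_flow())
```

Two design points are worth carrying into the real implementation: the target web service takes the username only from the CAS validation response, never from anything the client sent alongside the ticket, and the service ticket is consumed before the service name is compared, so a ticket presented to the wrong service is spent rather than left available for a second attempt.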
