Dale Ogilvie wrote:
> The disadvantage of your approach below is that now the TGT is exposed
> in the "web service client" space and in the pipe between the client and
> your "authentication web service".

Another feature of this method is that the TGT is worth nothing in terms of the future needs of STs. In a login-form-only scenario, the TGT would get added to the browser's cookie allowing for SSO and other goodies. In this case the TGT is wasted and credentials shall be passed for every access request to a service.

> I also wonder why the "authentication web service" exists. Why not go
> straight to the restful api from the web service client? I don't think
> the authentication web service adds anything useful, but maybe I
> misunderstand.

From Pat's explanation, I assume the web service exists only for authorization purposes, i.e., a middleware for user-service access control mapping, maybe with access to a specific DB or LDAP server with that authorization information, that neither CAS nor the application can or want to access.

--
José Miguel Parrella Romero (bureado.com.ve)
PGP: 0x88D4B7DF
Debian Developer
Caracas, VE/Quito, EC
