Jose,

> Dale Ogilvie wrote:
> > The disadvantage of your approach below is that now the TGT is exposed
> > in the "web service client" space and in the pipe between the client and
> > your "authentication web service".
> 
> Another feature of this method is that the TGT is worth nothing in terms
> of the future needs of STs. In a login-form-only scenario, the TGT would
> get added to the browser's cookie allowing for SSO and other goodies. In
> this case the TGT is wasted and credentials shall be passed for every
> access request to a service.

By credentials, do you mean either the username and password, or the TGT?
Because the username and password are passed only once.  After that, only
the TGT is passed to the Authentication Web Service so a service ticket can
be obtained.  In my view, that's essentially the same thing that happens
when authentication is done via the web browser, except that in the case
of the web browser, it happens transparently to the user, and in the case
of the web service client, the client needs to get a service ticket every
time.

There might be a better way of doing this, that is, so the client doesn't
need to get a service ticket every time, but since that's how the existing
version of the application works, the future version of the application needs
to support this as well.

> > I also wonder why the "authentication web service" exists. Why not go
> > straight to the restful api from the web service client? I don't think
> > the authentication web service adds anything useful, but maybe I
> > misunderstand.
> 
> From Pat's explanation, I assume the web service exists only for
> authorization purposes, i.e., a middleware for user-service access
> control mapping, maybe with access to a specific DB or LDAP server with
> that authorization information, that neither CAS nor the application can
> or want to access.

The authentication web service must exist for backwards compatibility only.
But the other web services, which will receive a service ticket from the
web service client, will both authenticate and authorize the user before
processing the web service client's request.

Thanks again for your reply,

Pat
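The flow Pat describes above (primary credentials sent once, then the TGT presented for a fresh service ticket on every request, validated by the backend service), as an added illustration that is not code from the CAS project or from anyone in this thread. It assumes an in-memory ticket store, a constructed user table, and an injectable clock for testing; service tickets are single-use and bound to one service, which is the property that limits the damage if an ST is observed on the wire.

```python
import hmac
import secrets
import time


class TicketGrantingService:
    """Stand-in for the thread's 'Authentication Web Service' (constructed example)."""

    def __init__(self, users, tgt_ttl=3600, st_ttl=30, clock=time.time):
        self._users = users      # {username: password}; real deployments store hashes
        self._tgts = {}          # tgt -> (username, expiry)
        self._sts = {}           # st  -> (username, service, expiry)
        self._tgt_ttl, self._st_ttl, self._clock = tgt_ttl, st_ttl, clock

    def login(self, username, password):
        """Username and password are sent only here; a TGT comes back."""
        stored = self._users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self._tgts[tgt] = (username, self._clock() + self._tgt_ttl)
        return tgt

    def issue_service_ticket(self, tgt, service):
        """The client presents its TGT (never the password) once per request."""
        entry = self._tgts.get(tgt)
        if entry is None or entry[1] < self._clock():
            raise PermissionError("unknown or expired TGT")
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (entry[0], service, self._clock() + self._st_ttl)
        return st

    def validate(self, st, service):
        """Called by the backend web service; an ST is single-use and service-bound."""
        entry = self._sts.pop(st, None)   # pop: a replayed ST is rejected
        if entry is None:
            return None
        username, bound_service, expiry = entry
        if bound_service != service or expiry < self._clock():
            return None
        return username


def client_session(cas, username, password, services):
    """Web service client flow from the thread: log in once, then one ST per call.
    Returns the username each backend service saw after validating its ST."""
    tgt = cas.login(username, password)
    seen = []
    for service in services:
        st = cas.issue_service_ticket(tgt, service)
        seen.append(cas.validate(st, service))
    return seen
```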


-- 
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
