On 03.09.2011 00:31, Lars Huttar wrote:
> Unfortunately the client is COTS software. I've asked the company for
> such a modification -- i.e. start with a simple GET request so that the
> authorization can finish before sending important POST data -- but they
> have a huge number of customers, and I have little reason to expect this
> to happen in the near future.
>> Just a pragmatic solution, I would think. Another crazy idea could
>> be to obtain a Proxy Ticket for your application. It's basically
>> made for working with automated backend work of servers
>> (web services, IMAP etc.)
> Can you give any more details on what this would mean?
Since you are using mod_auth_cas it might not be possible. The current
feature list says they don't support being proxied [1]. I guess you can
maybe trick it into doing it anyway by changing the validation URL to
/proxyValidate instead of /serviceValidate. (CAUTION: This poses a
security risk, since it allows any service with ANY valid PT to proxy
this service in the name of a user.)
Have a look at the wiki [2,3]. But since you have a COTS client it might be
difficult to implement that: you could basically build a web service that
allows a user to acquire a PT, somehow hand it over to the desktop app,
include it as a GET parameter in your POST, and then it can be directly
used in the authentication.
This whole idea contains a lot of ifs/buts and security-wise also leaves
a lot of questions open. As I said: CRAZY!!
Have you thought about changing your web service to return a web server
error 400 (or 500) or something similar if a client hits the page without
POSTing an actual SOAP request? This would force a well-written client
to try again. This would probably mean hacking your web service a bit,
because I currently know of no Apache controls to do that in front of the
actual service. For GET one could use rewrite, but for POST I'm at a loss...
If you figure out a solution, please share. :D
Regards,
Joachim
[1]https://wiki.jasig.org/display/CASC/Client+Feature+Matrix
[2]https://www.jasig.org/cas/proxy-authentication
[3]https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
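The caution Joachim raises above is the crux of the proxy-ticket idea: a service that simply points its validation at /proxyValidate gets a success response for any valid PT, regardless of who obtained it. The CAS 2.0 response carries the proxy chain in a <cas:proxies> element, and the service has to check that chain itself. The following is an added example, not code from this thread, from mod_auth_cas or from the CAS project: it parses a /proxyValidate response, accepts direct logins (no chain), and accepts proxied logins only when every hop is on an allow-list. It also shows pulling the ticket out of the query string of the client's POST, as Joachim suggests. The CAS server URL, service URL, user name, ticket values and proxy callback URLs are constructed placeholders, and the sample responses are hand-written in the CAS 2.0 format rather than captured from a server.

```python
# Added example: validating a CAS /proxyValidate response and enforcing a
# proxy allow-list. Not part of the original thread, mod_auth_cas or CAS.
# All URLs, names and tickets below are made-up placeholders.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


@dataclass
class ProxyValidation:
    ok: bool
    user: Optional[str] = None
    proxies: List[str] = field(default_factory=list)  # most recent proxy first
    error: Optional[str] = None


def ticket_from_query(query_string: str) -> Optional[str]:
    """Pull the ticket out of the POST's query string (the 'GET parameter
    in your POST' that the desktop client would have to add)."""
    values = parse_qs(query_string).get("ticket")
    return values[0] if values else None


def proxy_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Build the /proxyValidate request. `service` must be exactly the
    service (or targetService) the ticket was issued for, or CAS rejects it."""
    return cas_base.rstrip("/") + "/proxyValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_proxy_validate(xml_text: str) -> ProxyValidation:
    """Parse a CAS 2.0 <cas:serviceResponse> returned by /proxyValidate."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ProxyValidation(ok=False, error="MALFORMED")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ProxyValidation(ok=False, error=failure.get("code", "UNKNOWN"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return ProxyValidation(ok=False, error="MALFORMED")
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    if not user:
        return ProxyValidation(ok=False, error="MALFORMED")
    proxies = [p.text.strip()
               for p in success.findall("cas:proxies/cas:proxy", CAS_NS)
               if p.text and p.text.strip()]
    return ProxyValidation(ok=True, user=user, proxies=proxies)


def accept_ticket(xml_text: str, trusted_proxies: Iterable[str]) -> ProxyValidation:
    """Policy: a direct login (empty chain) is accepted; a proxied login is
    accepted only if every hop in the chain is trusted. An empty allow-list
    therefore refuses all PTs, i.e. behaves like /serviceValidate."""
    result = parse_proxy_validate(xml_text)
    if not result.ok:
        return result
    trusted = set(trusted_proxies)
    untrusted = [p for p in result.proxies if p not in trusted]
    if untrusted:
        return ProxyValidation(ok=False, user=result.user, proxies=result.proxies,
                               error="UNTRUSTED_PROXY:" + untrusted[0])
    return result


# Constructed sample responses in CAS 2.0 format (not captured from a server).
DIRECT_LOGIN = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>lhuttar</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

PROXIED_LOGIN = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>lhuttar</cas:user>
    <cas:proxies>
      <cas:proxy>https://pt-broker.example.org/pgtCallback</cas:proxy>
      <cas:proxy>https://portal.example.org/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

INVALID_TICKET = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket PT-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    ticket = ticket_from_query("ticket=PT-1-abc&wsdl=0")
    print(proxy_validate_url("https://cas.example.org/cas", "https://svc.example.org/soap", ticket))
    print(accept_ticket(PROXIED_LOGIN, []))                                   # refused: not proxy-aware
    print(accept_ticket(PROXIED_LOGIN, ["https://pt-broker.example.org/pgtCallback",
                                        "https://portal.example.org/pgtCallback"]))  # accepted
```

The allow-list is keyed on the proxy callback URLs CAS reports in the chain, and the whole chain is checked rather than only the first hop, so a trusted broker cannot be used to launder a PT obtained by an untrusted service further up the chain. For a production parser, prefer defusedxml over the standard ElementTree when the XML comes from a network peer.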