Are your users authenticating through a normal CAS login page before accessing the page that kicks off the web service calls or are you trying to bypass the CAS login screen? The general advice is that you should avoid bypassing the CAS login page/authenticating via a web service.
Assuming they are logging in through the CAS login page via a CASified .NET application, the caller of the service requests has a FormsAuthenticationTicket & FormsAuthenticationCookie.

If your web services are running on the same server as the application, you can configure your web services to respect the FormsAuthenticationTicket and the HttpContext.User.Identity will be set automatically. Assuming your web services are WCF-based, you'll need to turn on compatibility mode in order to have WCF integrated into the ASP.NET pipeline. Otherwise it won't be aware of Forms Auth.

If they are on different servers under the same domain (i.e., a.cortland.edu and b.cortland.edu) and you have control of both environments, it's possible to get the FormsAuthenticationCookie to work between them, but there are some security implications. The 2 domains would need to share a common machineKey and the FormsAuthenticationCookie's domain would need to be set to cortland.edu. Both are doable from web.config and/or machine.config.

In all other cases, I think you want to take a look at proxy tickets. Your users would log in to the CAS server via a CAS login screen and get a proxy granting ticket (PGT). The .NET CAS will let you use that PGT to generate proxy tickets through a simple API call. It takes some configuration to get it working and there are some SSL considerations, but this is probably the route you'll want to go down. You can send the proxy tickets to your web services and the web services can validate them on their end. The CAS server will verify that they are legitimate and will identify the user. If you're anticipating a lot of service calls, you would likely want to implement something in your web services layer to turn a proxy ticket into some kind of a service token so you don't have to keep generating & validating proxy tickets. I believe that they can only be verified once.

There's some sample code in SVN where the example web site generates a proxy ticket and passes it as a command line argument to a ClickOnce app. The ClickOnce app verifies the ticket and bypasses the app's login screen. This is essentially the same idea as the web service call idea.

If you have any questions, please provide some details about which of these scenarios applies to your situation.

-ScottH

On Tue, Jan 31, 2012 at 7:17 PM, Joshua Peluso <[email protected]> wrote:

> Hi All-
>
> We are developing .NET webservices, which essentially produce JSONP
> results to be consumed by jquery. Has anyone found a way to make
> asynchronous calls with javascript to a webservice and have that webservice
> authenticate to a CAS server? We are spinning our wheels and wonder if
> anyone has accomplished this.
>
> Thanks.
>
> ________________________________
> Joshua Peluso 00'
> Director
> Systems Administration & Web Services
> Winchell Hall
> 607.753.5514
> [email protected]<mailto:[email protected]>
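
The proxy-ticket-to-service-token exchange suggested in the reply above, as an added example on the web service side; it is not code from the thread or from the .NET CAS client. It assumes .NET 6 or later and a CAS 2.0 `/proxyValidate` XML response; the HTTPS call to the CAS server is replaced by a constructed response, and the class name, token format, user and proxy callback URL are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

static class ProxyTicketExchange
{
    static readonly XNamespace Cas = "http://www.yale.edu/tp/cas"; // CAS 2.0 response namespace
    // Assumption: per-process random key; share a protected key if several servers verify tokens.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);
    static string Sign(string body) =>
        Convert.ToBase64String(HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes(body)));
    // Returns the user named in a /proxyValidate response body, or null if it must be rejected.
    public static string? UserFromValidation(string xml, string[] trustedProxies)
    {
        XElement? ok = XDocument.Parse(xml).Root?.Element(Cas + "authenticationSuccess");
        if (ok == null) return null; // cas:authenticationFailure, e.g. ticket invalid or already used
        // Require a proxy chain, and require every proxy in it to be one we trust.
        var chain = ok.Element(Cas + "proxies")?.Elements(Cas + "proxy").Select(p => p.Value.Trim()).ToList();
        if (chain == null || chain.Count == 0 || chain.Any(p => !trustedProxies.Contains(p))) return null;
        return ok.Element(Cas + "user")?.Value.Trim();
    }
    // Hypothetical token format: base64(user) "." unix-expiry "." base64(HMAC-SHA256)
    public static string IssueToken(string user, DateTimeOffset expires)
    {
        string body = Convert.ToBase64String(Encoding.UTF8.GetBytes(user)) + "." + expires.ToUnixTimeSeconds();
        return body + "." + Sign(body);
    }
    public static string? VerifyToken(string token, DateTimeOffset now)
    {
        string[] p = token.Split('.');
        if (p.Length != 3 || !long.TryParse(p[1], out long exp)) return null;
        bool macOk = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(Sign(p[0] + "." + p[1])), Encoding.UTF8.GetBytes(p[2]));
        if (!macOk || now.ToUnixTimeSeconds() >= exp) return null;
        return Encoding.UTF8.GetString(Convert.FromBase64String(p[0])); // safe: MAC already checked
    }
    static void Main()
    {
        // Constructed sample response; the user and proxy callback URL are placeholders.
        string xml = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>" +
            "<cas:user>jdoe</cas:user><cas:proxies><cas:proxy>https://app.example.edu/proxyCallback</cas:proxy>" +
            "</cas:proxies></cas:authenticationSuccess></cas:serviceResponse>";
        string? user = UserFromValidation(xml, new[] { "https://app.example.edu/proxyCallback" });
        Console.WriteLine(user == null ? "ticket rejected"
            : VerifyToken(IssueToken(user, DateTimeOffset.UtcNow.AddMinutes(10)), DateTimeOffset.UtcNow));
    }
}
```

Each proxy ticket is validated against CAS once; later calls in the same session present the short-lived token, which the service checks locally with `VerifyToken`.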
