We have used SPNEGO and PGTs with ExtJS to avoid using a logon screen to the server.
Greg

On Feb 1, 2012 4:21 AM, "Scott" <[email protected]> wrote:

> Are your users authenticating through a normal CAS login page before
> accessing the page that kicks off the web service calls or are you trying
> to bypass the CAS login screen? The general advice is that you should
> avoid bypassing the CAS login page/authenticating via a web service.
>
> Assuming they are logging in through the CAS login page via a CASified
> .NET application, the caller of the service requests have a
> FormsAuthenticationTicket & FormsAuthenticationCookie. If your web
> services are running on the same server as the application, you can
> configure your web services to respect the FormsAuthenticationTicket and
> the HttpContext.User.Identity will be set automatically. Assuming your web
> services are WCF-based, you'll need to turn on compatibility mode in order
> to have WCF integrated into the ASP.NET pipeline. Otherwise it won't be
> aware of Forms Auth.
>
> If they are on different servers under the same domain (i.e.,
> a.cortland.edu and b.cortland.edu) and you have control of both
> environments, it's possible to get the FormsAuthenticationCookie to work
> between them, but there are some security implications. The 2 domains
> would need to share a common machineKey and the FormsAuthenticationCookie's
> domain would need to be set to cortland.edu. Both are doable from
> web.config and/or machine.config.
>
> In all other cases, I think you want to take a look at proxy tickets.
> Your users would log in to the CAS server via a CAS login screen and get a
> proxy granting ticket (PGT). The .NET CAS will let you use that PGT to
> generate proxy tickets through a simple API call. It takes some
> configuration to get it working and there are some SSL considerations, but
> this is probably the route you'll want to go down. You can send the proxy
> tickets to your web services and the web services can validate them on
> their end. The CAS server will verify that they are legitimate and will
> identify the user.
>
> If you're anticipating a lot of service calls, you would likely want to
> implement something in your web services layer to turn a proxy ticket into
> some kind of a service token so you don't have to keep generating &
> validating proxy tickets. I believe that they can only be verified once.
>
> There's some sample code in SVN where the example web site generates a
> proxy ticket and passes it as a command line argument to a ClickOnce app.
> The ClickOnce app verifies the ticket and bypasses the app's login screen.
> This is essentially the same idea as the web service call idea.
>
> If you have any questions, please provide some details about which of
> these scenarios applies to your situation.
>
> -ScottH
>
> On Tue, Jan 31, 2012 at 7:17 PM, Joshua Peluso <[email protected]> wrote:
>
>> Hi All-
>>
>> We are developing .NET webservices, which essentially produce JSONP
>> results to be consumed by jQuery. Has anyone found a way to make
>> asynchronous calls with JavaScript to a webservice and have that webservice
>> authenticate to a CAS server? We are spinning our wheels and wonder if
>> anyone has accomplished this.
>>
>> Thanks.
>>
>> ________________________________
>> Joshua Peluso 00'
>> Director
>> Systems Administration & Web Services
>> Winchell Hall
>> 607.753.5514
>> [email protected]
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
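
The service-token idea from Scott's quoted reply, as an added example that is not part of the thread or of the .NET CAS client: the web service validates a proxy ticket once, reads the user from the CAS response, and hands the caller a short-lived HMAC-signed token for later calls. The class and method names, the token layout and the 10-minute lifetime are assumptions, the CAS response is a constructed sample, and the code targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

public static class ServiceTokenDemo   // hypothetical name, not from the .NET CAS client
{
    static readonly XNamespace Cas = "http://www.yale.edu/tp/cas"; // CAS 2.0 XML namespace
    // Returns the user from a CAS 2.0 validation response, or null if it is not a success.
    public static string UserFromCasResponse(string xml) =>
        XDocument.Parse(xml).Root?.Element(Cas + "authenticationSuccess")?.Element(Cas + "user")?.Value.Trim();
    // Token layout (an assumption): base64(user|expiryUnixSeconds) "." base64(HMAC-SHA256 of payload).
    public static string Issue(string user, DateTimeOffset expires, byte[] key)
    {
        var payload = Encoding.UTF8.GetBytes(user + "|" + expires.ToUnixTimeSeconds());
        using (var mac = new HMACSHA256(key))
            return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(mac.ComputeHash(payload));
    }

    // Checks the MAC in constant time before trusting any field, then the expiry.
    public static string Validate(string token, DateTimeOffset now, byte[] key)
    {
        var parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, sig;
        try { payload = Convert.FromBase64String(parts[0]); sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        using (var mac = new HMACSHA256(key))
            if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(payload), sig)) return null;
        var text = Encoding.UTF8.GetString(payload);
        int bar = text.LastIndexOf('|');
        if (bar < 0 || !long.TryParse(text.Substring(bar + 1), out long exp)) return null;
        return now.ToUnixTimeSeconds() < exp ? text.Substring(0, bar) : null;
    }

    public static void Main()
    {
        // Constructed sample of a successful CAS 2.0 proxy ticket validation response.
        const string casXml =
            "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess>" +
            "<cas:user>jdoe</cas:user></cas:authenticationSuccess></cas:serviceResponse>";
        var key = RandomNumberGenerator.GetBytes(32);   // server-side secret, never sent to the browser
        var now = DateTimeOffset.UtcNow;
        var user = UserFromCasResponse(casXml);         // done once per proxy ticket
        var token = Issue(user, now.AddMinutes(10), key);
        Console.WriteLine(Validate(token, now, key));                        // inside the lifetime
        Console.WriteLine(Validate(token, now.AddMinutes(11), key) == null); // after expiry
    }
}
```

Because the token goes to browser-side JavaScript, keep its lifetime short and send it only over HTTPS; once it expires the caller needs a fresh proxy ticket.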
