On Fri, Oct 12, 2012 at 12:35 PM, Richard Yang <[email protected]> wrote:
> The example in https://wiki.jasig.org/display/CASUM/RESTful+API shows that
> username and password are needed to call CAS to generate a TGT. In our case,
> the user is already logged in to our own application. Can we not pass the
> password to the CAS server, since the user is already authenticated in our
> application?

Yes, although this is not a typical deployment strategy and generally breaks the CAS security model. A more consistent/secure model would be for your application to use CAS to authenticate the user and then use Proxy Tickets to access backend services on behalf of the user. The REST API was mostly introduced to enable service-to-service authentication without any specific user present.

> The second question is: can we append the generated ST to the service URL
> only when we need to go through CAS? We only need to check with CAS for a few
> service calls. The majority of requests in our application do not need to go
> through CAS, as our application has its own authentication.

I'm not sure I understand your question. Using the REST API your application can request STs for backend services that require CAS authentication... a better approach would be to use Proxy Tickets in the case where you have a user present.

> The third question is that if a third-party application wants to
> authenticate our request (with ST appended) with the CAS server, what API can the
> third-party application use to make sure that our request is from a
> trusted source?

The 3rd party application/services would use one of the many CAS clients.

http://www.jasig.org/cas/client-integration

> Sorry if the questions do not make sense. I am a newbie and we do not want
> to go through CAS for all requests.

I encourage you to review the Proxy Ticket feature and use cases. Not all requests literally have to "go through" CAS... once an ST is obtained, CAS can be pretty much out of the picture.
http://www.jasig.org/cas/proxy-authentication

Authenticating to a Stateless Service with CAS:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/cas.html

Best,
Bill

> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
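What a CAS client does for the third question above (validating an appended ST, and refusing a ticket that arrived through a proxy the relying service does not trust), as an added example that is not part of this thread: it parses the CAS 2.0 serviceValidate/proxyValidate XML response. The sample responses, the user name and the proxy callback URL are constructed for illustration; in a real deployment the relying service fetches this XML itself over HTTPS from the CAS server, passing the ST and its own service URL.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses in the CAS 2.0 /proxyValidate format
# (not captured from any real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies>
      <cas:proxy>https://portal.example.edu/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-EXAMPLE not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_validation_response(xml_text, allowed_proxies):
    """Return (ok, user, reason).

    The ST is accepted only if CAS reports success AND every proxy in the
    chain is one this service trusts: a ticket minted via an unknown proxy
    is rejected even though CAS itself considers it valid.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return False, None, f"{failure.get('code')}: {failure.text.strip()}"
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return False, None, "MALFORMED: neither success nor failure element"
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    # A plain /serviceValidate response carries no <cas:proxies>; the chain
    # check below is then vacuous and only the success flag matters.
    proxies = [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)]
    for proxy in proxies:
        if proxy not in allowed_proxies:
            return False, user, f"UNTRUSTED_PROXY: {proxy}"
    return True, user, "OK"


if __name__ == "__main__":
    print(parse_validation_response(SUCCESS_XML, {"https://portal.example.edu/pgtCallback"}))
    print(parse_validation_response(SUCCESS_XML, set()))
    print(parse_validation_response(FAILURE_XML, set()))
```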
