Richard,

By design, only CAS can set and read the CAS ticket granting cookie. This is important to the security of using CAS, since if your CAS TGC was readable more widely (by, say, your application on a different domain), then applications able to read the cookie could read it and use it to craft their own requests to get service tickets in the name of the user. That is, this would enable illicit delegation.

So. What are you trying to do? The RESTful API is more intended for your application to authenticate as itself to get a TGT to obtain STs authenticating itself to other services. If you want to be authenticating end users, then the intent of the CAS design is for your application to send those users to CAS to log in to CAS directly, obtain a ST to log in to your application, and then your application can obtain a PGT from that if you need to be getting PTs to authenticate to other applications on the user's behalf.

Hope this helps,

Andrew

On Fri, Oct 19, 2012 at 2:46 PM, Richard Yang <[email protected]> wrote:

> I am calling cas Restful API to generate a TGT. I would like to store this as the value in the CASTGC. But the domain of my application is different from that of the cas server. So can I fool the cas server to make it think this is a valid cookie?
>
> Otherwise, I had to generate a ST for each service request programmatically using Restful api. This approach has its drawback as it involves application code to manage the ST.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
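
Added example, not part of the original thread: a small model of the browser's RFC 6265 cookie scoping rules, showing why a CASTGC set by the CAS host is only returned to CAS and why an application on another domain cannot set one for it. The host names, the `/cas` path and the cookie attributes are constructed assumptions, and the public-suffix check real browsers also apply is left out.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: identical, or host is a subdomain of cookie_domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: equal, or cookie_path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def browser_accepts(setting_host, domain_attr):
    """A response may only set Domain= values that domain-match its own host."""
    return domain_attr is None or domain_match(setting_host, domain_attr)

def browser_sends(cookie, url):
    """Would the browser attach this stored cookie to a request for url?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not domain_match(host, cookie["domain"]):
        return False
    if cookie["secure"] and parts.scheme != "https":
        return False
    return path_match(parts.path or "/", cookie["path"])

# Constructed sample: TGC as set by a CAS server with no Domain attribute.
CASTGC = {"name": "CASTGC", "domain": "cas.example.edu", "host_only": True,
          "path": "/cas", "secure": True}
# Constructed misconfiguration: Domain widened to the parent domain.
WIDE_TGC = dict(CASTGC, domain="example.edu", host_only=False)

if __name__ == "__main__":
    for url in ("https://cas.example.edu/cas/login",
                "https://app.example.org/cas/login",
                "https://other.example.edu/cas/x"):
        print(url, browser_sends(CASTGC, url), browser_sends(WIDE_TGC, url))
    print(browser_accepts("app.example.org", "cas.example.edu"))
```

The last column of the output is the case Andrew warns about: once the cookie's scope is widened, every host under that domain receives the TGC.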
