Hi, Andrew:

Thanks for your quick response.

My problem right now is that I don't want to use CAS as SSO. I use CAS
just because the third party uses CAS to validate requests from us to
them. We have our own login page.

That is why I use the CAS RESTful API to generate a TGT and subsequently
generate an ST. This all works fine except that the ST is used only once and
thrown away. If the client (browser) refreshes, it needs to get a new
URL with a new ST appended. This created a performance issue.

Is there any way to configure CAS not to throw away the ST, and instead make it
valid for a period of time?

Please let me know.

Thanks.

Richard

From: Andrew Petro [mailto:[email protected]] 
Sent: Friday, October 19, 2012 2:15 PM
To: [email protected]
Subject: Re: [cas-user] Can yo manually set CASTGC cookie manually
(httpservletrsponse) to a different domain

Richard,

By design, only CAS can set and read the CAS ticket granting cookie.
This is important to the security of using CAS, since if your CAS TGC
was readable more widely (by, say, your application on a different
domain), then applications able to read the cookie could read it and use
it to craft their own requests to get service tickets in the name of the
user.  That is, this would enable illicit delegation.

So.  What are you trying to do?  The RESTful API is more intended for
your application to authenticate as itself to get a TGT to obtain STs
authenticating itself to other services.  If you want to be
authenticating end users, then the intent of the CAS design is for your
application to send those users to CAS to log in to CAS directly, obtain
a ST to log in to your application, and then your application can obtain
a PGT from that if you need to be getting PTs to authenticate to other
applications on the user's behalf.

Hope this helps,

Andrew

On Fri, Oct 19, 2012 at 2:46 PM, Richard Yang <[email protected]> wrote:

I am calling the CAS RESTful API to generate a TGT. I would like to store
this as the value in the CASTGC. But the domain of my application is
different from that of the CAS server. So can I fool the CAS server to
make it think this is a valid cookie?

Otherwise, I had to generate an ST for each service request
programmatically using the RESTful API. This approach has its drawback as it
involves application code to manage the ST.

-- 
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
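
Added example, not part of the original thread and not CAS code: a small model of the RFC 6265 cookie scoping rules behind the point that only CAS can set and read the CASTGC. The hostnames are constructed, and the assumption that CAS sets the cookie without a Domain attribute is labelled in the code.

```python
import ipaddress

CAS_HOST = "cas.idp.example"        # constructed hostname (assumption)
APP_HOST = "app.partner.example"    # constructed hostname (assumption)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a hostname."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (host.endswith("." + domain) and not _is_ip(host))

def store_cookie(response_host, domain_attr=None):
    """Model RFC 6265 section 5.3 scoping: return the stored cookie's scope,
    or None when the user agent ignores the Set-Cookie header.
    The public-suffix check is left out of this sketch."""
    if domain_attr:
        domain = domain_attr[1:] if domain_attr.startswith(".") else domain_attr
        if not domain_match(response_host, domain):
            return None                      # foreign Domain attribute: ignored
        return {"domain": domain.lower(), "host_only": False}
    return {"domain": response_host.lower(), "host_only": True}

def sent_to(cookie, request_host):
    """Would the browser attach this stored cookie to a request for request_host?"""
    if cookie is None:
        return False
    if cookie["host_only"]:
        return request_host.lower() == cookie["domain"]
    return domain_match(request_host, cookie["domain"])

def scenarios():
    forged = store_cookie(APP_HOST, domain_attr=CAS_HOST)   # app names CAS's domain
    local = store_cookie(APP_HOST)                          # app sets a host-only cookie
    genuine = store_cookie(CAS_HOST)    # assumption: CAS sets its TGC with no Domain
    return {
        "forged_stored": forged is not None,
        "local_reaches_cas": sent_to(local, CAS_HOST),
        "genuine_reaches_cas": sent_to(genuine, CAS_HOST),
        "genuine_reaches_app": sent_to(genuine, APP_HOST),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

In this model a cookie written by the application never reaches the CAS host, and the cookie CAS writes never reaches the application, which is the isolation the reply above relies on.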

 
