I don't know how I could utilize the proxying in my situation. I feel this should be a quite common situation for any site with content served with ajax where several webapps use the same rest API, so that the session cannot be shared.

I will attempt to set up a proxying setup, maybe I'll see that my perception of CAS proxy ticketing is wrong. I found the lack of examples on this type of use-case strange.

--
Thomas

From: Greg Smith <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, 13 November 2012 18:17
To: "[email protected]" <[email protected]>
Subject: Re: [cas-user] AW: SSO into an ajax rest api

Using the cas proxying to access the API would require the user to authenticate and store the cookie and supply PGTs to your API for access. Is that the scenario you are in?

On Nov 13, 2012 12:13 PM, "Pronstad, Thomas" <[email protected]> wrote:

I don't think your problem is the same as mine. Your issue is solvable by just changing paths. The CAS client filter is just a Java servlet filter, and servlet filters don't support exclusions of paths. If you structure your paths differently, so that the ws path is not contained by what CAS should secure, you would be ok.

My issue is that some of the resources in the rest api must be secured because they deliver sensitive data, and the rest api is not a part of the web application that actually logs in the user.

--
Thomas

From: Yuriy Larin <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, 13 November 2012 12:39
To: "[email protected]" <[email protected]>
Subject: Re: [cas-user] AW: SSO into an ajax rest api

Subject: [cas-user] AW: SSO into an ajax rest api
Date: Tuesday, November 13, 2012

Hi all.

Probably I have a similar question. We have a freely accessible, non-secured web service in our app. It's not accessible anymore after adding SSO to the project.

Is it possible to 'exclude' some url (like .../ws/* ) from processing by the CAS client filter? What is the right approach in such cases?

Yuriy.

You wrote: Tuesday, November 13, 2012

I am not sure this is supported. We have a similar problem, where we want to provide something which we refer to as inflow login, in some cases where we don't want to redirect a user to a new application (CAS). We have analyzed CAS 3.5 restful support and it was designed for application backend to CAS communication, not as a Web frontend auth mechanism.

Since we have not managed to find a resolution, we are close to reaching a conclusion that CAS may not be the right solution when inflow login is a requirement, hence seeking another solution.

We realized that once you use the restful API from the web front end, suddenly you have to store the cookie (TGC) in your root app domain and not the cas domain, and the site needs to be HTTPS to protect against man in the middle attacks.

It would be good if somebody could share more thoughts on this matter, hopefully more experienced with CAS. Does CAS 3.5 support inflow login? If not, is it a planned feature, is it against CAS core design, etc?

Mateusz Szczap - eBay.de

From: Pronstad, Thomas [mailto:[email protected]]
Sent: Tuesday, 13 November 2012 11:02
To: [email protected]
Subject: [cas-user] SSO into an ajax rest api

Hi

We have a web application that uses a rest API over ajax. The web application has open pages that use open resources in the rest API. When a user wants access to secured pages, he is sent to cas by the web application and logs in.

How should we now handle sso for the rest API? As I understood the proxy protocol, it's designed for application-to-application on behalf of the user, which does not cover this scenario (I might be wrong). When the user's browser requests resources from the rest api via ajax, it won't be able to go through the standard sso path with CAS, since browser redirects are not available in ajax.

Any ideas on how this is best designed are welcome.

Kind regards.
Thomas Pronstad

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
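
Added example, not part of the thread and not CAS project code: a sketch of the check a REST API could apply to the XML body that the CAS 2.0 `/proxyValidate` endpoint returns for a proxy ticket, as discussed above. The callback URL, the allowlist, the "proxied tickets only" policy and all sample responses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace
# Assumption: pgtUrl callbacks of the web apps allowed to proxy to this API.
TRUSTED_PROXIES = {"https://webapp.example.org/cas/pgtCallback"}

class CasValidationError(Exception):
    pass

def check_proxy_validate(xml_text, trusted=TRUSTED_PROXIES):
    """Return (user, proxy_chain) for an acceptable /proxyValidate body."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError(f"malformed response: {exc}")
    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise CasValidationError(f"rejected by CAS: {failure.get('code')}")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("no authenticationSuccess element")
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    if not user:
        raise CasValidationError("empty user")
    chain = [(p.text or "").strip()
             for p in success.findall("cas:proxies/cas:proxy", NS)]
    # Assumed policy: the API only accepts tickets obtained through a proxy,
    # and every proxy in the chain must be one it knows.
    if not chain:
        raise CasValidationError("ticket was not issued through a proxy")
    unknown = [p for p in chain if p not in trusted]
    if unknown:
        raise CasValidationError(f"untrusted proxy in chain: {unknown}")
    return user, chain

def _response(inner):  # builds the constructed sample responses below
    return (f'<cas:serviceResponse xmlns:cas="{NS["cas"]}">'
            f"{inner}</cas:serviceResponse>")

# Constructed sample bodies, not captured from a real CAS server.
SAMPLE_OK = _response(
    "<cas:authenticationSuccess><cas:user>alice</cas:user><cas:proxies>"
    "<cas:proxy>https://webapp.example.org/cas/pgtCallback</cas:proxy>"
    "</cas:proxies></cas:authenticationSuccess>")
SAMPLE_UNTRUSTED = SAMPLE_OK.replace("webapp.example.org", "other.example.net")
SAMPLE_FAILURE = _response(
    '<cas:authenticationFailure code="INVALID_TICKET">ticket not recognized'
    "</cas:authenticationFailure>")

if __name__ == "__main__":
    print(check_proxy_validate(SAMPLE_OK))
```

The API would fetch this body from the CAS server over HTTPS with its own service URL and the received ticket; only the response handling is shown here.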
