Hi folks,

We have a number of eager and talented student developers who would love to be able to build powerful apps to help their peers. The challenge is that many of the richest applications would use sensitive data (e.g. a student's Previous/Current Class Enrollments so they could build a Class Scheduling App using available Class Schedule data).

It would be inadvisable to allow unknown apps to query sensitive business services directly, but it is possible to use CAS Proxy to have the user authenticate to a campus page and then redirect the user's browser (along with a proxy ticket) to an untrusted app which could then send the proxy ticket to a service facade that was set to receive the proxy ticket, get the user's ID from CAS using the proxy ticket, send the ID to a business service (e.g. a Transcript Service), and then return the business data (e.g. past class enrollments) without any personally identifiable information.

Given this configuration, a student app could take any CAS-authenticated user and get business data for that user (and only that user) that would be appropriate for this purpose (e.g. just business data that has no PII). The key is that the untrusted app never receives anything that can be tied to the user - all it ever receives is a proxy ticket and unidentifiable business data.

Has anyone done this already, or does anyone see any red flags about it?

Thanks!

Tom O'Brien
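
The facade step described in the message above, sketched as an added example that is not part of the original post: it parses a CAS 2.0 `/proxyValidate` response, accepts the user only when every hop in the proxy chain is allow-listed, and releases only non-identifying fields. The host names, the `TRANSCRIPTS` stand-in for the Transcript Service, and the field names are assumptions; a real facade would fetch the XML from CAS using its own service URL and the received ticket.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample /proxyValidate responses (CAS 2.0 protocol XML).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:proxies><cas:proxy>https://portal.example.edu/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Hypothetical: callback URL of the campus page allowed to obtain proxy tickets.
TRUSTED_PROXIES = {"https://portal.example.edu/pgtCallback"}
# Only these fields may ever be returned to the untrusted app.
PII_FREE_FIELDS = ("term", "course")
# Hypothetical stand-in for the Transcript Service, keyed by user id.
TRANSCRIPTS = {"jdoe": [{"term": "2010FA", "course": "MATH101",
                         "student_id": "900123", "name": "J. Doe"}]}

def user_from_proxy_validate(xml_text):
    """Return the user id from a proxyValidate response, or None if rejected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        return None
    proxies = [p.text.strip()
               for p in ok.findall("cas:proxies/cas:proxy", CAS_NS) if p.text]
    # Require a proxy chain, and every hop on it must be one we trust.
    if not proxies or any(p not in TRUSTED_PROXIES for p in proxies):
        return None
    user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    return user or None

def facade_enrollments(xml_text):
    """What the untrusted app gets back: rows with identifying fields dropped."""
    user = user_from_proxy_validate(xml_text)
    if user is None:
        return None
    # Allow-list the output fields rather than deleting known PII fields.
    return [{k: row[k] for k in PII_FREE_FIELDS}
            for row in TRANSCRIPTS.get(user, [])]
```

The user id never leaves `facade_enrollments`, and the output is built from an allow-list of fields, so a column added to the business service later is not released by default.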
