Hello David and thank you ! Actually I resolved the problem by adding a REST WS (e.g "/registerservice") invoked only if the CAS-Proxy had not yet acquired the sessionId of the target service.
So the "/registerservice" invocation allows the PT creation and validation. It initiates also the session with the backend service, therefore the sessionId is acquired and stored in the CAS-Proxy user session Id. For info, I setup the "servername" java client parameter. The Java CAS client did not store "by default" the backend service sessionId, although it would have been useful a such behavior. Regards, Alf. On Fri, Mar 15, 2013 at 8:37 PM, Ohsie, David <[email protected]> wrote: > I have two java web modules:**** > > - The first one is acccessed directly by the user and acting as CAS-Proxy > (proxy.war)**** > > - The second one is acting as the proxied service (service.war)**** > > - "proxy.war" is accessing "service.war" via REST calls of type GET.**** > > The Proxy CAS mecanism is working correctlty. I got the tickets: > TicketGrantingTicket, PgtIOU, ProxyGrantingTicket.**** > > ** ** > > ** ** > > Before that "proxy.war" invokes "service.war", I added the code in > "proxy.war" asking for ProxyTicket.**** > > >>>String ticket = principal.getProxyTicketFor(targetURL); <<< **** > > with targetURL = https://<host>:<port>/service/rest /* This is the > root context of all REST calls*/**** > > ** ** > > As all the target sevices are REST calls of type GET, then each call will > be suffixed according to is arguments:**** > > For example, it will be " > https://<host>:<port>/service/rest/path1/argument1" for a call and " > https://<host>:<port>/service/rest/path2/argument2" for another.**** > > ** ** > > ** ** > > 1/ Should I ask for a ticket for each REST call ?**** > > Ex: principal.getProxyTicketFor(" > https://<host>:<port>/service/rest/path1/argument1") for a call**** > > principal.getProxyTicketFor(" > https://<host>:<port>/service/rest/path2/argument2") for another call**** > > ** ** > > You can, but you should try to avoid this. What you have to remember is > that once you access a URL with a proxy ticket (PT), then the > authentication information can be stored in the session (I think that the > Java CAS client does this by default). Therefore, as long as your client > (insie the proxy) can store cookies, it can make further access to the > "service" web application without getting additional tickets. The trick is > that you need to maintain the cookie store (you could store it in the > user's session of the "proxy" service).**** > > ** ** > > 2/ Or, is it possible to get a unique ticket valid to a patten of URLs ? * > *** > > If I use the PT issued by principal.getProxyTicketFor(" > https://<host>:<port>/service/rest"),**** > > this ticket won't be validated > (/poxyvalidate?ticket=<PT>&service=https:// > <host>:<port>/service/rest/pathi/argumenti**** > > ** ** > > There are two different issues.**** > > ** ** > > 1) The ticket will be good for one time use only by default. However, > the session that is established by your servlet container will apply to the > entire "service" web application. So you get the ticket for one URI and > you use the resulting session for the other accesses.**** > > ** ** > > 2) Whether you request the ticket for the specific URI or you request a > generic service will depend on how you have configured the java cas client. > **** > > ** ** > > from: > https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml > **** > > ** ** > > **· **service - the service URL to send to the CAS server, e.g. > https://localhost:8443/yourwebapp/index.html**** > > **· **serverName - the server name of the server this application > is hosted on. Service URL will be dynamically constructed using this, i.e. > https://localhost:8443 (you must include the protocol, but port is > optional if it's a standard port).**** > > ** ** > > If you set up the client with the "service" parameter, then you will > always getProxyTicketFor() that service URI no matter which URI you are > accessing.**** > > ** ** > > If you set up the client with the "serverName" parameter, then you will > getProxyTicketFor() that the specific URI.**** > > ** ** > > I've always set up clients with the "serverName" parameter. I think that > if you use "service" and go directly against you rest service with the > browser, the initial call that requires the service ticket will always get > redirected to the "service" URI.**** > > ** ** > > ** ** > > What is wrong with what I'm doing ?**** > > ** ** > > ** ** > > Thanks. **** > > ** ** > > Alf.**** > > ** ** > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user**** > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
