> Subject: [cas-user] Why is proxying so complicated?
>
> Why isn't it possible to forward the service ticket to another application and
> allow this other application to validate this service ticket a second (or third or
> ...) time?
[DO] I can answer this part of it. If I allow that, then any service that gets itself an ST forwarded to it is now also trusted to act on behalf of the user. There has to be a system for authenticating the service that is going to access other services on behalf of the user. The CAS https callback to the service to hand it the PGT is the method for identifying the service, since the cert validation can be used to authenticate the service. The chaining of proxy services used to get the Proxy Ticket is then available to any service that wants to decide which proxies to trust.

The fact that a callback is used to authenticate the proxy service is one of the most complicated aspects of proxy ticketing. There have been suggestions to allow the service to present a client cert when validating the ST and then get the PGT back in the serviceValidate payload. This would simplify acquisition of the PGT.

Also, STs are bearer tokens. Whoever possesses the ST can use it. There is no validation of who is holding the token. This is generally dangerous. The only reason that STs can be used in a secure way is that they have an "audience restriction": they can only be used for access to a specific service. They are also only usable once. If you can use them as many times as you want, by anyone, then they don't provide any real authentication.

David Ohsie
Software Architect
EMC Corporation

> I assume that there must be some security reason, but what exactly is the
> security reason?
>
> Thanks for your help
>
> Michael
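The three properties the reply leans on (an ST is audience-restricted and single-use, a PGT is only handed to a service that was authenticated through the HTTPS callback, and a PT carries the proxy chain so the target can decide which proxies it trusts) are easy to see in a toy in-process model. The following is an added example written for this page; it is not code from the CAS project or from anyone in the thread. Ticket formats, the `CasServer` class, the hypothetical service URLs, and the callback whitelist that stands in for real certificate validation are all assumptions of the example.

```python
"""Toy model of CAS service-ticket (ST) and proxy-ticket (PT) semantics.

Added example, not CAS project code. Certificate validation of the PGT
callback is replaced by a whitelist of callback URLs (assumption), and the
ticket strings are illustrative only.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Ticket:
    user: str
    audience: str                               # service URL the ticket is bound to
    proxies: list = field(default_factory=list)  # proxy chain, nearest proxy first
    used: bool = False


class CasServer:
    def __init__(self, trusted_callbacks):
        self.tickets = {}                       # ST/PT id -> Ticket
        self.pgts = {}                          # PGT id -> (user, proxy chain)
        self.trusted_callbacks = set(trusted_callbacks)

    def issue_st(self, user, service):
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = Ticket(user, service)
        return st

    def validate(self, ticket_id, service, pgt_callback=None):
        """Model of /serviceValidate or /proxyValidate.

        Returns (ok, user, proxy_chain, pgt). The ticket is consumed on the
        first presentation whether or not validation succeeds, so a replay
        or a forwarded copy is always rejected.
        """
        t = self.tickets.get(ticket_id)
        if t is None or t.used:
            return (False, None, None, None)    # unknown ticket or replay
        t.used = True                           # single use
        if t.audience != service:
            return (False, None, None, None)    # audience restriction
        pgt = None
        # A PGT is only minted for a callback the server can authenticate
        # (whitelist here; HTTPS cert validation in real CAS).
        if pgt_callback is not None and pgt_callback in self.trusted_callbacks:
            pgt = "PGT-" + secrets.token_urlsafe(16)
            self.pgts[pgt] = (t.user, [pgt_callback] + t.proxies)
        return (True, t.user, list(t.proxies), pgt)

    def proxy(self, pgt, target_service):
        """Model of /proxy: mint a PT for target_service carrying the chain."""
        if pgt not in self.pgts:
            return None
        user, proxies = self.pgts[pgt]
        pt = "PT-" + secrets.token_urlsafe(16)
        self.tickets[pt] = Ticket(user, target_service, proxies)
        return pt


def accept_proxy_chain(proxies, trusted):
    """The relying service's own policy: every proxy in the chain must be trusted."""
    return all(p in trusted for p in proxies)


def demo():
    """Walk through the scenarios from the thread; returns a dict of checks."""
    portal, api, backend = ("https://portal.example/", "https://api.example/",
                            "https://backend.example/")
    cas = CasServer(trusted_callbacks={portal + "pgtCallback", api + "pgtCallback"})
    r = {}
    # 1. Forwarding an ST: a ticket issued for portal is rejected when api presents it.
    st = cas.issue_st("michael", portal)
    r["forwarded_st_rejected"] = cas.validate(st, api)[0] is False
    # 2. Single use: the ticket was consumed above, so portal cannot validate it now.
    r["consumed_st_rejected"] = cas.validate(st, portal)[0] is False
    # 3. Normal flow: portal validates a fresh ST and gets a PGT via its callback.
    ok, user, _, pgt = cas.validate(cas.issue_st("michael", portal), portal,
                                    portal + "pgtCallback")
    r["portal_validated"] = ok and user == "michael" and pgt is not None
    # 4. Untrusted callback: the ST validates, but no PGT is handed out.
    r["untrusted_callback_no_pgt"] = cas.validate(
        cas.issue_st("michael", portal), portal, "https://evil.example/cb")[3] is None
    # 5. Portal proxies to api, api proxies on to backend; backend sees the chain.
    pt = cas.proxy(pgt, api)
    ok, _, chain, pgt2 = cas.validate(pt, api, api + "pgtCallback")
    r["api_sees_portal"] = ok and chain == [portal + "pgtCallback"]
    ok, _, chain2, _ = cas.validate(cas.proxy(pgt2, backend), backend)
    r["backend_chain"] = ok and chain2 == [api + "pgtCallback", portal + "pgtCallback"]
    r["backend_trusts_chain"] = accept_proxy_chain(
        chain2, {api + "pgtCallback", portal + "pgtCallback"})
    r["backend_rejects_unknown"] = not accept_proxy_chain(chain2, {api + "pgtCallback"})
    return r


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'ok' if passed else 'FAIL'}")
```

Scenario 1 is the "just forward the ST" proposal from the question: the forwarded copy fails on the audience check, and scenario 2 shows that even the legitimate audience cannot use it afterwards because the first presentation consumed it. Scenario 4 is why the callback matters: without an authenticated callback there is no PGT, so an unidentified service never gets to act on the user's behalf. In scenario 5 the chain arrives at backend nearest proxy first, and `accept_proxy_chain` is where backend applies its own trust policy.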
