Thank you, all, for your advice about managing services. 

I am still a bit confused about authentication. The docs say:


"By default, the cas-management-webapp is configured to authenticate against a 
CAS server. We assume that it's the case in this documentation. However, you 
could change the authentication method by overriding the 
WEB-INF/spring-configuration/securityContext.xml file.
Securing Access and Authorization/ "

Currently, my CAS server is using a MySQL db for authenticating users. Is this 
the authentication that is being referred to in the above statement?



"Access to the management webapp is controlled via Spring Security. Rules are 
defined in the 
/cas-management-webapp/src/main/webapp/WEB-INF/managementConfigContext.xml file.
Static List of Users. By default, access is limited to a static list of users 
whose credentials may be specified in a user-details.properties file that 
should be available on the runtime classpath."


So, this is authentication for users of the management webapp. Again, what is 
the authentication referred to as the default authentication method in the 
first statement?


A little clarification would be most helpful. 

Many thanks.

>-----Original Message-----
>From: [email protected]
>[mailto:[email protected]] On Behalf Of Milt Epstein
>Sent: Tuesday, January 27, 2015 11:02 AM
>To: [email protected]
>Subject: Re: [cas-user] question about Service Management
>
>To echo Carl's comments, I think it's a good idea to use at least a lightweight
>service manager.  If it works for you, might I suggest the Unicon YAML Service
>Registry addon (it works at least with CAS 4.0.X).
>
>Configuration is easy, assuming you're using the Maven overlay method
>-- one additional dependency in pom.xml, one additional config file
>src/main/webapp/WEB-INF/spring-configuration/servicesRegistry.xml, and
>the YAML services registry file itself servicesRegistry.yml (exact location
>specified by the aforementioned servicesRegistry.xml).
>
>More documentation can be found online (I can probably find the link for that
>if searching doesn't yield anything helpful).
>
>Limitations are that there's no web interface for managing services, and you
>need to modify the file servicesRegistry.yml to make changes (changes are
>recognized instantaneously when the file is changed/saved).
>
>CAS 4.1 (in development) includes a facility for service registry using a JSON
>file.  I'm not familiar with the details of that.
>
>Milt Epstein
>Applications Developer
>Graduate School of Library and Information Science (GSLIS) University of
>Illinois at Urbana-Champaign (UIUC) [email protected]
>
>
>On Tue, 27 Jan 2015, Waldbieser, Carl wrote:
>
>> Chris,
>>
>> It is true, you don't need to use a Service Manager, but that means that
>> *any* service can use your CAS.  This might not be what you want-- a rogue
>> service provider could leverage your CAS in order to fool your users into
>> thinking it is a trustworthy service.  Once authenticated, it may ask for
>> sensitive information.  So while the rogue service can't get a user's
>> password, it could potentially trick them into revealing other PII.
>>
>> CAS needs to run as an HTTPS site-- the TGT is stored in a secure cookie.
>> Services don't *have* to be HTTPS unless they want to leverage PGTs, but in
>> practice it makes sense to secure services in many cases.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS System Programmer
>> Lafayette College
>>
>> ----- Original Message -----
>> From: "Chris Adams" <[email protected]>
>> To: [email protected]
>> Sent: Tuesday, January 27, 2015 12:53:15 PM
>> Subject: [cas-user] question about Service Management
>>
>> Hello all,
>>
>> I was just looking into building the Service Management module, as I
>> assumed it was required.
>>
>> I am utilizing CAS for SSO for a handful of services. From the CAS
>> documentation, it says:
>>
>> "It is not required to use the service management facility explicitly. CAS
>> ships with a default configuration that is suitable for deployments that do not
>> need or want to leverage the capabilities above. The default configuration
>> allows any service contacting CAS over https/imaps to use CAS and receive
>> any attribute configured by an IPersonAttributeDao bean."
>>
>> Does that mean that I don't have to register these services if I don't need
>> to manage them with this interface? Can I just append the URL of the service to
>> the CAS server login string and be done with it?
>>
>> Also, somewhere in the docs, it said that any service also had to utilize
>> SSL. Can someone verify that?
>>
>> Many thanks,
>>
>> Christopher Adams
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected] To unsubscribe, change settings or access
>> archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
