The issue here is I cannot just validate once. My eco system is rest based and we cannot rely on the session as the service could be multi-instance.
So I possibly could end up with a large number of validations..I can look into oauth or open id. Thanks for all the replies. Looks like there is no way to do the user-embedding on the service ticket. Ajay On Tue, Jun 30, 2015 at 1:40 PM, Mailvaganam, Hari <[email protected]> wrote: > If managing API ACL - perhaps OAuth/Open ID Connect? Or as another > poster replied, manage via session, upon initial CAS validate. > > Averaging 300K CAS validations/day at term time - no performance issues > with 5 load balanced VMs. > > ------------------------------ > *From:* Ajay Madhavan [[email protected]] > *Sent:* Monday, June 29, 2015 15:10 > *To:* [email protected] > > *Subject:* Re: [cas-user] Embedding username info in Service ticket > > Hi Carl, > > I do have a distributed system where I have multiple services. Imaging > each service to be a host by itself. I use cas for authenticating access to > all services. > > I am expecting api scale to increase enormously over close to say 1000 > api per second or so. > > I was trying to understand if I could avoid network calls if each of > these services were inside a host by themselves. I do understand the CAS > protocol, just wanted to see if there was a secure way of scaling > horizontally. > > > Regards > Ajay > > On Mon, Jun 29, 2015 at 1:33 PM, Waldbieser, Carl <[email protected]> > wrote: > >> >> Service ticket validation is more or less integral to how CAS works. >> Maybe if you could explain a bit more in depth what you are trying to >> accomplish, it might make more sense to the members of the community, and >> you could receive better advice. >> >> Also, why do you believe there would be some kind of bottleneck >> validating service tickets? What kind of volume have you measured or are >> you expecting in terms of validations per unit of time? >> >> Thanks, >> Carl Waldbieser >> ITS Systems Programmer >> Lafayette College >> >> ----- Original Message ----- >> From: "Ajay Madhavan" <[email protected]> >> To: [email protected] >> Sent: Monday, June 29, 2015 4:20:49 PM >> Subject: Re: [cas-user] Embedding username info in Service ticket >> >> I do have a secure mechanism to encrypt my service ticket with the public >> key and then decrypt it later using the private-key. >> >> Also there are multiple webapps which are being protected by the CAS >> service and I dont want the service validate to be a bottle neck for each >> of those webapps. I know service ticket generation does do that. But I >> want >> to see if I can skip service validation at least. >> >> Thanks >> Ajay >> >> >> >> On Mon, Jun 29, 2015 at 1:04 PM, Dmitriy Kopylenko <[email protected] >> > >> wrote: >> >> > I second what Andy says, and just want to add that service ticket >> > validation is the necessary step in a secure CAS protocol, and the >> simple >> > answer is - “no, you cannot skip the ST validation step”. >> > >> > Best, >> > Dmitriy. >> > >> > > On Jun 29, 2015, at 3:55 PM, Andrew Morgan <[email protected]> wrote: >> > > >> > > On Mon, 29 Jun 2015, Ajay Madhavan wrote: >> > > >> > >> I want to skip service validation. I want to distribute the >> validation >> > >> among all my webapps where i can obtain the username from the service >> > >> ticket. >> > >> >> > >> I still want to use CAS for service ticket generation. >> > > >> > > If you don't validate the ST over a back-channel connection, then how >> do >> > you prevent someone from spoofing the username? An attacker could put >> > whatever they want in the ST value to become any other user. >> > > >> > > Validating the ST is a necessary step for security. >> > > >> > > I don't understand what you mean by "distribute the validation among >> all >> > my webapps". >> > > >> > > Andy >> > > >> > > -- >> > > You are currently subscribed to [email protected] as: >> > [email protected] >> > > To unsubscribe, change settings or access archives, see >> > http://www.ja-sig.org/wiki/display/JSG/cas-user >> > >> > >> > -- >> > You are currently subscribed to [email protected] as: >> > [email protected] >> > To unsubscribe, change settings or access archives, see >> > http://www.ja-sig.org/wiki/display/JSG/cas-user >> > >> > >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> -- >> You are currently subscribed to [email protected] as: >> [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
