Hi Deval,

Though I haven't implemented the applet cas yet, I certainly feel that the
application should not obtain the user's password. Somehow that part of the
job (of obtaining the username/passwd and authenticating with the provider)
should be handled only by the CAS tomcat! I think the suggestions given to
me including proxy CAS is the way to go! I won't mind sharing what I've
done, once I get it up and running.

Regards,
Abishek Goda

On 6/21/06, DEVAL SHAH <[EMAIL PROTECTED]> wrote:
> Hello,
> Even I am trying to use CAS with my desktop application. Do you know how
> to go about doing this? This is what I am trying to do:
>
> The desktop appln contacts the Tomcat server using webservices and gets
> back the result.
> Now I want a user to fill in a username and password and this be sent to
> the Tomcat server which uses CAS to authenticate. It should return a
> ticket back to the desktop application so that it can make future calls
> to webservices with that ticket.
> I just want authenticated users to be able to make calls to my
> webservices.
>
> Any idea how I can achieve this?
>
> Thanks
> Deval
>
> > From: Ingeneur <[EMAIL PROTECTED]>
> > Reply-To: Yale CAS mailing list <[email protected]>
> > To: "Yale CAS mailing list" <[email protected]>
> > Subject: Re: casify applets
> > Date: Sun, 18 Jun 2006 11:07:37 +0530
> >
> > Well, I am initially planning to try the VNC Viewer applet. Actually,
> > it is not just about applets alone. I've had this requirement for some
> > desktop applications too!! Maybe I am sounding ridiculous.
> >
> > I think I like the proxying idea! It would greatly reduce the
> > possibility of faking identity. I don't want to access the CAS cookie
> > at all. I still haven't got the idea of proxying CAS. Well, I'll get
> > back after doing my homework.
> >
> > Thank You. In case of issues, I'll get back with a useful usecase too.
> >
> > Regards,
> > Abishek Goda
> >
> > On 6/18/06, Andrew Petro <[EMAIL PROTECTED]> wrote:
> > > I don't know much about applets. Here's my stab at a reply anyway:
> > >
> > > As I understand it, a Java applet is strongly associated with some
> > > authoritative website from which it is loaded.
> > >
> > > So make the user CAS authenticate to that website and then have that
> > > website communicate the authenticated user (perhaps cryptographically
> > > signing this assertion?) to the applet. This is pretty easy as a
> > > gateway to get the applet in the first place (and then just deliver
> > > an authentication-provisioned applet.)
> > >
> > > If you really want the user to start from the applet and "get
> > > authenticated", then produce a URL in the applet to the website with
> > > an identifying session key, and then the website can require CAS
> > > authentication and provide a service that the applet calls with the
> > > key to see who's authenticated for that key.
> > >
> > > However, providing any authentication to a Java applet is a tough way
> > > to go. The code is running on the end user's computer. He can do
> > > arbitrarily clever things like replace the local JVM with a
> > > compromised JVM. So more or less whatever you come up with, there
> > > will be some way for the end user to fake out the applet once
> > > received to believe he is someone he is not.
> > >
> > > However, if the applet in turn uses CAS proxy tickets to proxy
> > > authentication to access whatever it is that it accesses, then
> > > security can be restored inasmuch as it will not be possible to get
> > > valid proxy tickets in the name of anyone other than the user who
> > > received the ST from which the PGT was derived. You'll have to solve
> > > interesting problems to use proxy tickets including what the proxy
> > > callback URL is going to be -- presumably also a service provided by
> > > the website hosting the applet.
> > >
> > > In any case, I would strongly recommend against the applet accessing
> > > the CAS TGT cookie directly. That cookie is intended to be only
> > > available to the CAS server. No CAS-using services should ever see or
> > > touch that cookie, and widening the scope of that cookie or making it
> > > visible over non-SSL'ed connections seriously compromises the
> > > security of the CAS protocol.
> > >
> > > Use case? What will your applet do?
> > >
> > > Andrew
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > > > Behalf Of Ingeneur
> > > > Sent: Saturday, June 17, 2006 6:27 AM
> > > > To: Yale CAS mailing list
> > > > Subject: casify applets
> > > >
> > > > Hi All,
> > > >
> > > > I need some starter ideas on how to casify a java applet. Is this
> > > > possible at all?? I can have the page casified. Can I then try a
> > > > URLConnection to the cas server to get the User Logged In?? Will
> > > > the applet need to read the CAS cookie information??
> > > >
> > > > Am I talking sense at all????
> > > >
> > > > Thank You
> > > > --
> > > > Regards,
> > > >
> > > > Abishek Goda
> > > > http://www.geocities.com/abi_gt
> > > > _______________________________________________
> > > > Yale CAS mailing list
> > > > [email protected]
> > > > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > --
> > Regards,
> >
> > Abishek Goda
> > http://www.geocities.com/abi_gt

--
Regards,
Abishek Goda
http://www.geocities.com/abi_gt
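
The session-key handoff described in Andrew Petro's quoted reply (the applet puts a key in a URL, the website requires CAS authentication, then the applet asks who is authenticated for that key), as an added example that is not part of the original thread or of any CAS code. The names `make_key`, `HandoffStore`, `bind` and `claim`, the key format and the 120-second lifetime are assumptions for illustration; it only tells the applet who logged in, and access to back-end services still needs proxy tickets as the reply explains.

```python
import re
import secrets
import time

KEY_RE = re.compile(r"[A-Za-z0-9_-]{43}")  # 32 random bytes, URL-safe base64
TTL_SECONDS = 120                          # assumed lifetime of a pending login


def make_key():
    """Applet side: unguessable key to embed in the login URL."""
    return secrets.token_urlsafe(32)


class HandoffStore:
    """Website side: maps a session key to the CAS-authenticated user."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._bound = {}  # key -> (username, expires_at)

    def _purge(self):
        # Drop entries whose lifetime has run out.
        now = self._clock()
        for key in [k for k, (_, exp) in self._bound.items() if exp <= now]:
            del self._bound[key]

    def bind(self, key, cas_user):
        """Call from the CAS-protected page, after the service ticket has
        been validated and cas_user is the name CAS returned."""
        self._purge()
        if not KEY_RE.fullmatch(key) or key in self._bound:
            return False  # malformed, or already used for another login
        self._bound[key] = (cas_user, self._clock() + self._ttl)
        return True

    def claim(self, key):
        """Call from the applet-facing service. Single use: the entry is
        removed on the first successful lookup."""
        self._purge()
        entry = self._bound.pop(key, None)
        return entry[0] if entry else None
```

Anyone who holds the key can claim the identity bound to it, so the CAS-protected page should tell the user which application they are signing in to before calling `bind`, and both URLs should be served over SSL only.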
