Whenever possible an application should never collect the credentials and pass them to CAS. However, in certain scenarios (such as desktop applications), deployers wish to leverage an existing CAS installation in a situation where CAS would normally not be used. In that scenario there may be no other alternative than collecting credentials.
-Scott

Scott Battaglia
Application Developer, Architecture & Engineering Team
Enterprise Systems and Services, Rutgers University
v: 732.445.0097 | f: 732.445.5493 | [EMAIL PROTECTED]

Ingeneur wrote:
> Hi Deval,
>
> Though I haven't implemented the applet cas yet, I certainly feel that
> the application should not obtain the user's password. Somehow that
> part of the job (of obtaining the username/passwd and authenticating
> with the provider) should be handled only by the CAS tomcat! I think
> the suggestions given to me including proxy CAS is the way to go! I
> won't mind sharing what I've done, once I get it up and running.
>
> Regards,
> Abishek Goda
>
> On 6/21/06, DEVAL SHAH <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>> Even I am trying to use CAS with my desktop application. Do you know how to
>> go about doing this? This is what I am trying to do:
>>
>> The desktop appln contacts the Tomcat server using webservices and gets back
>> the result.
>> Now I want a user to fill in a username and password and this be sent to the
>> Tomcat server which uses CAS to authenticate. It should return a ticket back
>> to the desktop application so that it can make future calls to webservices
>> with that ticket.
>> I just want authenticated user to be able to make calls to my webservices
>>
>> Any idea how I can achieve this?
>>
>> Thanks
>> Deval
>>
>>> From: Ingeneur <[EMAIL PROTECTED]>
>>> Reply-To: Yale CAS mailing list <[email protected]>
>>> To: "Yale CAS mailing list" <[email protected]>
>>> Subject: Re: casify applets
>>> Date: Sun, 18 Jun 2006 11:07:37 +0530
>>>
>>> Well, I am initially planning to try the VNC Viewer applet. Actually,
>>> it is not just about applets alone. I've had this requirement for some
>>> desktop applications too!! Maybe I am sounding ridiculous.
>>>
>>> I think I like the proxying idea! It would greatly reduce the
>>> possibility of faking identity. I don't want to access the CAS cookie
>>> at all. I still haven't got the idea of proxying CAS. Well I'll get
>>> back after doing my homework.
>>>
>>> Thank You. In case of issues, I'll get back with a useful use case too.
>>>
>>> Regards,
>>> Abishek Goda
>>>
>>> On 6/18/06, Andrew Petro <[EMAIL PROTECTED]> wrote:
>>>
>>>> I don't know much about applets. Here's my stab at a reply anyway:
>>>>
>>>> As I understand it, a Java applet is strongly associated with some
>>>> authoritative website from which it is loaded.
>>>>
>>>> So make the user CAS authenticate to that website and then have that
>>>> website communicate the authenticated user (perhaps cryptographically
>>>> signing this assertion?) to the applet. This is pretty easy as a gateway
>>>> to get the applet in the first place (and then just deliver an
>>>> authentication-provisioned applet.)
>>>>
>>>> If you really want the user to start from the applet and "get
>>>> authenticated", then produce a URL in the applet to the website with an
>>>> identifying session key, and then the website can require CAS
>>>> authentication and provide a service that the applet calls with the key
>>>> to see who's authenticated for that key.
>>>>
>>>> However, providing any authentication to a Java applet is a tough way to
>>>> go. The code is running on the end user's computer. He can do arbitrarily
>>>> clever things like replace the local JVM with a compromised JVM. So more
>>>> or less whatever you come up with, there will be some way for the end
>>>> user to fake out the applet once received to believe he is someone he is
>>>> not.
>>>>
>>>> However, if the applet in turn uses CAS proxy tickets to proxy
>>>> authentication to access whatever it is that it accesses, then security
>>>> can be restored inasmuch as it will not be possible to get valid proxy
>>>> tickets in the name of anyone other than the user who received the ST
>>>> from which the PGT was derived. You'll have to solve interesting problems
>>>> to use proxy tickets including what the proxy callback URL is going to
>>>> be -- presumably also a service provided by the website hosting the
>>>> applet.
>>>>
>>>> In any case, I would strongly recommend against the applet accessing the
>>>> CAS TGT cookie directly. That cookie is intended to be only available to
>>>> the CAS server. No CAS-using services should ever see or touch that
>>>> cookie, and widening the scope of that cookie or making it visible over
>>>> non-SSL'ed connections seriously compromises the security of the CAS
>>>> protocol.
>>>>
>>>> Use case? What will your applet do?
>>>>
>>>> Andrew
>>>>
>>>>> -----Original Message-----
>>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ingeneur
>>>>> Sent: Saturday, June 17, 2006 6:27 AM
>>>>> To: Yale CAS mailing list
>>>>> Subject: casify applets
>>>>>
>>>>> Hi All,
>>>>>
>>>>> I need some starter ideas on how to casify a java applet. Is this
>>>>> possible at all?? I can have the page casified. Can I then try a
>>>>> URLConnection to the cas server to get the User Logged In?? Will the
>>>>> applet need to read the CAS cookie information??
>>>>>
>>>>> Am I talking sense at all????
>>>>>
>>>>> Thank You
>>>>> --
>>>>> Regards,
>>>>>
>>>>> Abishek Goda
>>>>> http://www.geocities.com/abi_gt
>>>>> _______________________________________________
>>>>> Yale CAS mailing list
>>>>> [email protected]
>>>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>>> --
>>> Regards,
>>>
>>> Abishek Goda
>>> http://www.geocities.com/abi_gt
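
The session-key handoff described in Andrew Petro's quoted reply (the applet opens a website URL carrying a key, the website requires CAS authentication, and the applet then asks a service who is authenticated for that key), shown as an added example that is not part of the thread or of CAS. The class name, the 2-minute lifetime and the user name are assumptions; it needs Java 16 or later.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical website-side store for the applet session-key handoff. */
public class AppletLoginHandoff {
    private record Binding(String user, Instant expires) {}

    private static final Duration TTL = Duration.ofMinutes(2); // assumed lifetime
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Binding> bindings = new ConcurrentHashMap<>();

    /** Applet side: 256-bit random key placed in the login URL it opens. */
    public static String newKey() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Website side: call only after CAS has validated the browser's service ticket. */
    public boolean bind(String key, String casUser, Instant now) {
        // 32 bytes encode to exactly 43 base64url characters; reject malformed or short keys.
        if (key == null || !key.matches("[A-Za-z0-9_-]{43}")) return false;
        // First binding wins: a key already bound cannot be re-pointed at another user.
        return bindings.putIfAbsent(key, new Binding(casUser, now.plus(TTL))) == null;
    }

    /** Service the applet calls: single use, so a replayed key learns nothing. */
    public Optional<String> redeem(String key, Instant now) {
        Binding b = (key == null) ? null : bindings.remove(key);
        if (b == null || now.isAfter(b.expires())) return Optional.empty();
        return Optional.of(b.user());
    }

    public static void main(String[] args) {
        AppletLoginHandoff site = new AppletLoginHandoff();
        Instant t0 = Instant.now();
        String key = newKey(); // constructed sample flow, no real CAS server involved
        System.out.println("before login: " + site.redeem(key, t0));
        System.out.println("bound:        " + site.bind(key, "constructed-user", t0));
        System.out.println("first redeem: " + site.redeem(key, t0.plusSeconds(5)));
        System.out.println("replay:       " + site.redeem(key, t0.plusSeconds(6)));
        String late = newKey();
        site.bind(late, "constructed-user", t0);
        System.out.println("after expiry: " + site.redeem(late, t0.plus(TTL).plusSeconds(1)));
    }
}
```

As the quoted reply itself notes, the applet runs on the end user's machine, so the back-end services it calls should still demand CAS proxy tickets rather than trust the name the applet received.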
