Hi Andrew,

I'm still new to this myself, but I am using CAS now to authenticate a chat client to OpenFire (an open source Jabber chat server). I'm finding that proxy authentication works fine. The primary challenge for me was getting the proxy ticket to the client so it could pass it to the OpenFire server.

The way CAS is designed, the CAS server must call back to the application that needs the proxy ticket to give it a ticket. In my case, it was another client application (the chat client) which needed the proxy ticket and not another application running in the middle tier, so I had to arrange to have the web application request and accept the proxy ticket and then put it in the web page in a hidden field. The chat client then retrieves the ticket from the web page and connects/authenticates with OpenFire.

I was lucky in that OpenFire has a reasonably open architecture that allows you to build your own authentication module. And it is written in Java, so I could use either of the available CAS Java clients to call proxyValidate to validate the ticket and retrieve the username.

The only other issue I ran into was that although OpenFire allowed me to say yes/no to whether the user was authenticated, it still expected that the username passed to it be the correct one ... i.e. my module didn't get called until after it already had the username. This is a bit of a problem for CAS because all you have is the ticket ... you don't get the username until after you validate the ticket. Luckily, I already knew the username from when my original web application authenticated, so I just embedded that in the web page, too, and sent it to OpenFire along with the proxy ticket.

I have also finished integrating CAS with ACEGI and Spring Web Services and that is working pretty well also. In my case, the web services are also being called from a Flex/Flash client, so I had to use the same approach (i.e. get the proxy ticket before rendering the page and put it in the web page where the Flex/Flash application was embedded) to get the ticket in the hands of the application calling the web services.

Don't know if this is the sort of feedback you were looking for, but it is my 2 cents' worth anyway.

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew R Feller
Sent: Friday, August 17, 2007 2:10 PM
To: Yale CAS mailing list
Cc: Christopher M Dalrymple
Subject: Proxy authentication of non-web applications

Given a mixture of web applications and offline services/EJBs/etc, what solutions are available for CAS-ified web applications to authenticate with offline services aside from making them a web service? I know that CAS 2+ supports proxy authentication between services but was curious what situations the rest of the community has experienced.

Thanks,
Andy

Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
[EMAIL PROTECTED]
(office) 225.578.3737

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
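Added example, not part of the thread and not code from either poster: when a client sends both a username and a proxy ticket, as in the OpenFire setup described above, the receiving service should treat the username as a claim and accept it only if the CAS 2.0 `proxyValidate` response names the same user and a trusted proxy chain. The function name, hostnames, users and sample responses are constructed for illustration; fetching the response from the CAS server over HTTPS is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS 2.0 response namespace

def verify_login(response_xml, claimed_username, allowed_proxies):
    """Return (True, user) only if CAS vouches for claimed_username."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return (False, "unparseable response")
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "NO_RESULT"
        return (False, "validation failed: " + code)
    user = success.findtext("cas:user", default="", namespaces=NS).strip()
    if not user:
        return (False, "no user in response")
    # Every proxy in the chain must be one we expect (here: the web app).
    chain = [(p.text or "").strip()
             for p in success.findall("cas:proxies/cas:proxy", NS)]
    if not chain or any(p not in allowed_proxies for p in chain):
        return (False, "untrusted proxy chain")
    # The client-supplied name is only a claim; the ticket is the proof.
    if user != claimed_username:
        return (False, "claimed username does not match ticket")
    return (True, user)

# Constructed sample responses (hostnames and users are made up).
ALLOWED = {"https://webapp.example.edu/cas/pgtCallback"}
OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>bill</cas:user>
    <cas:proxies>
      <cas:proxy>https://webapp.example.edu/cas/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    ticket not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    for xml, name in ((OK, "bill"), (OK, "andrew"), (FAIL, "bill")):
        print(name, verify_login(xml, name, ALLOWED))
```

Without the final comparison, any user holding a valid ticket of their own could log in under another user's name by changing only the username field.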
