Eric,

I am currently using CAS with web services (Spring Web Services to be exact, but I think the concepts apply for other frameworks as well even though you might need to do a bit more work). You can get a proxy ticket that is used to authenticate with the web services, but the application obtaining the proxy has to have been authenticated by CAS and possess a proxy granting ticket.
You don't have to use a JSP, but you have to obtain credentials from the user somehow, right? How do you obtain the credentials (username/password) you will use to authenticate? If you are not obtaining credentials from a user (e.g. a middle-tier application that always logs in with some fixed username and password) then I question the value of using CAS.

In my case, my applications are rich (Flex) clients. When the end user is authenticated in any of these applications, they request a proxy granting ticket and then obtain a proxy ticket specifically for the web services. The proxy ticket is embedded in a hidden field in the resulting web page and the Flex client retrieves the proxy ticket from the hidden field and uses it in calls to the web services (using WS-Security UsernameToken).

The other issue you have to contend with is that CAS tickets are one-time usage tickets. Since you don't want to authenticate all over again for each web services call AND since web services are stateless, you need to cache valid tickets and compare new tickets to the cache first before going to CAS. Spring Web Services with ACEGI handles this for you by allowing the username to be _cas_stateless_ in which case ACEGI checks the cache for a matching ticket first and only validates it against CAS if not found. For other web services frameworks, I suspect you might have to implement this particular behavior yourself.

Hope this helps some.

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Miles
Sent: Thursday, September 27, 2007 3:23 PM
To: cas@tp.its.yale.edu
Subject: Headless CAS?

Can CAS act as a headless authentication mechanism? I'd like to use CAS for authenticating web service calls (which are stateless and headless). I currently have CAS all wired up with my web application so I understand how that works (it works great). However, I am failing to see how I could CASify my web services.
Is it possible to create a CAS Ticket via an API as there is no way for these clients to go to a UI and "login"? I see numerous "Java Client" examples that show how to validate a ticket once in hand, but I see no examples of how to get the ticket itself (without logging in through a JSP page).

Thanks,
Eric

_______________________________________________
Yale CAS mailing list
cas@tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
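
The cache-then-validate behavior described in the reply above, for frameworks that do not provide it, as an added example that is not part of the original thread and is not Acegi's code. `validate_with_cas` is a hypothetical callable standing in for the real validation request to the CAS server, and the ticket strings and TTL are constructed values.

```python
import hashlib
import threading
import time


class StatelessTicketCache:
    """Validate a CAS ticket once, then serve repeats from a short-lived cache."""

    def __init__(self, validate_with_cas, ttl_seconds=300, clock=time.monotonic):
        # validate_with_cas(ticket) -> username or None. Hypothetical callable
        # standing in for the real validation request to the CAS server.
        self._validate = validate_with_cas
        self._ttl = ttl_seconds  # assumed value; keep it short
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}  # sha256(ticket) -> (username, expires_at)

    def authenticate(self, ticket):
        """Return the username bound to this ticket, or None if it is not valid."""
        # Key on a digest so a dump of the cache does not expose usable tickets.
        key = hashlib.sha256(ticket.encode("utf-8")).hexdigest()
        now = self._clock()
        with self._lock:
            # Drop expired entries so a cached ticket cannot outlive the TTL.
            for k in [k for k, (_, exp) in self._entries.items() if exp <= now]:
                del self._entries[k]
            hit = self._entries.get(key)
        if hit is not None:
            return hit[0]  # seen before: no round trip to CAS
        username = self._validate(ticket)  # CAS accepts a ticket only once
        if username is None:
            return None  # failures are never cached
        with self._lock:
            self._entries[key] = (username, now + self._ttl)
        return username


if __name__ == "__main__":
    issued = {"PT-1-constructed": "bill"}  # constructed sample ticket

    def fake_cas(ticket):
        # Simulates one-time use: the ticket is consumed on first validation.
        return issued.pop(ticket, None)

    cache = StatelessTicketCache(fake_cas, ttl_seconds=60)
    print(cache.authenticate("PT-1-constructed"))  # validated against CAS
    print(cache.authenticate("PT-1-constructed"))  # served from the cache
    print(cache.authenticate("PT-forged"))         # rejected, not cached
```

Two concurrent first requests carrying the same ticket both reach CAS and the second is rejected, so a client that sends calls in parallel should complete its first call before issuing the rest.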