Re: RESTful CAS API

by Smith, Matt

Scott -

<hat type="security">

  If a service is trying to authenticate to CAS as itself, is
ID/Password the right kind of credential?  Seems like a stronger
mechanism could be encouraged by default.  Perhaps X.509 or similar?

  I also worry that this API makes it too "easy" for a service to pop-up
a dialog box asking for a user's credentials, and perform validation,
bypassing the whole WebISO thing without the CAS admin being aware.
Yeah, it is possible today by screen-scraping the 'LT' param from the
login script and submitting it with the ID/Password, but this API makes
it much easier.  Defaulting this API to use a mechanism like X.509,
GSSAPI/SPNEGO, etc. eliminates this undesired use.

</hat>

<hat type="developer">
 Yeah -- those points do make the problem space *much* more complicated.
But, they are important to consider anyway.
</hat>

HTH,
-Matt

On Wed, 2008-04-23 at 09:32 -0400, Scott Battaglia wrote:

> All,
>
> We have need of a way of programmatically obtaining tickets for
> purposes of service to service authentication.  We've previously used
> a SOAP-based web service (which we've kept internal).  We're planning
> on moving to a much lighter approach, to make it easier for our
> non-Java clients (SOAP isn't necessarily fun to parse/construct), but
> we're most likely going to contribute it back as a module in the CAS
> project, as it seems like something other people could use (and I
> believe some people have hinted at needing something).
>
> To that end, we've posted a suggested API for obtaining TGTs and
> Service Tickets:
> http://www.ja-sig.org/wiki/display/CASUM/RESTful+API
>
> Please let us know if you have any feedback, additional ideas, etc.
>
> Thanks
> -Scott
>
> --
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia 
> _______________________________________________
> cas-dev mailing list
> cas-dev@...
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
--
Matt Smith
matt.smith@...
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E
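One way to embody the credential policy Matt argues for on a programmatic ticket endpoint, as an added example that is not code from this thread or from the CAS project (the service registry, request fields and function names are assumptions):

```python
"""Credential policy for a programmatic CAS ticket endpoint (added example,
not code from the thread or the CAS project). A service authenticating as
itself must present an X.509 client certificate, verified by the TLS front
end which forwards the subject DN; ID/Password is refused on this path, so
the endpoint cannot relay a user's typed credentials around the web SSO
login. Registry contents and field names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed registry: subject DNs of certificates issued to services.
REGISTERED_SERVICE_DNS = {
    "CN=calendar.example.edu,OU=Services,O=Example University",
    "CN=portal.example.edu,OU=Services,O=Example University",
}

@dataclass
class TicketRequest:
    client_cert_dn: Optional[str]             # None when no verified client cert
    form: dict = field(default_factory=dict)  # POST body fields
    remote_addr: str = "0.0.0.0"

@dataclass
class Decision:
    allowed: bool
    principal: Optional[str]
    reason: str

def common_name(dn: str) -> Optional[str]:
    """Extract the CN attribute from a comma-separated DN string."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    return None

def authorize_ticket_request(req: TicketRequest, audit: list) -> Decision:
    """Decide whether a TGT request is acceptable and record the outcome."""
    if "username" in req.form or "password" in req.form:
        d = Decision(False, None, "password credentials refused on programmatic endpoint")
    elif not req.client_cert_dn:
        d = Decision(False, None, "client certificate required")
    elif req.client_cert_dn not in REGISTERED_SERVICE_DNS:
        d = Decision(False, None, "certificate not registered as a service")
    else:
        d = Decision(True, common_name(req.client_cert_dn), "client certificate accepted")
    # Every outcome is written to the audit trail so the CAS admin can see
    # attempts to push user passwords through the programmatic path.
    audit.append(f"{req.remote_addr} {'ALLOW' if d.allowed else 'DENY'} {d.reason}")
    return d
```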