Mixing spnego and rest authentication


Arnaud N.

Sep 12, 2018, 5:30:51 PM
to CAS Community
Hello everybody,

Here is my problem:

Our information system relies upon CAS 5.2.3 to enable SSO. We have webapps that communicate with SOAP WS and REST APIs.
SSO is configured to perform username+password authentication via a REST API, and every application uses the CAS 2.0 protocol.
So far everything works fine: TGT and PGT are granted, ST and PT are validated, no problem.
Now we want to use SPNEGO/Kerberos authentication on one of our webapps instead of the classic form/username+password auth. We managed to configure CAS to perform SPNEGO authentication on this webapp. The user types the URL of the webapp, negotiation occurs and the user is connected to the application. The logs show that TGT and PGT are being granted for the webapp. The problem is when the application tries to get a proxy ticket for another backend CAS-protected application (SOAP WS or REST API). We made a TCP dump to monitor the exchange between CAS and the webapp, and we noticed that everything worked fine until the webapp used its PGT to get a PT for the SOAP WS: CAS rejects the request, stating that the service is not allowed. Without SPNEGO everything works fine, the SOAP WS is allowed. From here we tried tinkering with CAS and service configuration without success.
In the end we were wondering if what we are trying to do is possible? Mixing SPNEGO auth with username+password auth? Has anyone here done that, and using which CAS configuration? As far as I understand the CAS protocol, once TGT and PGT are granted, the auth method is irrelevant; only the tickets are used to delegate authority...

Any help would be greatly appreciated.

Regards

Arnaud.

Ray Bon

Sep 12, 2018, 6:01:28 PM
to cas-...@apereo.org
Arnaud,

Is the service URL changing in any way when SPNEGO is used?
Before a PT is issued, CAS contacts the proxy callback. Is this prevented in any way with SPNEGO?
I have not used SPNEGO, so I am just making some guesses.

Here is the log config:

        <!-- DEBUG Response code from server matched [###] may be useful for debugging proxy
                   Created HTTP post message payload [POST URL] on logout -->
        <AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient" level="error" />

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
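As an added illustration that is not part of Ray's reply or the CAS project's documentation: the proxy-callback contact he mentions and the PT rejection are governed by the JSON service-registry definitions, so the proxying webapp needs a proxyPolicy whose pattern matches the callback URL it sends (hostnames and ids below are assumed placeholders for this example).

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://webapp\\.example\\.org/.*",
  "name" : "webapp (assumed host, SPNEGO-protected, obtains PGT/PT)",
  "id" : 1001,
  "description" : "Proxying application; the default RefuseRegisteredServiceProxyPolicy would block PGT issuance",
  "proxyPolicy" : {
    "@class" : "org.apereo.cas.services.RegexMatchingRegisteredServiceProxyPolicy",
    "pattern" : "^https://webapp\\.example\\.org/proxyCallback.*"
  },
  "evaluationOrder" : 10
}
```

The backend SOAP WS needs its own definition whose serviceId pattern matches exactly the targetService URL the webapp passes when it asks for the PT; comparing that URL in the TCP dump against the registered pattern, for both the SPNEGO and the form-login flow, is the check that narrows down a "service not allowed" rejection.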

Arnaud N.

Sep 12, 2018, 6:20:17 PM
to CAS Community
Hello Ray,

Thank you for your answer. As far as I remember (I am not at the office) the service URL doesn't change, but I'll double check tomorrow just to be sure.
I think that the PGT is tied to the auth method used when it is released. Some code in the method
AbstractCentralAuthenticationService.getAuthenticationSatisfiedByPolicy
seems to validate this hypothesis. I'll look further into it tomorrow.
