Is it possible to record authentication events and ST granted events?


jm

Aug 21, 2019, 2:39:54 AM8/21/19
to CAS Community
Hi all,

There are some sensitive API providers (services without a web interface) in our company, and some web services will invoke those APIs. Web services are all logged in via the CAS service provided by me. Here comes the requirement: sensitive API providers want to obtain the origin caller from the caller. They want to know the origin user and the origin service to which the user logged in.

So I have to record some information when some events happen, they are:
1. User authentication successfully
2. ST granted and validated successfully
3. TGT expired

I have an idea to do this. I can make an aspect to hijack the inspektr framework's APIs; in the aspect I will get the AuditActionContext object and do an HTTP call to send this audit event to my service.

But is there a better way to do this? Like subscribing to some events directly in CAS or ... something I didn't realize.



James

Ray Bon

Aug 21, 2019, 11:52:41 AM8/21/19
to cas-...@apereo.org
jm,

Your APIs will have to be CASified.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

jm

Aug 22, 2019, 10:17:10 AM8/22/19
to CAS Community
Ray,

Thank you for your idea. But after I checked the Proxy Authentication Protocol documentation, I think that is not what I want.

The sensitive API provider mentioned before is not a web service, it is a microservice, without a session, no state, so there is no need to log in to the API service, thus it's not protected under CAS. In fact I think this is not an authentication problem, it is a microservice governance problem; it's about how to track a request in a distributed microservice system.

We finally found what we could do. All we are asking for is the ability to update the principal's attributes on each service ticket validation event. So I took a trip (which is difficult) into CAS's source code, and found that we could set the services' attribute release policy member in the JSON service registry to a class which is under our control, and in our AttributeReleasePolicy class we will call a remote API to get the latest attributes on every service validation. The only problem left is that the getAttributes method was called twice at each ST validation... but I think I will work it out soon.

Anyway, thank you for your reply.


James

On Wednesday, 21 August 2019 at 23:52:41 UTC+8, rbon wrote:
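The first post asks whether the three events (successful authentication, ST granted/validated, TGT expiry) can be captured by subscribing to CAS events rather than wrapping the inspektr audit API with an aspect. The class below is an added example written for this thread, not code from James, the CAS project, or the thread's replies: it is a Spring component that listens for CAS's own application events and hands a flat audit record to a sink. The CAS event class names and their getters (`getCredential()`, `getServiceTicket()`, `getTicketGrantingTicket()`, `getAssertion()`) are assumptions drawn from the CAS 5.x/6.x event API and differ between releases, so check them against the CAS version you run; the `AuditSink` interface and the package name are hypothetical. Ticket ids are bearer credentials while they are live, so the record carries a truncated hash of the id for correlation rather than the id itself.

```java
// Added example, not from the thread or the CAS project. Subscribes to CAS
// Spring events instead of wrapping the inspektr audit API with an aspect.
// CAS event class names and getters are assumptions for CAS 5.x/6.x and
// may differ in other releases.
package org.example.casaudit; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apereo.cas.support.events.authentication.CasAuthenticationTransactionSuccessfulEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent;
import org.apereo.cas.support.events.ticket.CasTicketGrantingTicketDestroyedEvent;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;

@Component
public class CasAuditEventForwarder {

    /** Hypothetical destination, e.g. an HTTP client posting to the internal audit service. */
    public interface AuditSink {
        void send(Map<String, Object> record);
    }

    private final AuditSink sink;

    public CasAuditEventForwarder(final AuditSink sink) {
        this.sink = sink;
    }

    // 1. user authenticated successfully (credential id is the login name)
    @EventListener
    public void onAuthenticationSuccess(final CasAuthenticationTransactionSuccessfulEvent event) {
        Map<String, Object> record = baseRecord("AUTHENTICATION_SUCCESS");
        record.put("principal", event.getCredential().getId());
        sink.send(record);
    }

    // 2a. service ticket granted: the origin user and the service it was issued for
    @EventListener
    public void onServiceTicketGranted(final CasServiceTicketGrantedEvent event) {
        ServiceTicket st = event.getServiceTicket();
        TicketGrantingTicket tgt = event.getTicketGrantingTicket();
        Map<String, Object> record = baseRecord("SERVICE_TICKET_GRANTED");
        record.put("principal", tgt.getAuthentication().getPrincipal().getId());
        record.put("service", st.getService().getId());
        record.put("ticketRef", ticketRef(st.getId()));
        sink.send(record);
    }

    // 2b. service ticket validated by the service (assertion carries the primary authentication)
    @EventListener
    public void onServiceTicketValidated(final CasServiceTicketValidatedEvent event) {
        Map<String, Object> record = baseRecord("SERVICE_TICKET_VALIDATED");
        record.put("principal", event.getAssertion().getPrimaryAuthentication().getPrincipal().getId());
        record.put("service", event.getAssertion().getService().getId());
        record.put("ticketRef", ticketRef(event.getServiceTicket().getId()));
        sink.send(record);
    }

    // 3. TGT destroyed: fires for expiry as well as explicit logout
    @EventListener
    public void onTicketGrantingTicketDestroyed(final CasTicketGrantingTicketDestroyedEvent event) {
        TicketGrantingTicket tgt = event.getTicketGrantingTicket();
        Map<String, Object> record = baseRecord("TGT_DESTROYED");
        record.put("principal", tgt.getAuthentication().getPrincipal().getId());
        record.put("ticketRef", ticketRef(tgt.getId()));
        sink.send(record);
    }

    private static Map<String, Object> baseRecord(final String action) {
        Map<String, Object> record = new LinkedHashMap<>();
        record.put("timestamp", Instant.now().toString());
        record.put("action", action);
        return record;
    }

    /** Ticket ids are bearer credentials while live; store a truncated SHA-256 for correlation only. */
    static String ticketRef(final String ticketId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(ticketId.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 8; i++) {          // first 8 bytes = 16 hex chars
                hex.append(String.format("%02x", digest[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Listeners run on the thread that publishes the event, so the sink's `send()` should be non-blocking or queued (for example, by annotating the handlers with Spring's `@Async`) so that a slow or unreachable audit collector cannot stall logins or ticket validation. The validated event is the one that ties a concrete service to a concrete user at the moment the service accepts the ticket, which is the origin-caller information the API providers in the thread asked for; the granted and destroyed events bracket the session so the collector can also answer "which sessions were active when this request arrived".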