CAS with REST services
84 views
Skip to first unread message
Robert
Jul 11, 2016, 4:35:42 AM7/11/16
to CAS Community
We are currently using CAS 3 for a traditional web application, and we are
moving towards a more modern architecture with a single page application
and rest services. My first question would be if the CAS protocol is still
the right choice for us. I don't have experience with development using CAS
so far, but I tried to gather information about it.
Looking at the CAS protocol at
https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
it seems that the normal web flow is not appropriate anymore for our
application. I read that CAS 4 contains a REST service for requesting TGTs and
STs. So I had the following simple solution in mind for our application.
The client (browser) would initially request a TGT from the CAS server and
store this. Each time when the client needs to call one of our REST services,
it would request a ST from the CAS server and call our service with the ST.
The application service would verify the ST with the CAS server before
executing the method. The downside of this solution is that 2 additional remote
calls need to be made for each app service call.
Documentation seems to point towards Proxy Granting Tickets, such as in the
Spring Security documentation
http://docs.spring.io/spring-security/site/docs/4.1.0.RELEASE/reference/htmlsingle/#cas-pt-client
But I can't find a conceptual explanation why I need it and how it works.
When I look at the CAS protocol documentation for proxy's it just seems to
add even more overhead compared to my solution and we would need a proxy web
application. that we need to call instead of the actual app service.
https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
Thanks for any help you can provide me.
moving towards a more modern architecture with a single page application
and rest services. My first question would be if the CAS protocol is still
the right choice for us. I don't have experience with development using CAS
so far, but I tried to gather information about it.
Looking at the CAS protocol at
https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
it seems that the normal web flow is not appropriate anymore for our
application. I read that CAS 4 contains a REST service for requesting TGTs and
STs. So I had the following simple solution in mind for our application.
The client (browser) would initially request a TGT from the CAS server and
store this. Each time when the client needs to call one of our REST services,
it would request a ST from the CAS server and call our service with the ST.
The application service would verify the ST with the CAS server before
executing the method. The downside of this solution is that 2 additional remote
calls need to be made for each app service call.
Documentation seems to point towards Proxy Granting Tickets, such as in the
Spring Security documentation
http://docs.spring.io/spring-security/site/docs/4.1.0.RELEASE/reference/htmlsingle/#cas-pt-client
But I can't find a conceptual explanation why I need it and how it works.
When I look at the CAS protocol documentation for proxy's it just seems to
add even more overhead compared to my solution and we would need a proxy web
application. that we need to call instead of the actual app service.
https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html
Thanks for any help you can provide me.
Misagh Moayyed
Jul 13, 2016, 3:49:32 PM7/13/16
to CAS Community
They are both conceptually, more or less, the same. The caveat with the REST API is, you will have to manage the SSO session, and you will need to manually pass in the uid/psw to CAS while with the proxy scenario, the user is required to be present to do that for you automatically and CAS keeps SSO. Also, turning on the REST API has the potential of becoming the target of DOS attacks, unless properly secured.
--
Misagh
Misagh
--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5c81eba4-f0ed-45ac-a362-d7f4d95c8077%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
Manfredo Hopp
Jul 13, 2016, 5:11:39 PM7/13/16
to CAS Community
I made some tests regarding web-services.
Please refer to this subject on this list:
Validating Service Tickets in POST requests - Securing WS
Regards Manfredo
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57869b3a.5faee68a.14275%40unicon.net.
robert.di...@gmail.com
Jul 15, 2016, 4:47:29 AM7/15/16
to jasig-cas-user, cas-...@apereo.org, mmoa...@unicon.net
Is there any information about securing the CAS REST API?
Op woensdag 13 juli 2016 21:49:26 UTC+2 schreef Misagh Moayyed:
Op woensdag 13 juli 2016 21:49:26 UTC+2 schreef Misagh Moayyed:
They are both conceptually, more or less, the same. The caveat with the REST API is, you will have to manage the SSO session, and you will need to manually pass in the uid/psw to CAS while with the proxy scenario, the user is required to be present to do that for you automatically and CAS keeps SSO. Also, turning on the REST API has the potential of becoming the target of DOS attacks, unless properly secured.
--
Misagh
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.57869b3a.5faee68a.14275%40unicon.net.
Misagh Moayyed
Jul 15, 2016, 10:34:48 AM7/15/16
to cas-...@apereo.org
Support is added to throttle requests, but nothing that would “secure” it. We *could* restrict it to a set of trusted ip patterns, but I don’t think that’s all that practical or useful if done by CAS. Best bet likely would be to resort to good old firewall mechanics perhaps. If you have other suggestions, please share.
--
Misagh
Misagh
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a0d557c0-2fb6-45e9-9cdd-624fd5fedc96%40googlegroups.com.
Tom Mendenhall
Jul 15, 2016, 10:49:47 AM7/15/16
to Misagh Moayyed, cas-...@apereo.org
We proxy CAS with an apache web server and use this in our httpd.conf file. It seems to work.
<Location /cas/v1>
Order deny,allow
Deny from all
Allow from n.n.n.n
</Location>
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.5788f47f.72781cd1.f1b%40unicon.net.
Reply all
Reply to author
Forward
0 new messages