Integration with SSO using CAS

251 views
Skip to first unread message

Nicky

unread,
Nov 8, 2007, 1:21:53 PM11/8/07
to Google Web Toolkit
We are using CAS (http://www.ja-sig.org/products/cas/) to handle
authentication.

Simply put when the user tries to access the GWT site and does not
have an authenticated session their browser is redirected to secured
sign on page (possibly on a different server). Once the user
authenticates with that page they are redirected back to the original
url ( this was embedded in the url on the first redirect) with a
ticket. this ticket is then verified by the GWT site with the
authentication site and if it is still valid they are allowed access
to the GWT site.

This strategy is similar to Kerberos ticket granting with third party
validation.

The above works great for the first time access to the GWT
app....However all RPC calls are similarily authenticated. Once say
the session with the GWT app expires and the next RPC call happens it
is redirected to the sign on page and causes a security exception. In
firefox this results in an internal SecurityException: Content ... may
not load data from ... and on IE the user is prompted and if they
accept the redirected page's output could be displayed ( different
from the browser being redirected). However neither one is able to
handle a redirect request back to the browser.

Ideally I would like the asycn http request redirect to result in a
new browser window that redirects to the authentication web site. Then
the user authenticates and is redirected back to the GWT site with the
ticket and this would enable the GWT site to validate the ticket and
establish a new session with the user.

How can this be done? Has anyone done something similar ? This is
similar to how Google Auth works as well and so I hope there is
someone who has thought through this redirect to auth page redirect on
rpc async call stuff.

GeertB

unread,
Dec 19, 2007, 9:20:37 AM12/19/07
to Google Web Toolkit
I successfully integrated with container managed security, which did
similar things to the RPC calls when the session expired or when the
user was not authorised for the RPC call.
Although I handled the login (and re-login) within the GWT application
(and not in a separate page), you might want to take a look at:
http://groups.google.com/group/Google-Web-Toolkit-Contributors/browse_thread/thread/4a561951308ea809/47341fcff5e75e33?lnk=gst&q=geertb#47341fcff5e75e33

Regards,

GeertB

On Nov 8, 7:21 pm, Nicky <karajd...@gmail.com> wrote:
> We are usingCAS(http://www.ja-sig.org/products/cas/) to handle
Reply all
Reply to author
Forward
0 new messages