Casifying my Web application

To casify the web service I am planning to follow the following:
I have an application that requests a web service; the web service will only serve the client if the application passes a valid ticket string.
The Java application sends a username/password combination to the CAS server using the RESTful API.
The CAS server replies with a ticket on successful authentication.
The application sends the ticket to my web service and asks for some data.
The web service receives the ticket and sends the ticket to the CAS server to validate it.
If the CAS server returns a username or any kind of message that confirms the validity of the ticket, the web service replies to the application with a response that fulfills the application's request.
The CAS server returns the ticket to the application, the application posts the ticket string to the web service, and the web server accepts the ticket string. Now how do I send the ticket to the CAS server for validation? Any ideas? Also, is there a better way to casify the web service?
I tried to draw what I want to achieve:

Since this is a Java-based application you can use the filters that are available with CAS to do the validation and authentication.

Related

Rest Services and CAS validate

I am trying to implement CAS validation on a web server that receives RESTful requests. I only care whether the ticket is valid; then I can continue doing the operation. So web app A provides the client with content, and the client will then do a POST to RESTful web server B. Web server B will validate their ticket and proceed.
I will only have access to the endpoints of the CAS server, no helper classes, DLLs etc.
Here is the ticket provided; I'm positive it is correct. I pulled it from the web app that has the user logged in.
ST-3285-1AijQkayTlcWSXQIVHUP-svvautht01.domain.org
the service that was requested was http://localhost:15559/WebApp/Main
Here is the endpoint I am calling.
https://svvautht01.domain.org:8443/cas/serviceValidate?ticket=ST-3285-1AijQkayTlcWSXQIVHUP-svvautht01.domain.org&service=http%3a%2f%2flocalhost%3a15559%2fWebApp%2fMain
I have tried the service with an unencoded URL and both return the response below.
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
Ticket 'ST-3285-1AijQkayTlcWSXQIVHUP-svvautht01.domain.org' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>
I don't understand what I could be doing incorrectly. I can physically see that this is the correct ticket!
This is the Apereo jasig CAS found here wiki jasig
CAS Service Tickets by default have a lifetime of 10 seconds; after this time CAS itself will validate the user, and any further validation requests for the same ST will show an invalid ticket error.
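The validation step that the first question on this page asks about (the web service forwarding the ticket to CAS) and the INVALID_TICKET reply quoted in the question just above are both exercised by the following added example. It is not code from either post or from the CAS project; it speaks the CAS 2.0 /serviceValidate protocol with Python's standard library. The CAS base URL, ticket and service value are taken from the question above; the `fetch` parameter and the success response are assumptions made so the flow can be run without a CAS server.

```python
"""Validate a CAS 2.0 service ticket against /serviceValidate (added example)."""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

# Namespace used by the <cas:serviceResponse> documents shown on this page.
CAS_NS = "{http://www.yale.edu/tp/cas}"


@dataclass(frozen=True)
class TicketValidation:
    valid: bool
    user: Optional[str] = None      # principal name on success
    code: Optional[str] = None      # e.g. INVALID_TICKET on failure
    message: Optional[str] = None   # human-readable failure text


def build_validate_url(cas_base: str, ticket: str, service: str) -> str:
    """Build the /serviceValidate URL.

    `service` must be byte-for-byte the URL the ticket was issued for; CAS
    rejects the ticket otherwise. urlencode handles the escaping, so the
    caller never hand-encodes the service value.
    """
    query = urllib.parse.urlencode({"ticket": ticket, "service": service})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def parse_validate_response(xml_text: str) -> TicketValidation:
    """Turn a <cas:serviceResponse> document into a TicketValidation."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError(f"unexpected root element {root.tag!r}")
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = success.findtext(CAS_NS + "user")
        if not user or not user.strip():
            raise ValueError("authenticationSuccess without <cas:user>")
        return TicketValidation(True, user=user.strip())
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return TicketValidation(False, code=failure.get("code"),
                                message=(failure.text or "").strip())
    raise ValueError("response carries neither success nor failure")


def validate_ticket(cas_base: str, ticket: str, service: str,
                    fetch: Optional[Callable[[str], str]] = None) -> TicketValidation:
    """Send the ticket to CAS once and interpret the answer.

    `fetch(url) -> str` is an assumed hook so the function can be exercised
    offline; by default it performs an HTTPS GET. Call it only once per
    ticket: a service ticket is single-use and short-lived, so a second
    validation of the same ST is answered with INVALID_TICKET.
    """
    if fetch is None:
        def fetch(url: str) -> str:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return parse_validate_response(fetch(build_validate_url(cas_base, ticket, service)))


# Failure response quoted verbatim in the question above.
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
Ticket 'ST-3285-1AijQkayTlcWSXQIVHUP-svvautht01.domain.org' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed success response (not from the page) for the same service.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>jdoe</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>"""


if __name__ == "__main__":
    cas = "https://svvautht01.domain.org:8443/cas"
    svc = "http://localhost:15559/WebApp/Main"
    st = "ST-3285-1AijQkayTlcWSXQIVHUP-svvautht01.domain.org"
    print(build_validate_url(cas, st, svc))
    print(validate_ticket(cas, st, svc, fetch=lambda url: FAILURE_XML))
    print(validate_ticket(cas, st, svc, fetch=lambda url: SUCCESS_XML))
```

The web service should treat only `valid=True` with a non-empty `user` as proof of identity and should log the failure `code` rather than the raw XML. Because the ticket is consumed by the first validation, the web service (not the client application) must be the party that calls /serviceValidate, and it must do so before any other component touches the ticket.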

Maintain Sessions in JAX-RS

I need to build some web services in a WebLogic application server. This server lies between a mobile app and Oracle ERP. Basically, after the mobile app "logs in" to the Oracle ERP via a web service call on the application server, a session should be maintained on the application server. One reason is this:
Every time a web service is called by the mobile app, it needs to return a random challenge token. This is a requirement of our internal security. Within the same session, when the same mobile app calls the same web service (or a different web service) on the application server, it needs to pass the challenge token that it received previously. The application server will then have to check that the token is the same one that it returned previously to the mobile client.
We have discussed using JAX-RS for communication between the mobile app and the web services. However, I have read that JAX-RS is supposed to be stateless. In this case, how can I maintain a session such that the application knows the challenge token that it returned to a client previously? There is no database for the application, by the way. Normally for a web application it can just save the challenge token to a session object, but how do you do so for a web service?
If JAX-RS cannot maintain session, then what about JAX-WS?
Thanks.
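The rotating challenge token described in the question above, implemented server-side, as an added example that is not part of the question or of any JAX-RS or WebLogic code. It keeps the last token handed to each session in memory (the question says there is no database), compares in constant time, and treats every token as single-use with an expiry. The session id, the `clock` hook and the `handle_call` wrapper are assumptions used to show how a resource method would consume the token.

```python
"""Per-session, single-use challenge tokens that rotate on every call (added example)."""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class ChallengeStore:
    """Server-side memory of the last challenge issued to each session.

    Keyed by an opaque session id the server hands out at login (for example
    a random value carried in a header). A token is consumed by the first
    successful check and replaced with a fresh one, so a captured token
    cannot be replayed.
    """

    def __init__(self, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for deterministic tests
        self._pending: Dict[str, Tuple[str, float]] = {}   # sid -> (token, expiry)

    def new_session(self) -> Tuple[str, str]:
        """Called after the ERP login succeeds; returns (session id, first token)."""
        sid = secrets.token_urlsafe(32)
        return sid, self.issue(sid)

    def issue(self, sid: str) -> str:
        """Generate a fresh 256-bit token and remember it for this session."""
        token = secrets.token_urlsafe(32)
        self._pending[sid] = (token, self._clock() + self._ttl)
        return token

    def verify_and_rotate(self, sid: str, presented: str) -> Optional[str]:
        """Return the next token if `presented` is the live token, else None."""
        entry = self._pending.get(sid)
        if entry is None:
            return None                               # unknown or already ended session
        expected, expiry = entry
        if self._clock() > expiry:
            del self._pending[sid]                    # stale: force a fresh login
            return None
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return None                               # wrong token; live one stays valid
        return self.issue(sid)                        # consumed: hand out the replacement

    def end_session(self, sid: str) -> None:
        self._pending.pop(sid, None)


def handle_call(store: ChallengeStore, sid: str, presented: str,
                operation: Callable[[], object]) -> Tuple[object, str]:
    """Shape of a resource method guarded by the challenge token.

    Returns (response body, next token to send back). Raises PermissionError
    when the token is missing, stale or reused so the caller can answer 401.
    """
    next_token = store.verify_and_rotate(sid, presented)
    if next_token is None:
        raise PermissionError("challenge token missing, stale or already used")
    return operation(), next_token


if __name__ == "__main__":
    store = ChallengeStore(ttl_seconds=60)
    sid, token = store.new_session()
    body, token = handle_call(store, sid, token, lambda: {"orders": 3})
    print(body, "next token issued:", token[:8] + "...")
```

The store is process-local, so with several WebLogic managed servers behind a load balancer it has to move to a shared cache or be replaced by a signed, self-describing token; the check-then-rotate logic stays the same either way.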

Response from Web Server is dependent on ZeroMQ (0MQ) RES

In lightweight SOAs I've seen many designs in which a web server receives client requests and sends responses that depend upon responses from other services. I've also seen this done incorrectly, resulting in unacceptable latency issues.
For Example:
Assume:
We have 1 Web API Server and 1 Service A API.
Web Server performs basic User Auth and other User functionality.
Service A performs database operations.
ZeroMQ (ZMQ, 0MQ, etc.) REQ/RES used for service messaging
Work Flow:
Client makes request to Web API Server API.
Web Server performs database operations (auth etc).
Web Server makes request to Service A API.
Service A performs database operations.
Service A responds with data to Web Server.
Web Server receives response and sends response to client.
This pattern is different from the typical offline message queue processing work flow. As well, it includes a request to a single service (A).
While trying to maintain separate system services is this a correct usage pattern with ZeroMQ?
I'm trying to figure out if ZeroMQ can be used to make service requests and send the results to client web service requests without significant performance issues.

WebServices SSO jasig CAS

I tried to do SSO with web services with jasig CAS.
I did the security for the web application using Spring filters, but I don't know how to do it with web services on the server side.
We do this with a combination of the REST client (https://wiki.jasig.org/display/CASUM/RESTful+API) and the CasLoginModule (https://wiki.jasig.org/display/CASC/CASLoginModule+for+JAAS+applications) through JAAS (https://wiki.jasig.org/display/CASUM/JAAS). It works like this:
The client sends a username and password to your web service, which authenticates and validates this against the CAS server. After this, the CASLoginModule caches the resulting service ticket so that future requests that can provide a service ticket don't need to contact CAS again.
This is quite a long way out of the "normal" usage of CAS because essentially it makes the service ticket a long lived item. Normally the ST should last long enough for the resulting service to validate the client. In my case I figured that it doesn't matter too much because all of our communication is on the server-side behind a firewall but this may be different for you.
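The ticket-issuing half of the CAS RESTful API that the answer above relies on (and that step 2 of the first question on this page describes), as an added example that is not the answer's code nor part of the CAS project: POST credentials to /v1/tickets to obtain a ticket-granting ticket, then POST the service URL to that TGT's resource to obtain a service ticket. The `post` transport hook and the `fake_cas` stand-in server are assumptions so the exchange runs offline; the CAS host and service URL are the ones used elsewhere on this page.

```python
"""Obtain a CAS service ticket through the CAS RESTful API (added example)."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

# post(url, form) -> (status, headers, body). Injectable so the flow can be
# exercised without a CAS server; `default_post` is the real HTTP version.
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


class CasRestError(Exception):
    """Raised when CAS does not answer the way the REST API documents."""


def default_post(url: str, form: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:                 # 4xx/5xx still carry a body
        return err.code, dict(err.headers), err.read().decode()


def request_tgt(cas_base: str, username: str, password: str, post: Transport) -> str:
    """Exchange credentials for a TGT; CAS answers 201 with its URL in Location."""
    status, headers, _ = post(f"{cas_base.rstrip('/')}/v1/tickets",
                              {"username": username, "password": password})
    if status != 201:
        raise CasRestError(f"credential check failed: HTTP {status}")
    location = headers.get("Location") or headers.get("location")
    if not location:
        raise CasRestError("201 without a Location header")
    tgt = location.rstrip("/").rsplit("/", 1)[-1]
    if not tgt.startswith("TGT-"):
        raise CasRestError(f"Location does not name a TGT: {location}")
    return tgt


def request_st(cas_base: str, tgt: str, service: str, post: Transport) -> str:
    """Ask the TGT resource for a service ticket bound to `service` (200, ST in body)."""
    tgt_path = urllib.parse.quote(tgt, safe="")
    status, _, body = post(f"{cas_base.rstrip('/')}/v1/tickets/{tgt_path}",
                           {"service": service})
    if status != 200:
        raise CasRestError(f"service ticket request failed: HTTP {status}")
    st = body.strip()
    if not st.startswith("ST-"):
        raise CasRestError("response body is not a service ticket")
    return st


def fetch_service_ticket(cas_base: str, username: str, password: str,
                         service: str, post: Transport = default_post) -> str:
    """Full client-side flow: credentials -> TGT -> ST for one service."""
    tgt = request_tgt(cas_base, username, password, post)
    return request_st(cas_base, tgt, service, post)


CAS_BASE = "https://svvautht01.domain.org:8443/cas"
SERVICE = "http://localhost:15559/WebApp/Main"


def fake_cas(url: str, form: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Constructed stand-in for the CAS REST endpoints (not a real server)."""
    tickets = CAS_BASE + "/v1/tickets"
    if url == tickets:
        if form == {"username": "jdoe", "password": "constructed-password"}:
            return 201, {"Location": tickets + "/TGT-1-constructed"}, ""
        return 400, {}, "Bad credentials"
    if url == tickets + "/TGT-1-constructed" and form.get("service") == SERVICE:
        return 200, {}, "ST-1-constructed"
    return 404, {}, ""


if __name__ == "__main__":
    print(fetch_service_ticket(CAS_BASE, "jdoe", "constructed-password", SERVICE, post=fake_cas))
```

The TGT is the long-lived secret in this flow: the client should hold it only in memory and request a fresh ST from it for every call, rather than reusing an ST, since the receiving service consumes the ST on validation.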

login password web service Java

I'm developing a mobile application for Android and BlackBerry. I want users to be able to connect from their smartphones to a web service which will verify their login and password in an Oracle database; I should maintain the connection between client and server within sessions.
My web service should run under Apache Tomcat using Axis2.
How can I implement this session via SOAP messages?
Thanks in advance :)
It's best if you can get this done without having to maintain sessions. If maintaining a session is a must, you'll have to pass authentication details with each SOAP request along with a token or a session status object which at each end you'll be manually updating with status.