CAS authentication of a RESTful web service


Problem description

My application needs to access a RESTful web service running on a different server. This web service uses CAS authentication, and when consuming it through the browser it will redirect to CAS login if the user isn't already authenticated. There is no method to actually log in through CAS. My application also uses CAS, so users will be authenticated.

I'd like to access it through JQuery/Ajax, but the server doesn't seem to be configured for JSONP, which I understand is essential because of the cross-domain issue.

Now, I could make the Ajax requests via my server instead, which leads to my question: with no CAS login method for my server to call, how can I 'tell' the web service that the user is authenticated?

So I suppose firstly I want to get clear on what's going on between the browser, CAS, and the RESTful service, and how authorisation is handled without any explicit passing of credentials. Secondly, I want to see how/if I can replicate that when calling the service from my server; it wouldn't be the same session as a request from the browser, so there'd be no CAS authorisation token, but I don't see how to get one or provide it.

Recommended answer

For question 1 on how the authentication/single sign-on works:

When you log in, the CAS server (say security.example.com) would set a cookie in your browser for the domain security.example.com. A typical flow when you access secured files through the browser on an application using standard CAS authentication and validation filters looks like:


  1. 为应用程序配置检查,如果用户对象是在会话CAS认证过滤器。如果是用户是通过让

  2. 如果不是,CAS认证过滤器重定向浏览器CAS登录页面。在方案中的单点登录,CAS服务器识别自己的cookie时,会检查应用程序注册并参与单点登录 - 如果是浏览器重定向回​​用服务票证应用

  3. 在应用程序配置
  4. CAS验证标识过滤服务票据和接触CAS服务器用于验证车票和创建断言对象

For this entire flow to work you need cookies and session handling to work.

For question 2 on how to handle authentication on the server side:

We had a similar problem in our application and use two different ways to get around it:


  1. Use an internal system user and do a server-to-server access passing the credentials of this user using basic authentication headers. Of course you need to have appropriate filters configured to handle a non-interactive login with basic authentication tokens. This is easy to implement, however it has obvious downsides like having this special system user, your application seeing the user's password, etc.
  2. Use proxy authentication. In this approach, when your user is authenticated for application1, it also generates a proxy ticket to be used by application2 (server-to-server call). This proxy ticket can be passed in server-to-server communication so that application1 accesses application2 on behalf of the user.
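The three-step filter chain and the proxy-ticket approach from the answer, as an added in-process simulation that is not part of the original answer. `CasServer` is a constructed stand-in for security.example.com: the ST/PGT/PT ticket prefixes and the /login, /serviceValidate, /proxy and /proxyValidate semantics follow the CAS protocol, while the application names, URLs and the `pgtCallback` path are assumptions.

```python
import secrets
from urllib.parse import urlencode


class CasServer:
    """In-memory stand-in for security.example.com (constructed for this example)."""
    def __init__(self):
        self.tickets = {}  # ticket -> (user, service it is bound to, proxying app)
        self.pgts = {}     # proxy-granting ticket -> user
    def login(self, user, service):
        # Browser already holds the SSO cookie: CAS issues a one-time ST for 'service'
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (user, service, None)
        return st
    def validate(self, ticket, service, pgt_url=None, allow_proxy=False):
        # /serviceValidate (allow_proxy=False) or /proxyValidate (allow_proxy=True): single-use, service-bound
        entry = self.tickets.pop(ticket, None)
        if entry is None or entry[1] != service or (entry[2] and not allow_proxy):
            return None
        user, _, proxied_by = entry
        assertion = {"user": user, "proxies": [proxied_by] if proxied_by else []}
        if pgt_url:  # application supplied a pgtUrl callback: hand it a PGT too
            pgt = "PGT-" + secrets.token_hex(8)
            self.pgts[pgt] = user
            assertion["pgt"] = pgt
        return assertion
    def proxy(self, pgt, target_service, proxying_app):
        # /proxy: application1 trades its PGT for a PT addressed to application2
        user = self.pgts.get(pgt)
        if user is None:
            return None
        pt = "PT-" + secrets.token_hex(8)
        self.tickets[pt] = (user, target_service, proxying_app)
        return pt


def cas_filter(cas, session, service, ticket=None):
    """Steps 1-3 of the answer, applied to one browser request for 'service'."""
    if "assertion" in session:  # step 1: user object already in the session
        return "OK", session["assertion"]
    if ticket is None:          # step 2: redirect to CAS login, carrying the service URL
        return "REDIRECT", "https://security.example.com/cas/login?" + urlencode({"service": service})
    # step 3: validation filter exchanges the ST for an assertion and requests a PGT
    assertion = cas.validate(ticket, service, pgt_url=service + "/pgtCallback")
    if assertion is None:
        return "DENY", None
    session["assertion"] = assertion
    return "OK", assertion


def call_app2_on_behalf(cas, app1_assertion, app2_service):
    pt = cas.proxy(app1_assertion["pgt"], app2_service, "application1")  # question 2, option 2
    return cas.validate(pt, app2_service, allow_proxy=True)  # app2's /proxyValidate
```

Note that a replayed ticket, a ticket bound to a different service URL, and a proxy ticket presented to plain /serviceValidate are all rejected; application2 must validate PTs through /proxyValidate.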
