at our company we have multiple web applications deployed that are secured through SSO using CAS server. A user requests an url of an application, and if not already authenticated, gets redirected to the CAS server login page. In case of successful authentication the user will be redirected back to the originally requested url. common workflow and works perfectly.
but, we also want to protect our REST Apis using CAS Server. Our prefered flow would be as follows:
sounds like OAuth, which CAS server does support, except that the user is not asked for a credentials at any time, but we'd also like to provide authentication for services i.e., other applications calling our APIs:
We want our REST Api applications to know nothing about user credentials, they don't even have access to the user database, which works just fine for humans using the application (redirect to CAS login page).
I don't know how we can implement this flow without having to heavily customize CAS server and implement this behavior by ourselves.
Google uses JWT for OAuth 2.0 for Server to Server Applications, which seems like the way to go.
I'd appreciate it if anyone can provide some hints or alternatives (to CAS server). Maybe someone has already implemented this pattern using CAS server and can provide some information on this issue.
Best Regards, Marco
finally we got it working in an easy way:
at CAS server:
the REST endpoint /cas/../token returns a JSON object:
{ serviceTicket: 'ST-ALKSJDFLSJDFLKJ-Ljksdf-sdflkjsf' }
at (Spring-based) CAS client (protected resource):
<bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="service" value="${cas.service.url}" />
<property name="sendRenew" value="false" />
<property name="authenticateAllArtifacts" value="true"/>
</bean>
now, the client, which wants to access your protected resources, can
GET /rest/foo/bar HTTP/1.1 Host: www.example.com Authorization: CUSTOM_SCHEME ST-ALKSJDFLSJDFLKJ-Ljksdf-sdflkjsf
since CAS client CasAuthenticationFilter obtains artifacts (i.e., ST) on each request, the client gets authenticated in just a single request.
Additionally on CAS server, you can configure the ST to be valid for only n requests (the number of times the CAS client requests the serviceValidate url at CAS server).
I think this is a pretty good way without having to customize CAS server and client massively, and subsequently, creating critical security flaws.