Yan,

If I understand correctly, you have deployed App A and App B. You are not able nor willing to change CAS config on App B because it breaches PCI compliance. It seems odd that PCI compliance would allow any user access but not allow a proxy. Did you create app A or are both apps from third party vendors?
If app B needs to know the user that is sending the request, then you will have to use clearpass, https://apereo.github.io/cas/4.0.x/integration/ClearPass.html. If app B only needs to have an authenticated user, then perhaps App A can perform the login on behalf of all users. The Ajax calls would go from App A UI to App A service that makes the REST calls.

What do the creators of App B suggest for authentication?

Ray

On 2016-11-02 13:12, Yan Zhou wrote:
> Thanks for the feedback.
>
> Unfortunately, we cannot use Proxy Authentication, due to PCI implications. A non PCI-compliant app proxying a PCI (credit card) service would not be allowed by PCI standards.
>
> The reason we run into problems with CAS protected REST services (App B, no UI) is that Ajax somehow does not handle redirects (even after I enable CORS). The browser does it fine, but it fails when Ajax tries to access the REST endpoint without an application session in place, which triggers the CAS login flow with all the redirects.
>
> I do not see how OAuth solves that problem. Does that require a login page UI to redirect to and back? Would that not run into the same problem with Ajax?
>
> Can you elaborate on JSONP? Would app B now have to know the user's password? CAS is nice because the application does not see the user's password, only the CAS server does.
>
> Thx,
> Yan
>
> On Wed, Nov 2, 2016 at 5:41 AM, Pascal Rigaux <[email protected]> wrote:
>> Hi,
>>
>> Solutions:
>> - proxy CAS: As the proxy ticket can only be validated once, you will need to cache the ticket, or create your own session
>> - JWT: create a JWT and check it on app B.
>> - oauth
>> - JSONP login on app B. We are using this quite a lot. Simple and works great.
>>
>> Commits implementing this on angular-seed:
>> https://github.com/prigaux/angular-seed/commits/master
>> and especially the first one:
>> https://github.com/prigaux/angular-seed/commit/27eae718ff6fd3206f60926317c7a24ddfd79b68
>>
>> I wrote some doc on this, alas in French:
>> http://prigaux.github.io/presentation-web-widgets-cas-jsonp/index.html#/7
>>
>> Happy CAS,
>> cu
>>
>> On 01/11/2016 20:22, Yan Zhou wrote:
>>> Hello,
>>>
>>> The CAS protocol does not let the apps (CAS clients) get the TGT ticket. We have a need for that.
>>>
>>> We have two web apps, both CASified in CAS 4.1.X. One web app has an AngularJS (JavaScript) front end, and the other web app is UI-less, it just offers REST services.
>>>
>>> JavaScript code in App A wants to call the REST API in App B. We ran into problems with CORS, etc. But even after CORS is enabled, we still run into trouble.
>>>
>>> So the thought is: if the JavaScript code can get hold of the TGT after the user logs in to App A, then the JS code can use the CAS REST API to authenticate against the 2nd app (the UI-less REST services).
>>>
>>> Is that a bad idea, and how is that possible?
>>>
>>> Yan
>>>
>>> --
>>> - CAS gitter chatroom: https://gitter.im/apereo/cas
>>> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
>>> - CAS documentation website: https://apereo.github.io/cas
>>> - CAS project website: https://github.com/apereo/cas
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f60e5fea-2a9b-4515-8a92-a7c2c8769497%40apereo.org.
>>
>> --
>> Pascal Rigaux
>>
>> Expert in application development and deployment
>> DSIUN-SAS (applications and digital services department)
>> Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
>> B 402 - 90, rue de Tolbiac - 75634 PARIS CEDEX 13 - FRANCE
>> Tel: 01 44 07 86 59

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE C023 | [email protected]

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bf8f3d53-4936-889b-90e9-65e36bcb25c6%40uvic.ca.
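Pascal's first option (proxy CAS, with the caveat that a proxy ticket validates only once) and Ray's point that App B then needs a session of its own, shown as an added example that is not code from the thread, from CAS or from angular-seed: the App B side validates the proxy ticket once, checks that the proxy chain is the one it trusts, and hands back its own session token. Hostnames, the proxy callback URL and the two XML responses are placeholders constructed for this example.

```python
# Added example (not code from the thread, from CAS or from angular-seed):
# App B, a UI-less REST service, validates a CAS proxy ticket (PT) minted by
# App A once via /p3/proxyValidate and mints its own session token, so later
# Ajax calls carry that token and never re-enter the CAS redirect flow.
# Hostnames and the proxy callback are placeholders; the XML samples are
# constructed to mirror the CAS 3.0 protocol's proxyValidate response.
import secrets
import time
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
TRUSTED_PROXY = "https://app-a.example.test/pgtCallback"  # placeholder

SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
 <cas:authenticationSuccess><cas:user>yan</cas:user>
  <cas:proxies><cas:proxy>https://app-a.example.test/pgtCallback</cas:proxy></cas:proxies>
 </cas:authenticationSuccess></cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
 <cas:authenticationFailure code="INVALID_TICKET">bad PT</cas:authenticationFailure>
</cas:serviceResponse>"""

def parse_validation(xml_text):
    """Principal if CAS vouched for it and every proxy in the chain is
    trusted by App B; None on failure or on an unknown proxy."""
    ok = ET.fromstring(xml_text).find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        return None
    chain = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]
    if any(p != TRUSTED_PROXY for p in chain):
        return None  # ticket relayed through a proxy App B does not trust
    return ok.findtext("cas:user", namespaces=CAS_NS)

SESSIONS = {}  # token -> (user, expiry); use a real store in production

def session_from_ticket(xml_text, ttl=900):
    """Exchange one validated PT (the proxyValidate body) for a session token."""
    user = parse_validation(xml_text)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, time.time() + ttl)
    return token

def user_for(token):
    """Resolve the session token on later calls; expired tokens are dropped."""
    rec = SESSIONS.get(token)
    if rec is None or rec[1] < time.time():
        SESSIONS.pop(token, None)
        return None
    return rec[0]
```

App A would obtain the PT from the CAS /proxy endpoint with its PGT and send it to App B in the first Ajax call; every later call carries only the App B token.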
