Ray,

Thank you for your idea. But after I checked the Proxy Authentication Protocol documentation, I think that is not what I want.

The sensitive API provider mentioned before is not a web service; it is a micro-service, without a session, no status, so there is no need to log in to the API service, thus it's not protected under CAS. In fact I think this is not an authentication problem, it is a micro-service governing problem; it's about how to track a request in a micro-service distributed system.

We finally found what we could do. All we are asking for is the ability to update the principal's attributes on each service ticket validation event. So I took a trip (which is difficult) into CAS's source code, and found that we could set services' attribute release policy member in the JSON service registry to a class which is under our control, and in our AttributeReleasePolicy class, we will call a remote API to get the latest attributes on every service validation. The only problem left is that the getAttributes method was called twice at each ST validation... but I think I will work it out soon.

Anyway, thank you for your reply.

James

On Wednesday, August 21, 2019 at 11:52:41 PM UTC+8, rbon wrote:
>
> jm,
>
> This sounds like proxy protocol,
> https://apereo.github.io/cas/6.0.x/installation/Configuring-Proxy-Authentication.html
> Your APIs will have to be CASified.
>
> Ray
>
> On Mon, 2019-08-19 at 21:20 -0700, jm wrote:
>
> Hi all,
>
> There are some sensitive API providers (services without a web interface) in our company, and some web services will invoke those APIs. Web services are all logged in via the CAS service provided by me. Here comes the requirement: sensitive API providers want to obtain the origin caller from the caller. They want to know the origin user and the origin service to which the user logged in.
>
> So I have to record some information when some events happen; they are:
> 1. User authenticated successfully
> 2. ST granted and validated successfully
> 3. TGT expired
>
> I have an idea to do this.
> I can make an aspect to hijack the Inspektr framework's APIs; in the aspect I will get the AuditActionContext object and do an HTTP call to send this audit event to my service.
>
> But is there a better way to do this? Like subscribing to some events directly in CAS or ... something I didn't realize.
>
> James
>
> --
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
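One way to keep the double getAttributes call from doubling the remote lookups, as an added example that is not code from this thread or from CAS: a short-TTL, per-principal cache that the custom release policy would delegate to, and that releases nothing when the remote API fails. The class name, the remote client function, the 2-second TTL and keying by principal id are assumptions; the CAS hook itself is left out because its signature is not given in the thread.

```java
import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import java.util.function.LongSupplier;

// Hypothetical helper, not a CAS class: a short-lived cache in front of the remote attribute API.
final class FreshAttributeSource {
    private static final class Entry {
        final Map<String, List<Object>> attrs; final long fetchedAt;
        Entry(Map<String, List<Object>> attrs, long fetchedAt) { this.attrs = attrs; this.fetchedAt = fetchedAt; }
    }
    private final Function<String, Map<String, List<Object>>> remote; // assumed client for the remote API
    private final long ttlNanos;
    private final LongSupplier clock; // injectable so the demo can advance time
    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();

    FreshAttributeSource(Function<String, Map<String, List<Object>>> remote, Duration ttl, LongSupplier clock) {
        this.remote = remote; this.ttlNanos = ttl.toNanos(); this.clock = clock;
    }

    // Intended to be called from the custom release policy's getAttributes with the principal id.
    Map<String, List<Object>> attributesFor(String principalId) {
        long now = clock.getAsLong();
        try {
            // compute() is atomic per key, so concurrent calls for one principal share one fetch.
            return cache.compute(principalId, (id, old) ->
                    old != null && now - old.fetchedAt < ttlNanos ? old
                            : new Entry(Map.copyOf(remote.apply(id)), now)).attrs;
        } catch (RuntimeException e) {
            cache.remove(principalId);
            return Map.of(); // fail closed: release nothing rather than stale attributes
        }
    }

    public static void main(String[] args) {
        int[] calls = {0};
        long[] nanos = {0};
        FreshAttributeSource src = new FreshAttributeSource(id -> {
            calls[0]++; // constructed stand-in for the remote API
            return Map.of("dept", List.of("finance-v" + calls[0]));
        }, Duration.ofSeconds(2), () -> nanos[0]);
        src.attributesFor("james"); // first getAttributes call of one ST validation
        src.attributesFor("james"); // second call of the same validation, served from cache
        System.out.println("remote calls after one validation: " + calls[0]);
        nanos[0] += Duration.ofSeconds(3).toNanos(); // a later validation, TTL elapsed
        System.out.println(src.attributesFor("james") + ", remote calls: " + calls[0]);
    }
}
```

The TTL only needs to cover the gap between the two calls inside one validation; a longer value delays the point at which changed or revoked attributes reach the downstream services.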
