CAS authentication in Restlet server

Arjohn Kampman

CAS authentication in Restlet server

Hi all,

I'm planning to integrate CAS (proxy) authentication in my Restlet-based
server. Has anyone worked on this before? Any suggestions on how to best
implement this?

CAS: http://www.jasig.org/cas

Regards,

Arjohn

--
Arjohn Kampman, Senior Software Engineer
Aduna - Semantic Power
www.aduna-software.com

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2415378
Rhett Sutphin

Re: CAS authentication in Restlet server

Hi Arjohn,

On Nov 7, 2009, at 4:31 AM, Arjohn Kampman wrote:

> I'm planning to integrate CAS (proxy) authentication in my Restlet-based
> server. Has anyone worked on this before? Any suggestions on how to best
> implement this?

I have done this for my Restlet-based API.  I can point you to the  
code[1], but since the application is a redistributable webapp which  
supports several authentication plugins, the implementation is  
probably more indirect than you need.  Also, please note that my  
experience is with Restlet 1.1 only so far -- I haven't tried to  
update this application to 2.0.

If I were adding support for just CAS, I would define a new challenge  
scheme (call it something like cas_proxy_ticket) and define a Guard  
and AuthenticationHelper pair which handle this scheme.  This would  
mean that a client would need to acquire a proxy ticket and then  
include it in the HTTP request as the Authentication header, something  
like

Authentication: cas_proxy_ticket PT-123456789

Rhett

[1]: https://ncisvn.nci.nih.gov/svn/psc/trunk/web/src/main/java/edu/northwestern/bioinformatics/studycalendar/restlets/PscGuard.java 
  and https://ncisvn.nci.nih.gov/svn/psc/trunk/web/src/main/java/edu/northwestern/bioinformatics/studycalendar/restlets/PscAuthenticationHelper.java 
  are the Restlet-specific parts.  https://ncisvn.nci.nih.gov/svn/psc/trunk/authentication/cas-plugin/src/main/java/edu/northwestern/bioinformatics/studycalendar/security/plugin/cas/CasAuthenticationSystem.java 
  is the plugin for CAS.

>
> CAS: http://www.jasig.org/cas
>
> Regards,
>
> Arjohn
>
> --
> Arjohn Kampman, Senior Software Engineer
> Aduna - Semantic Power
> www.aduna-software.com
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2415378

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2415839
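
The server-side check behind the scheme suggested above, as an added example that is not part of the original post and not taken from the PSC code it links to: it parses the `cas_proxy_ticket` header value, builds the CAS 2.0 `/proxyValidate` request, and reads the user from the validation response. It uses only the JDK and no Restlet classes; the host names, the user `jdoe`, the sample responses and the strict `PT-` ticket pattern are assumptions made for illustration.

```java
import java.io.StringReader;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class CasProxyTicketCheck {
    static final String SCHEME = "cas_proxy_ticket";            // scheme name suggested in the thread
    static final String CAS_NS = "http://www.yale.edu/tp/cas";  // CAS 2.0 response namespace

    /** Returns the ticket from a "cas_proxy_ticket PT-..." header value, or null if malformed. */
    static String extractTicket(String headerValue) {
        if (headerValue == null) return null;
        String[] parts = headerValue.trim().split("\\s+");
        if (parts.length != 2 || !parts[0].equalsIgnoreCase(SCHEME)) return null;
        // Assumption: accept only the PT- prefix and a conservative character set and length.
        return parts[1].matches("PT-[A-Za-z0-9\\-]{1,253}") ? parts[1] : null;
    }

    /** URL the server calls so that CAS validates the ticket for this exact service. */
    static String validationUrl(String casBase, String service, String ticket) {
        return casBase + "/proxyValidate?service=" + URLEncoder.encode(service, StandardCharsets.UTF_8)
                + "&ticket=" + URLEncoder.encode(ticket, StandardCharsets.UTF_8);
    }

    /** Returns the authenticated user from a CAS 2.0 validation response, or null on failure. */
    static String authenticatedUser(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response crosses a trust boundary: refuse DTDs so no entities are expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        if (d.getElementsByTagNameNS(CAS_NS, "authenticationSuccess").getLength() != 1) return null;
        NodeList users = d.getElementsByTagNameNS(CAS_NS, "user");
        return users.getLength() == 1 ? users.item(0).getTextContent().trim() : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; cas.example.org and api.example.org are placeholders.
        String ok = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'><cas:authenticationSuccess>"
                + "<cas:user>jdoe</cas:user></cas:authenticationSuccess></cas:serviceResponse>";
        String bad = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'><cas:authenticationFailure"
                + " code='INVALID_TICKET'>not recognized</cas:authenticationFailure></cas:serviceResponse>";
        String ticket = extractTicket("cas_proxy_ticket PT-123456789");
        System.out.println(validationUrl("https://cas.example.org/cas", "https://api.example.org/", ticket));
        System.out.println(authenticatedUser(ok) + " / " + authenticatedUser(bad));
        System.out.println(extractTicket("Basic dXNlcjpwdw=="));  // wrong scheme is rejected
    }
}
```

A proxy ticket is single-use and bound to the `service` value, so the server validates each request's ticket once against its own service URL and treats any response other than exactly one `authenticationSuccess` element as unauthenticated.
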
Arjohn Kampman

Re: CAS authentication in Restlet server

Hi Rhett,

Many thanks for these pointers and your suggestions. The code looks nice
and clean. The license for this code looks very BSD-like, is that
correct?

I noticed that this code is based on acegi. Is this easier/better than
using the CAS client code directly?

Arjohn

Rhett Sutphin wrote:

> I have done this for my Restlet-based API.  I can point you to the  
> code[1], but since the application is a redistributable webapp which  
> supports several authentication plugins, the implementation is  
> probably more indirect than you need.  Also, please note that my  
> experience is with Restlet 1.1 only so far -- I haven't tried to  
> update this application to 2.0.
>
> If I were adding support for just CAS, I would define a new challenge  
> scheme (call it something like cas_proxy_ticket) and define a Guard  
> and AuthenticationHelper pair which handle this scheme.  This would  
> mean that a client would need to acquire a proxy ticket and then  
> include it in the HTTP request as the Authentication header, something  
> like
>
> Authentication: cas_proxy_ticket PT-123456789
>
> Rhett

--
Arjohn Kampman, Senior Software Engineer
Aduna - Semantic Power
www.aduna-software.com

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2416109
Rhett Sutphin

Re: CAS authentication in Restlet server

Hi Arjohn,

On Nov 10, 2009, at 5:31 AM, Arjohn Kampman wrote:

> Hi Rhett,
>
> Many thanks for these pointers and your suggestions. The code looks nice
> and clean.

Thanks.

> The license for this code looks very BSD-like, is that
> correct?

That's correct.  You're free to take and adapt it if you like with no  
limits on redistribution of any derived code.

> I noticed that this code is based on acegi. Is this easier/better than
> using the CAS client code directly?

If you're just using Restlet, maybe not.  This application contains  
both a Spring MVC webapp and a Restlet-based RESTful API, so I adapted  
the Acegi bits from the webapp to work with Restlet, too.  Acegi's CAS  
integration seems like a pretty thin wrapper around the jasig client.

Rhett

>
> Arjohn
>
> Rhett Sutphin wrote:
>> I have done this for my Restlet-based API.  I can point you to the
>> code[1], but since the application is a redistributable webapp which
>> supports several authentication plugins, the implementation is
>> probably more indirect than you need.  Also, please note that my
>> experience is with Restlet 1.1 only so far -- I haven't tried to
>> update this application to 2.0.
>>
>> If I were adding support for just CAS, I would define a new challenge
>> scheme (call it something like cas_proxy_ticket) and define a Guard
>> and AuthenticationHelper pair which handle this scheme.  This would
>> mean that a client would need to acquire a proxy ticket and then
>> include it in the HTTP request as the Authentication header, something
>> like
>>
>> Authentication: cas_proxy_ticket PT-123456789
>>
>> Rhett
>
> --
> Arjohn Kampman, Senior Software Engineer
> Aduna - Semantic Power
> www.aduna-software.com
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2416109

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2416151
jlouvel

RE: CAS authentication in Restlet server

Hi all,

In addition, we have a pending RFE:

"Support SSO mechanisms"
http://restlet.tigris.org/issues/show_bug.cgi?id=693

There is an indirect pointer there to another CAS implementation from Alex
Horn.

It might be a good idea to provide a dedicated Restlet extension for CAS.
Anyone willing to lead this?

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com




-----Original Message-----
From: Rhett Sutphin [mailto:[hidden email]]
Sent: Tuesday, November 10, 2009 15:07
To: [hidden email]
Subject: Re: CAS authentication in Restlet server

Hi Arjohn,

On Nov 10, 2009, at 5:31 AM, Arjohn Kampman wrote:

> Hi Rhett,
>
> Many thanks for these pointers and your suggestions. The code looks nice
> and clean.

Thanks.

> The license for this code looks very BSD-like, is that
> correct?

That's correct.  You're free to take and adapt it if you like with no  
limits on redistribution of any derived code.

> I noticed that this code is based on acegi. Is this easier/better than
> using the CAS client code directly?

If you're just using Restlet, maybe not.  This application contains  
both a Spring MVC webapp and a Restlet-based RESTful API, so I adapted  
the Acegi bits from the webapp to work with Restlet, too.  Acegi's CAS  
integration seems like a pretty thin wrapper around the jasig client.

Rhett

>
> Arjohn
>
> Rhett Sutphin wrote:
>> I have done this for my Restlet-based API.  I can point you to the
>> code[1], but since the application is a redistributable webapp which
>> supports several authentication plugins, the implementation is
>> probably more indirect than you need.  Also, please note that my
>> experience is with Restlet 1.1 only so far -- I haven't tried to
>> update this application to 2.0.
>>
>> If I were adding support for just CAS, I would define a new challenge
>> scheme (call it something like cas_proxy_ticket) and define a Guard
>> and AuthenticationHelper pair which handle this scheme.  This would
>> mean that a client would need to acquire a proxy ticket and then
>> include it in the HTTP request as the Authentication header, something
>> like
>>
>> Authentication: cas_proxy_ticket PT-123456789
>>
>> Rhett
>
> --
> Arjohn Kampman, Senior Software Engineer
> Aduna - Semantic Power
> www.aduna-software.com
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2416109

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2416151

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2416500