RESTful CAS


Leveraging CAS to Protect RESTful Resources and Support Non-Browser Clients

David Ohsie, EMC Corporation (david.ohsie@emc.com)
John Field, Pivotal (jfield@gopivotal.com)
Vijaya Bharadwaj, Pivotal (vbharadwaj@gopivotal.com)

© Copyright 2013 EMC Corporation. All rights reserved.

2. Background
- EMC is an Apereo Commercial Affiliate
- EMC ships CAS embedded in software (and later some hardware) platforms in order to integrate software
- The three authors (David, John, Vijaya) work on CAS adoption across EMC products
- I (David) participate on the CAS user list and the CAS appsec working group

3. Goals
- Understand the REST challenges to CAS
- Understand two very, very simple techniques to meet those challenges
- If these ideas resonate, incorporate them into the CAS protocol and codebase

4. Problem Statement
- CAS works nicely when the client is a browser
- "Problem": make CAS work with RESTful clients
- RESTful client working definition:
  - An HTTP client that doesn't grok HTML/JavaScript
- A RESTful client may or may not have a person behind it

5. Use Cases
- Command line clients
- Proxy ticketing
- AJAX clients
- Programmatic clients

6. CAS Browser Interaction
Parties: Browser, CAS Server, Protected Service.
- Browser -> Protected Service: GET https://app.com/
- Protected Service -> Browser: 302 Location: https://cas.com/cas/login?service=https://app.com
- Browser -> CAS Server: GET https://cas.com/cas/login?service=https://app.com/
- CAS Server -> Browser: 200 [Content of Login page] (browser gets login form; "Danger, Will Robinson!")
- Browser -> CAS Server: POST https://cas.com/cas/login?service=https://app.com/ (browser POSTs username and password)
- CAS Server -> Browser: 302 Location: https://app.com/?ticket=ST-12345-10.1.1.8
- Browser -> Protected Service: GET https://app.com/?ticket=ST-12345-10.1.1.8
- Protected Service -> Browser: 200 Service Response, Set-Cookie: MOD_AUTH_CAS_S=sldkf0fj498

7. What about the CAS "REST" interface?
- Client has to know when to authenticate
- Client has to know where to authenticate
- Solution: use 401 when you need to authenticate instead of a 302
- What about browsers?
  - Key the behavior off of a header. REST clients send it, while browsers don't.

8. CAS REST Interaction
Parties: Client, CAS Server, Protected Service.
- Client -> Protected Service: GET/POST https://app.com/ with header X-EMC-MAC-USE-401: TRUE
- Protected Service -> Client: 401 WWW-Authenticate: X-EMC-CAS realm="EMC CAS", Location: https://cas.com/cas/v1/tickets
- Client -> CAS Server (CAS REST endpoint/protocol): POST https://cas.com/cas/v1/tickets, content (form encoded): username=u&password=p
- CAS Server -> Client: 201 Location: https://cas.com/cas/v1/tickets/TGT-2-abcdefg
- Client -> CAS Server (CAS REST endpoint/protocol): POST https://cas.com/cas/v1/tickets/TGT-2-abcdefg, content (form encoded): service=https://app.com/
- CAS Server -> Client: 200 OK, content (text): ST-3-abcdefg
- Client -> Protected Service: GET https://app.com/?ticket=ST-3-abcdefg
- Protected Service -> Client: 200 Service Response, Set-Cookie: MOD_AUTH_CAS_S=sldkf0fj498

9. Where are we?
- Positives:
  - Clients can install a 401 handler to get the service ticket
  - 401 unambiguously indicates that a CAS login is required and where the client is required to log in
- Negatives:
  - CAS REST protocol works, but is non-standard

10. CAS REST V2 Interaction
Parties: Client, CAS Server, Protected Service.
- Client -> Protected Service: POST https://app.com/ with header X-EMC-CAS-V2: TRUE
- Protected Service -> Client: 401 WWW-Authenticate: X-EMC-CAS-V2 realm="EMC CAS", Location: https://cas.com/cas/login?service=https://app.com&casAction=login
- Client -> CAS Server: GET https://cas.com/cas/login?service=https://app.com&casAction=login
- CAS Server -> Client: 401 WWW-Authenticate: Basic realm="CAS"
- Client -> CAS Server: GET https://cas.com/cas/login?service=https://app.com&casAction=login with Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- CAS Server -> Client: 302 Location: https://app.com/?ticket=ST-12345-10.1.1.8&casAction=login
- Client -> Protected Service: GET https://app.com/?ticket=ST-12345-10.1.1.8&casAction=login
- Protected Service -> Client: 204 Set-Cookie: MOD_AUTH_CAS_S=sldkf0fj498
- Now that the user is authenticated, the POST can be repeated

11. Where are we?
- Positives:
  - Clients can install a 401 handler to get the service ticket
  - Actual authentication done via Basic Auth or another standard authentication method
  - 401 handler is very simple
- Negatives:
  - Still requires a special 401 X-EMC-CAS-V2 handler

12. CAS REST V2 Interaction (browser)
Parties: Browser, CAS Server, Protected Service.
- Browser -> Protected Service: GET https://app.com/ (X-EMC-CAS-V2: TRUE)
- Protected Service -> Browser: 302 Location: https://cas.com/cas/login?service=https://app.com
- Browser -> CAS Server: GET https://cas.com/cas/login?service=https://app.com
- CAS Server -> Browser: 401 WWW-Authenticate: Basic realm="CAS"
- Browser -> CAS Server: GET https://cas.com/cas/login?service=https://app.com with Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- CAS Server -> Browser: 302 Location: https://app.com/?ticket=ST-12345
- Browser -> Protected Service: GET https://app.com/?ticket=ST-12345
- Protected Service -> Browser: 200 Set-Cookie: MOD_AUTH_CAS_S=sldkf0fj498

13. Possible Objections
- Doesn't CAS have a REST protocol already?
  - Yes, but it implies that the client knows when and where to use it.
  - It contains sensitive info in the URI
- REST clients are programmatic. Why do you need SSO?
  - Not all REST clients are programmatic
  - Those that are can still benefit from an IdP and a unified authentication experience

14. How we did it
- Small change in the CAS client to turn 302 into 401 based on the incoming header
- Small addition to the CAS webflow to present 401 Basic auth
- We also have a simple 401 handler for the Apache HttpClient and a C# version for use with the protocol

15. Summary
- Turn the login form into a 401 Basic auth handler to eliminate HTML
- Turn 302 into 401 to tell the client when authentication is required and where to authenticate
- That's really all it is!

16. Next Steps
- Plan to have code up on GitHub once approved
  - CAS + mod_auth_cas + Java CAS client
- Gauge interest in having this be part of the CAS protocol
- Eventually pull requests to CAS and mod_auth_cas
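The REST V2 exchange (slides 10 and 12) and the two changes listed under "How we did it", as an added in-memory simulation that is not code from the deck, from CAS or from mod_auth_cas. Three classes stand in for the CAS server (its /cas/login webflow answering 401 Basic instead of an HTML form), the protected service (302 for a browser, 401 plus Location when the X-EMC-CAS-V2 header is present) and a non-browser client with the "very simple" 401 handler. The hostnames, header names, casAction parameter and MOD_AUTH_CAS_S cookie are taken from the slides; the Response type, the alice/s3cret credentials, the single-use ticket table and the client's check that credentials go only to the pinned CAS host are this example's own assumptions.

```python
# Added example (not code from the deck, CAS or mod_auth_cas): the "CAS REST V2" exchange
# simulated in memory. Hostnames, headers, casAction and the MOD_AUTH_CAS_S cookie follow the
# slides; the Response type, pinned-CAS-host check and single-use ticket table are assumptions.
import base64
import secrets
from collections import namedtuple
from urllib.parse import parse_qs, urlencode, urlparse

CAS_HOST, SERVICE_URL = "cas.com", "https://app.com/"
CAS_LOGIN = f"https://{CAS_HOST}/cas/login"

Response = namedtuple("Response", "status headers body", defaults=({}, ""))

class CasServer:
    """/cas/login webflow with a 401 Basic challenge in place of the HTML login form."""
    def __init__(self, users):
        self.users = users   # constructed username -> password table
        self.tickets = {}    # service ticket -> (service, user), consumed on validation

    def handle(self, method, url, headers):
        service = parse_qs(urlparse(url).query).get("service", [""])[0]
        try:
            raw = base64.b64decode(headers.get("Authorization", "").removeprefix("Basic "))
            user, _, pw = raw.decode().partition(":")
        except ValueError:   # missing or malformed Basic credentials
            user = pw = None
        if user is None or self.users.get(user) != pw:
            return Response(401, {"WWW-Authenticate": 'Basic realm="CAS"'})
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (service, user)
        return Response(302, {"Location": f"{service}?{urlencode({'ticket': st, 'casAction': 'login'})}"})

    def validate(self, service, ticket):
        # The ticket must exist, be bound to the presenting service, and is good for one use only.
        entry = self.tickets.pop(ticket, None)
        return entry[1] if entry and entry[0] == service else None

class ProtectedService:
    """CAS-protected app: classic 302 for browsers, 401 when the V2 header is present."""
    def __init__(self, cas):
        self.cas, self.sessions = cas, {}   # session id -> user

    def handle(self, method, url, headers):
        sid = headers.get("Cookie", "").removeprefix("MOD_AUTH_CAS_S=")
        if sid in self.sessions:
            return Response(200, {}, f"Service Response for {self.sessions[sid]}")
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if ticket is not None:
            user = self.cas.validate(SERVICE_URL, ticket)
            if user is None:
                return Response(403, {}, "invalid ticket")
            sid = secrets.token_hex(8)
            self.sessions[sid] = user
            return Response(204, {"Set-Cookie": f"MOD_AUTH_CAS_S={sid}"})
        login = f"{CAS_LOGIN}?{urlencode({'service': SERVICE_URL, 'casAction': 'login'})}"
        if headers.get("X-EMC-CAS-V2", "").upper() == "TRUE":
            return Response(401, {"WWW-Authenticate": 'X-EMC-CAS-V2 realm="EMC CAS"', "Location": login})
        return Response(302, {"Location": login})

class RestClient:
    """Non-browser client carrying the deck's 'very simple' 401 handler."""
    def __init__(self, transport, username, password):
        self.transport, self.cookie = transport, None
        self.token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def request(self, method, url):
        headers = {"X-EMC-CAS-V2": "TRUE", **({"Cookie": self.cookie} if self.cookie else {})}
        resp = self.transport(method, url, headers)
        if resp.status != 401 or not resp.headers.get("WWW-Authenticate", "").startswith("X-EMC-CAS-V2"):
            return resp
        login = urlparse(resp.headers["Location"])
        # Credentials go only to the pinned CAS server over https, never to whatever host the
        # Location header names, so a spoofed 401 cannot collect the Basic token.
        if login.scheme != "https" or login.netloc != CAS_HOST:
            raise RuntimeError(f"refusing to authenticate to {login.netloc}")
        if "Basic" not in self.transport("GET", login.geturl(), {}).headers.get("WWW-Authenticate", ""):
            raise RuntimeError("expected Basic challenge from CAS")
        redirect = self.transport("GET", login.geturl(), {"Authorization": f"Basic {self.token}"})
        if redirect.status != 302:
            raise RuntimeError("CAS login failed")
        established = self.transport("GET", redirect.headers["Location"], {})
        if established.status != 204:
            raise RuntimeError("service rejected ticket")
        self.cookie = established.headers["Set-Cookie"]
        # Now that the user is authenticated, the original request is repeated with the cookie.
        return self.transport(method, url, {**headers, "Cookie": self.cookie})

def run_demo():
    cas = CasServer({"alice": "s3cret"})
    app = ProtectedService(cas)
    def transport(method, url, headers):   # route by host, as DNS would for a real client
        return {CAS_HOST: cas.handle, "app.com": app.handle}[urlparse(url).netloc](method, url, headers)
    browser = transport("GET", SERVICE_URL, {})       # no header: classic 302 to the login page
    client = RestClient(transport, "alice", "s3cret")
    first = client.request("POST", SERVICE_URL)       # the 401 handler drives the whole exchange
    second = client.request("POST", SERVICE_URL)      # session cookie reused, no CAS round trip
    return {"browser_status": browser.status, "first": first,
            "second_status": second.status, "tickets_left": len(cas.tickets)}
```

Calling run_demo() walks the whole exchange: the header-less request gets the classic 302, the client's first POST is turned into the 401 / Basic / 302 / 204 sequence and then repeated to get a 200, the second POST rides on the MOD_AUTH_CAS_S cookie, and the service ticket has been consumed. The host check in RestClient is the one addition worth carrying into a real handler: the 401 tells the client where to authenticate, so the handler must decide for itself which hosts it is willing to send credentials to rather than trusting the Location header.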
PDF contributor: wibert, contributed 2013-08-07

下载需要 3 金币 [金币充值 ]
亲,您也可以通过 分享原创pdf 来获得金币奖励!
下载pdf