...
CAS 2.0 ProxyTickets are ServiceTickets whose GrantingTicket has a Principal that is a service (an authenticated proxy ticket receptor, the one that received the PGT) and which itself has a non-null grantor: the GrantingTicket issued to the previous authenticated service in the chain, or to the end user's web browser.
Chains of authenticated principals
But all we have ever had is chains of authenticated principals. What we've been calling the "user" is merely the principal at the top of the chain, and what we've been calling ServiceTickets are merely the special case where the chain is of size one.
Perhaps an appropriate new representation for a validation response in CAS 3.0 would be something like:
<cas:validationResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:principalChain>
      <cas:principal>awp9</cas:principal>
      <cas:principal>https://portal.yale.edu/CasProxyServlet</cas:principal>
      <cas:principal>https://mail.yale.edu/imap2XmlGateway</cas:principal>
    </cas:principalChain>
  </cas:authenticationSuccess>
</cas:validationResponse>
This representation serves equally well when the top Principal in the chain, the one to which the original GrantingTicket was issued, is a service rather than a user in a web browser:
<cas:validationResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:principalChain>
      <cas:principal>https://portal.yale.edu/CasTicketReceptorServlet</cas:principal>
      <cas:principal>https://portal.yale.edu/tshirtSalesPortlet/CasTicketReceptorServlet</cas:principal>
    </cas:principalChain>
  </cas:authenticationSuccess>
</cas:validationResponse>
It's turtles all the way down.
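Both responses above, as an added example that is not part of the original page or of CAS itself: a Python consumer of the proposed validation response that extracts the principal chain, tells a user-headed chain from a service-headed one, and accepts the ticket only when the proxies after the top principal exactly match a configured allow-list. The element names follow the proposal on this page; the sample responses, the allow-list, the rule that an https:// principal is a service, and the function names are assumptions constructed for the example.

```python
"""Added example (not from the page or the CAS project): parse the proposed
CAS 3.0 principal-chain validation response and decide whether a service
should accept the ticket.  Element names follow the page's proposal; the
sample responses and the allow-list below are constructed for illustration."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CAS_NS = "http://www.yale.edu/tp/cas"


def _cas(tag: str) -> str:
    """Clark-notation name for an element in the CAS namespace."""
    return f"{{{CAS_NS}}}{tag}"


# Constructed sample responses modelled on the two examples on the page.
USER_CHAIN = """<cas:validationResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:principalChain>
      <cas:principal>awp9</cas:principal>
      <cas:principal>https://portal.yale.edu/CasProxyServlet</cas:principal>
      <cas:principal>https://mail.yale.edu/imap2XmlGateway</cas:principal>
    </cas:principalChain>
  </cas:authenticationSuccess>
</cas:validationResponse>"""

SERVICE_CHAIN = """<cas:validationResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:principalChain>
      <cas:principal>https://portal.yale.edu/CasTicketReceptorServlet</cas:principal>
      <cas:principal>https://portal.yale.edu/tshirtSalesPortlet/CasTicketReceptorServlet</cas:principal>
    </cas:principalChain>
  </cas:authenticationSuccess>
</cas:validationResponse>"""

# Hypothetical policy of the validating service: the exact proxy chains
# (everything after the top principal) it is willing to trust.
ALLOWED_PROXY_CHAINS = frozenset({
    ("https://portal.yale.edu/CasProxyServlet",
     "https://mail.yale.edu/imap2XmlGateway"),
})


def parse_principal_chain(xml_text: str) -> list[str]:
    """Return the principals in chain order, top (ticket-granting) principal first.
    Empty list if the response carries no authenticationSuccess/principalChain."""
    root = ET.fromstring(xml_text)
    success = root.find(_cas("authenticationSuccess"))
    if success is None:
        return []
    path = f"{_cas('principalChain')}/{_cas('principal')}"
    return [p.text.strip() for p in success.iterfind(path) if p.text and p.text.strip()]


def is_service_principal(name: str) -> bool:
    """Assumption of this example: services are named by their https:// callback
    URL, as CAS 2.0 proxy callbacks are, while users are bare usernames."""
    return name.startswith("https://")


@dataclass(frozen=True)
class Decision:
    top_principal: str
    top_is_service: bool
    proxies: tuple[str, ...]
    accepted: bool
    reason: str


def evaluate_response(xml_text: str, allowed_chains=ALLOWED_PROXY_CHAINS) -> Decision:
    """Accept a chain of size one (a plain ServiceTicket) unconditionally; accept
    a longer chain only if its proxy tail exactly matches an allowed chain."""
    chain = parse_principal_chain(xml_text)
    if not chain:
        return Decision("", False, (), False, "no principalChain in response")
    top, proxies = chain[0], tuple(chain[1:])
    service = is_service_principal(top)
    if not proxies:
        return Decision(top, service, proxies, True, "direct ServiceTicket, chain of size one")
    if proxies in allowed_chains:
        return Decision(top, service, proxies, True, "proxy chain is in the allow-list")
    return Decision(top, service, proxies, False, f"untrusted proxy chain {proxies!r}")


if __name__ == "__main__":
    for sample in (USER_CHAIN, SERVICE_CHAIN):
        print(evaluate_response(sample))
```

The check matters because any proxy in the chain could mint tickets for every principal that passed through it, so the validating service has to decide which intermediaries it trusts, not merely whether the top principal authenticated. Matching the whole tail rather than each proxy individually also stops a ticket obtained through a trusted proxy from being relayed onward through an untrusted one.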