Hi,

Trying to implement this: people logged into their app (which does not use CAS) click a link in their webapp, which triggers a POST to the CAS /login endpoint with a SAML Assertion in the POST body. My CAS implementation will detect the payload and then follow a different route of validating SAML, etc. (the CAS login page does not show up; instead, we are validating the SAML Assertion). I thought the non-interactive type of login also comes in through the /login endpoint. Because we still want it to go through service validation, TGT/ST generation, etc., it has to go through the CAS login flow.
But we noticed that such a POST made by another webapp to the /cas endpoint fails in FF and Chrome; it works in IE. CAS 5.3.x runs on Tomcat; the access logs show 403, but I do not see anything in the CAS or Tomcat logs (after turning on DEBUG). My guess is there is some kind of CSRF-type protection in CAS preventing such a POST? I placed "executionKey" in the form post; it made no difference, still 403. How would such a non-interactive flow work? If CAS indeed has something preventing such a POST, why does IE work, and what is that?

Thanks,
Yan

On Thursday, January 21, 2021 at 7:09:35 PM UTC-5 richard.frovarp wrote:
> Why are you trying to POST to the login URL? It looks like this isn't
> the POST from the login page? What do the CAS logs say?
>
> On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> > Hello,
> >
> > I am using CAS 5.3.X, but I think the same would apply to CAS4 or
> > CAS5.
> >
> > <form method="POST"
> >       action="https://.....MyCASEndPoint,,,,,,>/cas/login">
> >   <input type="submit" name="submit" value="submit">
> > </form>
> >
> > In the browser, when I submit this form, I get 403.
> >
> > But when I use Postman, it returns the CAS login page.
> >
> > I do not understand why in the browser (FF and Chrome) I am getting 403;
> > is that because of CSRF? (I tried to put in "execution" as a hidden
> > value, but that did not help.)
> >
> > Why does Postman return a different result from Chrome/FF?
> >
> > Thanks,
> > Yan

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a1704227-b04a-48c0-9fbb-ce9fe7ca1ccdn%40apereo.org.
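Added diagnostic example for the browser-versus-Postman question above (written for this edit; it is not code from the thread, from CAS, or from the Apereo project). Instead of guessing at the 403 from the access log alone, stand a small listener in for /cas/login, point the posting webapp's form at it, and compare what each client actually sends. Chromium and Firefox attach an Origin header (and Sec-Fetch-Site: cross-site) to a cross-site form POST; older IE, Postman and curl send neither unless told to, which is exactly the kind of difference a server-side origin or CSRF check acts on. The hostnames webapp.example.org and cas.example.org, the port, and the verdict labels are assumptions made for the example; the self-check posts to the listener from the script itself, once browser-style and once Postman-style, so it runs offline.

```python
"""Capture listener for diagnosing a 403 on a cross-site form POST to a CAS login URL.

Run it, then change the webapp form's action to http://127.0.0.1:8080/cas/login
and submit from Firefox, Chrome, IE and Postman in turn.  Each request is
answered with a JSON verdict and kept in CAPTURED for comparison.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

CAPTURED = []  # (path, {header: value}, body) for every POST received

# Hypothetical origins for the example; replace with your real CAS / webapp origins.
CAS_ORIGIN = "https://cas.example.org"
WEBAPP_ORIGIN = "https://webapp.example.org"


def classify_post(headers, cas_origin):
    """Label a POST by the request metadata a same-origin/CSRF check would consult.

    Chromium and Firefox add Origin (and Sec-Fetch-Site) to a cross-site form POST;
    older IE, Postman and curl send neither unless instructed to.  `headers` may be
    a plain dict with canonical names or the case-insensitive message object that
    http.server hands a handler.
    """
    origin = headers.get("Origin")
    fetch_site = headers.get("Sec-Fetch-Site")
    if origin is None and fetch_site is None:
        return "no-origin-metadata"          # IE / Postman / curl style
    if fetch_site == "cross-site" or (origin is not None and origin != cas_origin):
        return "cross-site-post"             # what Firefox/Chrome send from the webapp
    return "same-origin-post"                # e.g. the CAS login page posting to itself


class CaptureHandler(BaseHTTPRequestHandler):
    cas_origin = CAS_ORIGIN

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        CAPTURED.append((self.path, dict(self.headers.items()), body))
        verdict = classify_post(self.headers, self.cas_origin)
        payload = json.dumps({
            "path": self.path,
            "verdict": verdict,
            "origin": self.headers.get("Origin"),
            "referer": self.headers.get("Referer"),
            "sec_fetch_site": self.headers.get("Sec-Fetch-Site"),
        }).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        # One line per request with the verdict; quieter than the default log.
        print("%s %s -> %s" % (self.command, self.path,
                               classify_post(self.headers, self.cas_origin)))


def start_capture_server(port=0):
    """Bind 127.0.0.1:port (0 = ephemeral) and serve in a daemon thread."""
    server = HTTPServer(("127.0.0.1", port), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def self_check():
    """Post twice to a throwaway listener, browser-style then Postman-style.

    Returns the two verdicts, which should differ even though the form body
    (constructed here, mirroring the thread's submit-only form) is identical.
    """
    server = start_capture_server()
    url = "http://127.0.0.1:%d/cas/login" % server.server_port
    body = b"submit=submit"
    browser_like = {"Origin": WEBAPP_ORIGIN, "Sec-Fetch-Site": "cross-site"}
    postman_like = {}
    verdicts = []
    try:
        for extra in (browser_like, postman_like):
            req = Request(url, data=body, method="POST")
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
            for name, value in extra.items():
                req.add_header(name, value)
            with urlopen(req) as resp:
                verdicts.append(json.load(resp)["verdict"])
    finally:
        server.shutdown()
        server.server_close()
    return verdicts


if __name__ == "__main__":
    print("self-check:", self_check())
    srv = start_capture_server(8080)
    print("listening on http://127.0.0.1:%d/cas/login  (Ctrl-C to stop)" % srv.server_port)
    threading.Event().wait()
```

Once the listener shows which clients carry an Origin header, the next step is to repeat the real POST to CAS with curl twice, once with `-H "Origin: https://webapp.example.org"` and once without; if only the first returns 403, the rejection is keyed on request origin rather than on the body, and an "execution" or "executionKey" field cannot help.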
