Hi, We currently have a web application that uses version 2.0.12 of the CAS server integrated with version 2.4.2 of uPortal. When I go to the home page for this application, it redirects me to the CAS login page:
https://www.mycompany.com/cas/login?service=http://www.mycompany.com/myapp If I view the source for the login page and extract the value of the hidden variable "lt" from it, I can then authenticate a test user against the CAS server with the following URL: https://www.mycompany.com/cas/login?service=http://www.mycompany.com/myapp&username=test&password=test<=LT-XXXXXXX We are re-engineering this web application to be a Spring-based application that authenticates using the latest version of CAS (we're currently testing with 3.3.5). As a proof-of-concept, I downloaded, built, and deployed the cas-sample application that comes with the source code for Spring Security (3.0.0.RELEASE). I deployed both the CAS server (3.3.5) and the cas-sample application within Tomcat and was able to successfully authenticate a test user against the CAS server via the CAS login form. I then wanted to verify that I could authenticate the test user against the CAS server using the same process I mentioned above for the current/legacy web application. That is, I went to the home page of the cas-sample application, clicked on the "Secure page" link, and was redirected to the CAS login page. I then viewed the source for the login page and extracted the value of the hidden variable "lt", which no longer starts with "LT-". Its value now is something like this: _c6960A3E2-AF72-0779-1638-E3B7FF771938_kE2D5CF84-DCE0-A7DC-D1D5-FBBD73E409B4. At this point, I tried to go to the URL listed below thinking it would authenticate the test user against the CAS server (like it did with the current/legacy web application), but it simply redisplayed the login page: https://www.mycompany.com/cas/login?service=https%3A%2F%2Fwww.mycompany.com%2Fcas-sample%2Fj_spring_cas_security_check&username=test&password=test<=_c6960A3E2-AF72-0779-1638-E3B7FF771938_kE2D5CF84-DCE0-A7DC-D1D5-FBBD73E409B4 These are the lines written to the log file: 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' beginning execution 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Executing setupForm 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - No property editor registrar set, no custom editors to register 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' completed execution; result is 'success' 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' beginning execution 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' completed execution; result is 'success' Should I have been able to authenticate the test user this way? Is the problem that CAS now requires the username, password, and lt parameters to be passed via POST instead of GET? What I am doing wrong? Any help will be greatly appreciated. Thanks, Pat -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
