Is the username the student's username?

If it's just some made up value, I'd recommend instead of doing the POST,
writing a NonInteractiveCredentialAction and passing a token as a request
parameter that can be read (kind of like the SPNEGO and X.509 support) and
parsed by a custom Authentication Handler and CredentialsToPrincipalResolver.

You could do the same thing even if the username was involved.

You should note though that if they already have a session established,
doing the POST or the redirect with the token won't result in that token
being used.  The session takes precedence.


On Sun, Aug 29, 2010 at 4:58 PM, Andrew Wang <[email protected]> wrote:

> Hi ... the password hidden field would hold a generated hash that no user
> knows. The hash would be different each visit and would not be valid after
> a period of time.  But it grants the student access to our site.
>
> The page the student gets to that renders the button with the hash is part
> of a password protected site that's using a different student account
> mechanism.  The main campus that hosts the site is not willing to use CAS.
>  But we are CASified.  The wonders of decentralized departments.
>
> So:
> A student logs into Site A with their credentials.
> The student browses to a page to complete a declaration.  Once the
> declaration is done, they must visit Site B.
> Site A is hosted at the main campus with a homegrown authentication
> mechanism.
> Site B is hosted at a satellite campus that has CASified a bunch of web
> apps for students to use.
>
> The nice to have is that the student will not have to log in again to visit
> Site B, as it's a requirement of the student to visit the site once the
> original declaration is done.
>
> So I was thinking of the idea below ... but am open to any other
> suggestions.
>
> Thanks,
> Andrew
>
> ________________________________________
> From: Scott Battaglia [[email protected]]
> Sent: Sunday, August 29, 2010 12:59 PM
> To: [email protected]
> Subject: Re: [cas-user] Alternative authenticating
>
> Why would you want to do that?  What's your use case?
>
> We tend not to encourage you to put passwords in HTML pages.
>
>
> On Fri, Aug 27, 2010 at 2:47 PM, Andrew Wang <[email protected]> wrote:
> Hi ... I was wondering if it was possible to have a remote site with:
>
> <form action="https://cas.server.com/cas/login" method="post">
> <input type="hidden" name="username" value="SomeUserName"/>
> <input type="hidden" name="password" value="SomeBigGeneratedHash"/>
> <input type="submit" value="Let me in"/>
> </form>
>
> I've added an Authentication handler that takes "SomeBigGeneratedHash" and
> the username ... does some checking and lets the user in if things are ok.
>
> I noticed 2 hidden tags on the cas login page
> <input type="hidden" name="lt" value="e3s1" />
> <input type="hidden" name="_eventId" value="submit" />
>
> But I can't figure out how/what lt and _eventId are used.  Any pointers on
> whether this is possible or what I am missing is greatly appreciated.
>
> Our apps are casified (which is great btw) but right now, casifying the
> remote site is not possible.
>
> Thanks,
> Andrew
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user


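The time-limited, per-visit hash token Andrew describes, together with the checks a custom authentication handler on the CAS side would have to make on it, as an added example that is not part of this thread or of CAS itself: Site A mints an HMAC-signed token over the username, an expiry and a random nonce; Site B verifies the signature in constant time, rejects expired tokens, and refuses a nonce it has already accepted so a captured token cannot be replayed. The shared secret, the TTL and the token layout are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed for the example: Site A and Site B would share this out of band.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 120


def mint_token(username, now=None, secret=SHARED_SECRET):
    """Site A: bind the username to an expiry and a fresh nonce, then sign it."""
    now = time.time() if now is None else now
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode()
    payload = {"sub": username, "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": nonce}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


class TokenVerifier:
    """Site B: the checks the custom authentication handler makes before resolving a principal."""

    def __init__(self, secret=SHARED_SECRET):
        self._secret = secret
        self._seen = {}  # nonce -> exp, so a captured token cannot be presented twice

    def verify(self, token, now=None):
        """Return the username the token vouches for, or None if it must be refused."""
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        payload = json.loads(body)  # only trusted once the signature checks out
        if payload["exp"] < now:
            return None  # the hash "would not be valid after a period of time"
        # Forget nonces whose tokens have expired anyway, then enforce single use.
        self._seen = {n: e for n, e in self._seen.items() if e >= now}
        if payload["nonce"] in self._seen:
            return None
        self._seen[payload["nonce"]] = payload["exp"]
        return payload["sub"]
```

Whatever carries the token (hidden form field or request parameter), it only stands in for the user's password if the verifier is the one doing these checks; the session precedence noted above still applies.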