Christian,

The typical recommendation is to generate a unique token and store that
somewhere (i.e. a database along with the associated principal) and have a
non-interactive CAS authentication handler read that value and return the
principal.  This has been asked enough times that we should probably
consider adding something.

Cheers,
Scott



On Wed, May 1, 2013 at 3:42 PM, Christian Romney <[email protected]> wrote:

> Hi all,
>
> I've been searching for information regarding a fairly typical web
> application pattern: account creation with automatic login. I've found one
> page on the wiki (
> https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen)
> that looks relevant, but seems somewhat "experimental". Is there a
> consensus best practice for doing this?
>
> For clarity, I have a Spring application (using Spring Security 3.2) that
> I have configured to use CAS. The normal "intercept a protected URL"
> pattern works. But in this application, I can create a new user account.
> Ideally, I would like to present a "success" page after the account has
> been created and have the user be logged in at that point. The typical CAS
> workflow, however, relies on the user performing direct input of the
> password, since it's usually undesirable to have applications handle the
> password. However, at least one application must handle account creation so
> this should be a fairly standard exception.
>
> Any pointers, ideas, flames, etc. would be much appreciated.
>
> TIA
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
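
The token approach described in the reply above, as an added example that is not part of the thread and is not CAS or Spring Security code. The class and method names, the in-memory map standing in for the shared database, the 60-second lifetime and the sample principal are assumptions; single use, expiry and storing only a hash of the token go beyond what the reply states. Needs Java 16 or later for `record`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical one-time login token store; the map stands in for the database. */
public class OneTimeLoginTokens {
    private record Grant(String principal, Instant expires) {}
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Grant> byHash = new ConcurrentHashMap<>();
    private final Duration ttl;
    public OneTimeLoginTokens(Duration ttl) { this.ttl = ttl; }

    /** Called by the account-creation application once the new user is saved. */
    public String issue(String principal) {
        byte[] raw = new byte[32];                  // 256 random bits, not guessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(sha256(token), new Grant(principal, Instant.now().plus(ttl)));
        return token;                               // only the hash is kept at rest
    }

    /** Called by the non-interactive handler; yields the principal at most once. */
    public Optional<String> redeem(String token) {
        if (token == null || token.isEmpty()) return Optional.empty();
        Grant g = byHash.remove(sha256(token));     // atomic remove enforces single use
        if (g == null || Instant.now().isAfter(g.expires())) return Optional.empty();
        return Optional.of(g.principal());
    }

    private static String sha256(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);    // SHA-256 is mandatory on every JVM
        }
    }

    public static void main(String[] args) {
        OneTimeLoginTokens store = new OneTimeLoginTokens(Duration.ofSeconds(60));
        String token = store.issue("new.user@example.org"); // constructed sample principal
        System.out.println(store.redeem(token));    // first redemption
        System.out.println(store.redeem(token));    // same token presented again
    }
}
```

A handler that gets an empty result from `redeem` should decline to authenticate so the normal login form still applies; tokens that are never redeemed also need a periodic purge in a real database.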
