It seems this is to increase security and avoid CSRF attacks. It forces
any application to submit the credentials by the POST method to the CAS server
app.

See my comment in the CAS wiki.

If you need to avoid that behaviour, for example to submit via ajax, you
should create a non-interactive authentication action
(org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction) like
SPNEGO, X509 certificates or remote trusted client do, and modify
the login-webflow to handle your behaviour.

I hope that this helps you!!


2013/11/8 Michael Wechner <[email protected]>

> Hi
>
> I am still working on generating the login screen by the content
> management system instead of CAS,
> whereas I have read
>
> https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
>
> I understand that one wants to prevent credentials from being sent to
> the content management system,
> but having the action pointing to the CAS Server directly
>
> <form action="https://127.0.0.1:7070/cas-server-webapp-3.5.2/login"
> method="POST">
>
> does not seem to me like a security violation.
>
> But of course this does not work because of the required Login Ticket.
>
> I have been reading
>
> http://www.jasig.org/cas/protocol
>
> but I still don't really understand what's the purpose of the Login Ticket.
> Does somebody have some more hints on this?
>
> I am currently considering disabling the login ticket validation inside
>
> cas-server-3.5.2/cas-server-core/src/main/java/org/jasig/cas/web/flow/
> AuthenticationViaFormAction.java
>
> but I guess this is not really considered best practice :-)
>
> Thanks
>
> Michael
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>

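To make the reply's point concrete, here is an added illustration (not CAS code, and not from either poster) of what a one-time login ticket buys the server: the ticket is minted only when the CAS server itself renders the login form, is bound to the session that received it, and is consumed on first use. A form hosted elsewhere that posts straight to /login, like the CMS form in the quoted message, never obtained one and is refused before the credentials are even looked at. The `LoginTicketRegistry` class, the session ids and the sample account are constructed for this example.

```python
import hmac
import secrets


class LoginTicketRegistry:
    """Issues one-time login tickets bound to the session that rendered the
    login form. Constructed illustration of the idea behind the CAS 'lt'
    form field, not the CAS server's own implementation."""

    def __init__(self):
        self._tickets = {}  # ticket -> session id the ticket was issued to
        self._counter = 0

    def issue(self, session_id):
        self._counter += 1
        ticket = f"LT-{self._counter}-{secrets.token_urlsafe(16)}"
        self._tickets[ticket] = session_id
        return ticket

    def validate(self, session_id, ticket):
        # pop() consumes the ticket: a second submission with the same LT fails
        owner = self._tickets.pop(ticket, None)
        if owner is None:
            return False
        # the ticket must be spent by the session that received it
        return hmac.compare_digest(owner, session_id)


USERS = {"alice": "correct horse"}  # constructed sample account


def render_login_form(registry, session_id):
    """GET /login: the server renders its own form with a fresh LT embedded."""
    return {"lt": registry.issue(session_id), "_eventId": "submit"}


def handle_login_post(registry, users, session_id, form):
    """POST /login: refuse before touching credentials unless the LT checks out."""
    ticket = form.get("lt")
    if not ticket:
        return "rejected: missing login ticket"
    if not registry.validate(session_id, ticket):
        return "rejected: invalid or already-used login ticket"
    if users.get(form.get("username")) != form.get("password"):
        return "rejected: bad credentials"
    return "authenticated"


def scenario_cas_form():
    """Normal flow: fetch the CAS form, post it back once, then replay it."""
    reg = LoginTicketRegistry()
    form = render_login_form(reg, "sess-A")
    form.update(username="alice", password="correct horse")
    first = handle_login_post(reg, USERS, "sess-A", form)
    replay = handle_login_post(reg, USERS, "sess-A", form)  # same LT again
    return first, replay


def scenario_external_form():
    """A form hosted on another site posting directly to /login, as in the
    CMS setup from the thread: it never obtained an LT, so it is refused."""
    reg = LoginTicketRegistry()
    form = {"username": "alice", "password": "correct horse"}
    return handle_login_post(reg, USERS, "sess-A", form)


def scenario_cross_session_ticket():
    """An LT issued to one session cannot be spent from another session."""
    reg = LoginTicketRegistry()
    lt = render_login_form(reg, "sess-A")["lt"]
    form = {"lt": lt, "username": "alice", "password": "correct horse"}
    return handle_login_post(reg, USERS, "sess-B", form)


if __name__ == "__main__":
    print("CAS-rendered form, then replay:", scenario_cas_form())
    print("external form without LT:     ", scenario_external_form())
    print("LT from another session:      ", scenario_cross_session_ticket())
```

The three scenarios show why simply removing the LT check in AuthenticationViaFormAction is the wrong fix: the ticket is what ties the credential POST to a form the CAS server rendered for that session, and what stops the same submission from being replayed. The reply's suggestion of a non-interactive credentials action keeps that protection for the interactive form while giving the CMS a separate entry point.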
