What CAS really needs is the true, stateless JWT implementation - that would solve the problem of authentication for RESTful resources once and for all, but that's a discussion for another day :-)
Cheers,
D.

Sent from my iPhone

> On Aug 21, 2015, at 18:42, Carl Waldbieser <[email protected]> wrote:
>
> In that email thread, the issue is that the browser initially has no session
> with the proxy protecting the resource. When the proxy redirects the user to
> the CAS service using a GET, the initial POST data is lost.
>
> If this is analogous to what is happening in the original poster's case, the
> way to get around it is to make 2 requests. The first to a GETable resource.
> This establishes an authenticated session with the service by doing the CAS
> dance. The second request would need to use the session cookie from the
> first request when it made the POST and CAS would get out of the way.
>
> Strictly speaking, that is not a RESTful API. It would make more sense for a
> RESTful API to hand out an access token in response to a GET for a valid CAS
> service ticket. The access token could then be used to authenticate to the
> rest of the API without having to monkey around with cookies and sessions.
>
> Thanks,
> Carl Waldbieser
>
>> On Aug 21, 2015 6:03 PM, "Andrew Morgan" <[email protected]> wrote:
>> Have a look at this email thread:
>>
>> https://groups.google.com/forum/#!topic/jasig-cas-user/if0SQ0gUbp8
>>
>> It's an old problem.
>>
>> I'm not sure how CAS JASPIC works, but I've seen the Java cas client in
>> action. It seems to consume the ST, validate the ST, then redirect the
>> client to the original resource. Like this:
>>
>> GET /foo?ST=12345
>> (processing happens to validate the ST)
>> RESPONSE: 302 REDIRECT /foo
>> GET /foo
>>
>>
>> When the redirect happens, the POST data is lost.
>>
>> It might work if you switched from POST to GET.
>>
>> You can read about some options and recommendations in the email thread
>> above.
>>
>> Andy
>>
>> On Fri, 21 Aug 2015, Mahantesh Prasad Katti wrote:
>>
>>>
>>> Has anybody run into this problem? Do you think I need to explain this
>>> problem better or provide additional info?
>>>
>>> Regards
>>> Prasad
>>>
>>> From: Mahantesh Prasad Katti
>>> Sent: Friday, August 21, 2015 2:39 PM
>>> To: [email protected]
>>> Subject: [cas-user] problem with POST requests
>>>
>>> Hi,
>>>
>>> We have a casified java application. This application exposes a bunch of
>>> REST APIs. When accessing POST APIs from another application by explicitly
>>> obtaining the service ticket and appending it to the target URL, the calls
>>> are failing. Apparently, after the ticket validation happens
>>> successfully, the POST body data gets lost and the service call fails
>>> because of that. Do we need to modify the server auth module to handle this
>>> scenario? Note that this happens for POST calls only. The get calls work
>>> just fine.
>>>
>>> We are using the CAS JASPIC jar available from google groups. Any help is
>>> appreciated.
>>>
>>> Regards
>>> Prasad

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
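
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not CAS or CAS client code: an in-memory model of a ticket-consuming filter that answers with a 302, showing why a POST carrying the service ticket loses its body and why the GET-then-POST sequence works. The `service`, `send`, `post_with_ticket` and `get_then_post` names, the `/foo` handler behaviour and the ticket values are all assumptions constructed for illustration; `ticket` is the CAS protocol's query parameter name.

```python
# Added illustration: in-memory model of a CAS-protected service (all names hypothetical).
import secrets

VALID_TICKETS = {"ST-constructed-1", "ST-constructed-2"}  # constructed sample tickets
SESSIONS = set()

def service(method, path, query=None, body=None, cookies=None):
    """Mimics the filter described in the thread: consume the ticket, then 302."""
    query, cookies = query or {}, cookies or {}
    if "ticket" in query:
        if query["ticket"] not in VALID_TICKETS:
            return 401, {}, "invalid ticket"
        VALID_TICKETS.discard(query["ticket"])  # service tickets are single-use
        sid = secrets.token_hex(16)
        SESSIONS.add(sid)
        # Redirect to the clean URL; a redirect response carries no request body.
        return 302, {"Location": path, "Set-Cookie": sid}, ""
    if cookies.get("session") not in SESSIONS:
        return 401, {}, "no session"
    if method == "POST":
        return (200, {}, f"stored:{body}") if body else (400, {}, "empty body")
    return 200, {}, "ok"

def send(method, path, query=None, body=None, cookies=None):
    """Client that follows a 302 as most HTTP clients do: re-request with GET, no body."""
    cookies = dict(cookies or {})
    status, headers, text = service(method, path, query, body, cookies)
    if status == 302:
        cookies["session"] = headers["Set-Cookie"]
        status, headers, text = service("GET", headers["Location"], None, None, cookies)
    return status, text, cookies

def post_with_ticket(ticket, payload):
    """Pattern from the original question: ticket appended to the POST URL."""
    return send("POST", "/foo", {"ticket": ticket}, payload)[:2]

def get_then_post(ticket, payload):
    """Two-request workaround: GET establishes the session, POST reuses its cookie."""
    status, _, cookies = send("GET", "/foo", {"ticket": ticket})
    if status != 200:
        return status, "login failed"
    return send("POST", "/foo", None, payload, cookies)[:2]

if __name__ == "__main__":
    print(post_with_ticket("ST-constructed-1", '{"name": "x"}'))  # payload never stored
    print(get_then_post("ST-constructed-2", '{"name": "x"}'))     # payload stored
```

In this model the first call comes back as a plain GET response, so the payload is dropped without an error; a real POST-only endpoint would reject the redirected GET instead.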
