Thanks for the pointers. Finally what we did was invoke a GET service [which does not do any heavy duty work]. This sends back the session cookie in the response. The POST call is then called by setting the JSESSIONID cookie in the request. This seems to work fine for now.
Regards, Prasad From: Dmitriy Kopylenko [mailto:[email protected]] Sent: Saturday, August 22, 2015 4:13 PM To: [email protected] Subject: Re: [cas-user] problem with POST requests What CAS really needs is the true, stateless JWT implementation - that would solve the problem of authentication for RESTful resources once and for all, but that's a discussion for another day :-) Cheers, D. Sent from my iPhone On Aug 21, 2015, at 18:42, Carl Waldbieser <[email protected]<mailto:[email protected]>> wrote: In that email thread, the issue is that the browser initially has no session with the proxy protecting the resouce. When the proxy redirects the user to the CAS service using a GET, the initial POST data is lost. If this is analogous to what is happening in the original poster's case, the way to get around it is to make 2 requests. The first to a GETable resource. This establishes an authenticated session with the service by doing the CAS dance. The second request would need to use the session cookie from the first request when it made the POST and CAS would get out of the way. Strictly speaking, that is not a RESTful API. It would make more sense for a RESTful API to hand out an access token in response to a GET for a valid CAS service ticket. The access token could then be used to authenticate to the rest of the API without having to monkey around with cookies and sessions. Thanks, Carl Waldbieser On Aug 21, 2015 6:03 PM, "Andrew Morgan" <[email protected]<mailto:[email protected]>> wrote: Have a look at this email thread: https://groups.google.com/forum/#!topic/jasig-cas-user/if0SQ0gUbp8 It's an old problem. I'm not sure how CAS JASPIC works, but I've seen the Java cas client in action. It seems to consume the ST, validate the ST, then redirect the client to the original resource. Like this: GET /foo?ST=12345 (processing happens to validate the ST) RESPONSE: 302 REDIRECT /foo GET /foo When the redirect happens, the POST data is lost. It might work if you switched from POST to GET. You can read about some options and recommendations in the email thread above. Andy On Fri, 21 Aug 2015, Mahantesh Prasad Katti wrote: Has anybody run into this problem? Do you think i need to explain this problem better or provide additional info? Regards Prasad From: Mahantesh Prasad Katti Sent: Friday, August 21, 2015 2:39 PM To: [email protected]<mailto:[email protected]> Subject: [cas-user] problem with POST requests Hi , We have a casified java application. This application exposes a bunch of REST apis. When accessing POST APIs from another application by explicitly obtaining the service ticket and appending it to the target URL, the calls are failing. Apparently, the after the ticket validation happens successfully, the POST body data gets lost and the service call fails because of that. Do we need to modify the server auth module to handle this scenario? Note that this happens for POST calls only. The get calls work just fine. We are using the CAS JASPIC jar available from google groups. Any help is appreciated. Regards Prasad -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected]<mailto:[email protected]> as: [email protected]<mailto:[email protected]> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
