I believe we've answered multiple times that it is NOT recommended to capture user credentials and submit them and then create a CAS session for the user. CAS is the only thing that should be creating a CAS session for the user. It's a security risk for anyone to have the TGT other than the user and the CAS server. We go to great lengths to NOT allow it.

While you may feel that is a use case that cannot be overlooked, it's in fact a use case we purposely don't do. Are there ways around it? Sure. Previous discussions have talked about embedding the login page in a form using something like an IFRAME, which still allows CAS to handle the credentials (similar to what Google Accounts does).

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Tue, Jan 20, 2009 at 5:21 PM, Keith Garry Boyce <[email protected]> wrote:
> Again. I'd appreciate an answer on this please.
>
> -----Original Message-----
> From: Keith Garry Boyce <[email protected]>
> Sent: Saturday, January 17, 2009 8:07 AM
> To: 'Yale CAS mailing list' <[email protected]>
> Subject: RE: CAS without CAS login page using restful api and modified login-webflow.xml
>
> Anyone?
>
> > _____________________________________________
> > From: [email protected] [mailto:[email protected]] On Behalf Of Keith Garry Boyce
> > Sent: Friday, January 16, 2009 9:53 AM
> > To: [email protected]
> > Subject: CAS without CAS login page using restful api and modified login-webflow.xml
> >
> > I wanted to code a JSF application where the login page is a JSF page rather than a CAS page. I see this as a use case that cannot be overlooked in present day application development.
> >
> > I understand that it is discouraged to present credentials to an application, but an application's security model shouldn't have to be custom for every security solution plugged in.
> >
> > In my case I'm using spring security as the mechanism to glue the security stuff together. If I switch from plain security to CAS security it seems that all documentation points to me doing custom things for the login page such as iframe etc.
> >
> > So here's what I've come up with. I'd appreciate feedback on this solution:
> >
> > In login-webflow.xml I made it so if ticketGrantingTicketId is passed as a parameter on the /cas/login URL then the Service cookie can be issued directly using the ticketGrantingTicketId. In my case I get the ticketGrantingTicketId using the CAS restful api.
> >
> > <action-state id="initialFlowSetup">
> >     <action bean="initialFlowSetupAction" />
> >     <!-- garpinc replace -->
> >     <!--
> >     <transition on="success" to="ticketGrantingTicketExistsCheck" />
> >     -->
> >     <!-- garpinc with -->
> >     <transition on="success" to="ticketGrantingTicketIdExistsCheck" />
> >     <!-- garpinc end replace -->
> > </action-state>
> >
> > <!-- added by garpinc -->
> > <decision-state id="ticketGrantingTicketIdExistsCheck">
> >     <if test="${requestParameters.ticketGrantingTicketId == null}" then="ticketGrantingTicketExistsCheck" else="populateFromRequestParams" />
> > </decision-state>
> >
> > <action-state id="populateFromRequestParams">
> >     <set attribute="ticketGranti
> > [The entire original message is not included]
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
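A defender's companion to Scott's point above, as an added example (not code from the thread, from CAS or from Spring Security): passing a ticketGrantingTicketId on the /cas/login URL, as the quoted webflow change would require, writes the TGT into web-server access logs and into the Referer header of the next request. This Python scan (log lines constructed; hostnames, IPs and ticket values are made up) reports every request or Referer URL that carries a TGT and masks the value so the report itself does not copy the secret.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not from the thread.
# Line 2 carries a TGT as a /cas/login query parameter; line 4 shows the same
# kind of URL leaking a TGT through the Referer header of a later request.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2009:17:21:03 -0500] "GET /cas/login?service=https%3A%2F%2Fapp.example.org%2Fj_spring_cas_security_check HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Jan/2009:17:21:09 -0500] "GET /cas/login?service=https%3A%2F%2Fapp.example.org%2F&ticketGrantingTicketId=TGT-12-abcdefghijklmnop-cas01 HTTP/1.1" 302 0 "-" "Java/1.6"
10.0.0.7 - - [20/Jan/2009:17:21:10 -0500] "POST /cas/v1/tickets HTTP/1.1" 201 0 "-" "Java/1.6"
10.0.0.9 - - [20/Jan/2009:17:22:41 -0500] "GET /app/home?ticket=ST-5-xyz-cas01 HTTP/1.1" 200 512 "https://cas.example.org/cas/login?ticketGrantingTicketId=TGT-13-qrstuv-cas01" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method url proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# CAS ticket-granting ticket identifiers start with "TGT-".
TGT_RE = re.compile(r"TGT-[A-Za-z0-9._-]+")

def mask_ticket(ticket):
    """Keep only the prefix so the finding does not reproduce the secret."""
    return ticket[:7] + "..."

def tgt_in_url(url):
    """Return a TGT carried in the URL (named parameter or bare pattern), else None."""
    qs = parse_qs(urlsplit(url).query)
    if "ticketGrantingTicketId" in qs:
        return qs["ticketGrantingTicketId"][0]
    m = TGT_RE.search(url)
    return m.group(0) if m else None

def find_tgt_exposures(log_text):
    """Scan access-log lines; report every request URL or Referer that carries a TGT."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for where in ("url", "referer"):
            tgt = tgt_in_url(m.group(where))
            if tgt:
                findings.append({"line": lineno, "ip": m.group("ip"),
                                 "where": where, "ticket": mask_ticket(tgt)})
    return findings

if __name__ == "__main__":
    for finding in find_tgt_exposures(SAMPLE_LOG):
        print(finding)
```

The legitimate REST call on line 3 (POST /cas/v1/tickets, where the TGT travels in the response body rather than the URL) is not flagged; only URLs that expose a TGT are.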
