Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-22 Thread 'Richard Frovarp' via CAS Community
So you want to turn CAS into a SAML 2 SP? You'll need to follow this
documentation:

https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html

On Thu, 2021-01-21 at 17:09 -0800, Yan Zhou wrote:
> Hi, 
> 
> I am trying to implement this: people are logged into their app (which does
> not use CAS); they click a link in that webapp, which triggers a POST to the
> CAS /login endpoint with a SAML Assertion in the POST body. My CAS
> implementation will detect the payload and then follow a different
> route of validating the SAML, etc. (the CAS login page does not show up;
> instead, we are validating the SAML Assertion). I thought the
> non-interactive type of login also comes in through the /login endpoint.
> Because we still want it to go through service validation, TGT/ST
> generation, etc., it has to go through the CAS login flow.
> 
> But we noticed that such a POST made by another webapp to the /cas endpoint
> fails in FF and Chrome; it works in IE.
> 
> CAS 5.3.x runs on Tomcat; the access logs show 403, but I do not see
> anything in the CAS or Tomcat logs (after turning on DEBUG). My guess is
> there is some kind of CSRF-type protection in CAS preventing such a
> post? I placed "executionKey" in the form post; it made no difference,
> still 403.
> 
> How would such a non-interactive flow work? If CAS indeed has
> something preventing such a POST, why does IE work, and what is that?
> 
> Thanks,
> Yan
> 
> On Thursday, January 21, 2021 at 7:09:35 PM UTC-5 richard.frovarp
> wrote:
> > Why are you trying to POST to the login URL? It looks like this
> > isn't the POST from the login page? What do the CAS logs say?
> > 
> > On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote: 
> > > Hello, 
> > > 
> > > I am using CAS 5.3.X, but I think the same would apply to CAS 4
> > > or CAS 5.
> > > 
> > > <form method="post" action="https://<MyCASEndPoint>/cas/login">
> > > 
> > > 
> > > In the browser, when I submit this form, I get 403.
> > > 
> > > But when I use Postman, it returns the CAS login page.
> > > 
> > > I do not understand why in the browser (FF and Chrome) I am getting
> > > 403; is that because of CSRF? I tried to put in "execution" as a
> > > hidden value, but that did not help.
> > > 
> > > Why does Postman return a different result than Chrome/FF?
> > > 
> > > Thanks, 
> > > Yan 

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b96028c548f64cb999893535a69aff01b7b5aa0d.camel%40ndsu.edu.
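As an added illustration of the delegated-authentication route Richard points to (not code from this thread or from the CAS project), here is a CAS 5.3-style properties fragment that registers an external SAML 2 IdP so that CAS itself is the SP: CAS issues the AuthnRequest and validates the returned assertion (signature, issuer, lifetime) at the callback it advertises in its own SP metadata, rather than accepting an assertion that a third-party webapp POSTs at /cas/login. Property names are as I recall them from the 5.3.x configuration documentation and should be checked against the linked page; all paths, entity IDs, passwords and the client name are placeholders.

```properties
# Added example, not from the thread or the CAS project.
# Assumes the cas-server-support-pac4j-webflow module is in the overlay.
# Every value below is a placeholder; verify property names against the docs.

# Keystore CAS uses to sign its AuthnRequests and decrypt encrypted assertions.
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].keystorePassword=CHANGEME-keystore-password
cas.authn.pac4j.saml[0].privateKeyPassword=CHANGEME-key-password

# CAS acting as the SAML 2 Service Provider: its entity ID and the SP
# metadata it generates (this is what you hand to the IdP operator).
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://cas.example.org/cas/sp
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml

# Metadata of the external IdP that actually authenticates the user.
# Its signing certificate is the trust anchor CAS uses to validate assertions,
# so no assertion from an unknown signer is ever accepted.
cas.authn.pac4j.saml[0].identityProviderMetadataPath=/etc/cas/config/idp-metadata.xml

# Name of the delegated client; it is shown as a link on the CAS login page
# and identifies the callback CAS expects the SAMLResponse to come back to.
cas.authn.pac4j.saml[0].clientName=ExternalSamlIdP

# Validation hardening for the assertion CAS receives back from the IdP:
# require signed assertions, cap the accepted authentication age (seconds),
# and pin the binding the IdP must use to deliver the response.
cas.authn.pac4j.saml[0].wantsAssertionsSigned=true
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=3600
cas.authn.pac4j.saml[0].destinationBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
```

Once the external IdP is registered this way, the user's own app simply redirects to CAS (or lets CAS redirect to the IdP), and the normal service validation and TGT/ST issuance happen on the CAS side after CAS has verified the assertion itself.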


Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread Yan Zhou
Hi, 

I am trying to implement this: people are logged into their app (which does not
use CAS); they click a link in that webapp, which triggers a POST to the CAS
/login endpoint with a SAML Assertion in the POST body. My CAS implementation
will detect the payload and then follow a different route of validating the
SAML, etc. (the CAS login page does not show up; instead, we are validating the
SAML Assertion). I thought the non-interactive type of login also comes
in through the /login endpoint. Because we still want it to go through
service validation, TGT/ST generation, etc., it has to go through the CAS
login flow.

But we noticed that such a POST made by another webapp to the /cas endpoint fails
in FF and Chrome; it works in IE.

CAS 5.3.x runs on Tomcat; the access logs show 403, but I do not see
anything in the CAS or Tomcat logs (after turning on DEBUG). My guess is there is
some kind of CSRF-type protection in CAS preventing such a post? I placed
"executionKey" in the form post; it made no difference, still 403.

How would such a non-interactive flow work? If CAS indeed has something
preventing such a POST, why does IE work, and what is that?

Thanks,
Yan

On Thursday, January 21, 2021 at 7:09:35 PM UTC-5 richard.frovarp wrote:

> Why are you trying to POST to the login URL? It looks like this isn't
> the POST from the login page? What do the CAS logs say?
>
> On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> > Hello, 
> > 
> > I am using CAS 5.3.X, but I think the same would apply to CAS 4 or
> > CAS 5.
> > 
> > <form method="post" action="https://<MyCASEndPoint>/cas/login">
> > 
> > 
> > In the browser, when I submit this form, I get 403.
> > 
> > But when I use Postman, it returns the CAS login page.
> > 
> > I do not understand why in the browser (FF and Chrome) I am getting 403;
> > is that because of CSRF? I tried to put in "execution" as a hidden
> > value, but that did not help.
> > 
> > Why does Postman return a different result than Chrome/FF?
> > 
> > Thanks,
> > Yan
>



Re: [cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread 'Richard Frovarp' via CAS Community
Why are you trying to POST to the login URL? It looks like this isn't
the POST from the login page? What do the CAS logs say?

On Thu, 2021-01-21 at 15:27 -0800, Yan Zhou wrote:
> Hello, 
> 
> I am using CAS 5.3.X, but I think the same would apply to CAS 4 or
> CAS 5.
> 
> <form method="post" action="https://<MyCASEndPoint>/cas/login">
> 
> 
> In the browser, when I submit this form, I get 403.
> 
> But when I use Postman, it returns the CAS login page.
> 
> I do not understand why in the browser (FF and Chrome) I am getting 403;
> is that because of CSRF? I tried to put in "execution" as a hidden
> value, but that did not help.
> 
> Why does Postman return a different result than Chrome/FF?
> 
> Thanks,
> Yan



[cas-user] Getting 403 when POST to /cas endpoint

2021-01-21 Thread Yan Zhou
Hello, 

I am using CAS 5.3.X, but I think the same would apply to CAS 4 or CAS 5.

<form method="post" action="https://<MyCASEndPoint>/cas/login">


In the browser, when I submit this form, I get 403.

But when I use Postman, it returns the CAS login page.

I do not understand why in the browser (FF and Chrome) I am getting 403; is
that because of CSRF? I tried to put in "execution" as a hidden value, but
that did not help.

Why does Postman return a different result than Chrome/FF?

Thanks,
Yan
