I don't think a POST can be reliably redirected. If the parameters
aren't too big, they can be URL-encoded in a GET (which I think the CAS
filter does), but different browsers have different limits on the URL size.
To handle a larger POST, I would have a filter save the parameters in a
session, if authentication is required (perhaps leaving just a parameter
indicating an interrupted POST for the redirect URL). Then, upon
validation, a filter would restore those POST parameters from the
session. If the servlet container doesn't recognize the filter changing
the resuming GET method back to POST in the filter chain, then the
servlet would just have to treat it as such. Also, I would limit the
total size of unauthenticated session data, to guard against denial of
service attacks.
Has anyone done anything like this? (Does the CAS client already? I
haven't looked in a while.)
Cheers,
11011011
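A sketch of the filter described above, written as an added example for this thread (it is not code from the CAS client or from either poster). It assumes the filter is mapped before the CAS client filters so it sees the unauthenticated POST, that the CAS client stores the validated assertion in the session under "_const_cas_assertion_" (the value of AbstractCasFilter.CONST_CAS_ASSERTION in the 3.1.x client; check your version), and that the client's post-validation redirect brings the resumed GET back with the assertion already in the session. The class and attribute names are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/** Stashes an unauthenticated POST in the session and replays it as a POST once CAS has validated the user. */
public class PostResumeFilter implements Filter {
    // Session attribute holding the interrupted POST's parameters (hypothetical name).
    static final String SAVED_POST = "postResume.savedParams";
    // Session attribute set by the CAS client once the ticket is validated (assumption: 3.1.x constant).
    static final String CAS_ASSERTION = "_const_cas_assertion_";
    // Cap on stashed data per unauthenticated session, so anonymous clients cannot fill server memory.
    static final int MAX_SAVED_CHARS = 64 * 1024;

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(true);
        boolean authenticated = session.getAttribute(CAS_ASSERTION) != null;

        if (!authenticated && "POST".equalsIgnoreCase(http.getMethod())) {
            // Unauthenticated POST: keep the parameters so the CAS login redirect does not lose them.
            @SuppressWarnings("unchecked")
            Map<String, String[]> params = new HashMap<String, String[]>(http.getParameterMap());
            if (sizeOf(params) <= MAX_SAVED_CHARS) {
                session.setAttribute(SAVED_POST, params);
            } // oversized bodies are dropped rather than stored
            chain.doFilter(req, resp); // the CAS AuthenticationFilter downstream redirects to /cas/login
            return;
        }

        @SuppressWarnings("unchecked")
        Map<String, String[]> saved = (Map<String, String[]>) session.getAttribute(SAVED_POST);
        if (authenticated && saved != null && "GET".equalsIgnoreCase(http.getMethod())) {
            session.removeAttribute(SAVED_POST); // one-shot: a stash is replayed at most once
            chain.doFilter(new ResumedPostRequest(http, saved), resp);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Rough size of the parameter map in characters, used for the per-session cap. */
    static int sizeOf(Map<String, String[]> params) {
        int total = 0;
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            total += e.getKey().length();
            for (String v : e.getValue()) {
                total += v.length();
            }
        }
        return total;
    }

    /** Presents the resumed GET to the servlet as the original POST with the saved parameters. */
    static class ResumedPostRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;

        ResumedPostRequest(HttpServletRequest request, Map<String, String[]> saved) {
            super(request);
            this.params = Collections.unmodifiableMap(saved);
        }

        @Override public String getMethod() { return "POST"; }
        @Override public Map<String, String[]> getParameterMap() { return params; }
        @Override public String[] getParameterValues(String name) { return params.get(name); }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(params.keySet());
        }
        @Override public String getParameter(String name) {
            String[] values = params.get(name);
            return (values == null || values.length == 0) ? null : values[0];
        }
    }
}
```

A servlet or JAX-RS resource behind this filter then sees getMethod() == "POST" and the original parameters; if the container or framework ignores the wrapped method, the resource can still read the replayed parameters directly, as the reply above suggests. Only form parameters are stashed here, not a raw request body, so the cap is a character count rather than a byte count.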
On 2010-11-12 03:30, Patrick wrote:
Scenario:
I need to POST form data from an unauthenticated client to a Java web service
which authenticates through CAS.
Problem:
After successful login (using default CAS.war and 'password' credentials), the
re-direct back to my web service is sent as a GET request, not a POST request,
and the data sent to my web service before authentication is lost.
NOTE: If I resubmit the original POST request once I have a valid ticket, it
succeeds, but going through the initial failure each time obviously won't fly
with users.
I took a look at this page:
https://wiki.jasig.org/display/CASUM/Applications+that+Require+POST+Responses
and tried adding method=POST to my CAS login URL.
This also failed. It did send a POST instead of a GET to my web service
following authentication. However, instead of containing my POST data, it
contained the CAS ticket! The ticket is therefore not received by the web
service and the web service will now loop back to CAS to request another ticket.
Why not log in to CAS before sending the POST:
Because this same scenario will be present if a session has expired and my
users wish to POST valid data to the next stage of the service.
Some details:
CAS 3.4.3 using the .war included in the download for evaluation on Tomcat6 on
Ubuntu server 10.04. Java client is 3.1.12.
CAS authentication filter from web.xml:
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
  <param-name>casServerLoginUrl</param-name>
  <param-value>http://cashost:8080/cas/login</param-value>
</init-param>
<init-param>
  <param-name>service</param-name>
  <param-value>http://jerseyhost:8080/jerseyapp/rest/process</param-value>
</init-param>
<init-param>
  <param-name>serverName</param-name>
  <param-value>http://jerseyhost:8080</param-value>
</init-param>
--
You are currently subscribed to cas-dev@lists.jasig.org as:
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-dev