Hi, I'm developing an application which exposes REST endpoints. I want to protect them with CAS but at the same time I want to avoid to require a new service ticket for each request. I developed a couple of filter in order to do this, essentially I'm saving the Assertion object and mapping it with the successfully validated service ticket. If the user want to do another request he send me the same service ticket, which is not valid for CAS anymore, and I put the saved Assertion object in the HttpServletRequest. All works well, my mapping is also integrated with the single sign out. My unique problem concerns the AuthenticationFilter which checks whether the assertion is present as session attribute. Why doesn't it check in the request attribute? I saw that other filters, like HttpServletRequestWrapperFilter and AssertionThreadLocalFilter, try to find the Assertion object also as request attribute. I would avoid to create a session for each request or create a copy and paste version of the AuthenticationFilter, It is possible to introduce this behavior in the AuthenticationFilter?
Thank you in advance Vincenzo -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
