Hi there,

We have a Spring MVC based web app that is protected by a CAS 4.1.7 overlay setup.
We are exposing the server side REST API to our clients, the Web App UI also calls server side REST API to render the pages. The web pages work well, but the issue is with the REST API. Even with valid ST tickets, our client gets the CAS login page in the HTTP response. They are calling our API like this, appending a valid ST ticket.

https://xxx/api/users?ticket=ST-xyz

My understanding of fixing this is that:

1. Use CAS Authentication Filter to protect all endpoints, but exclude /api endpoint, so that CAS login page does not return in response when /api is invoked.
2. Use CAS Validation Filter to protect /api endpoint, it simply gets the ticket from request URL and checks against CAS server. This filter does a subset of what CAS Authentication Filter does.

Does that sound right? I have not seen any solution for that, even though it should be a quite popular setting.

Thanks,
Yan
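As an added illustration (not part of the original post and not the CAS client's own code), this is the ticket check from step 2 at the CAS 2.0 protocol level: the `ticket` parameter is split off the request URL, the remainder is sent as `service` to `/serviceValidate`, and the XML reply is parsed. The CAS prefix `https://cas.example.org/cas`, the user name and both sample responses are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample responses in the CAS 2.0 serviceValidate format.
SAMPLE_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAIL = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

def split_ticket(request_url):
    """Return (service_url, ticket). The service URL is the request URL
    without the 'ticket' parameter; ticket is None unless exactly one
    ST- value is present."""
    parts = urlsplit(request_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tickets = [v for k, v in params if k == "ticket"]
    rest = [(k, v) for k, v in params if k != "ticket"]
    service = urlunsplit(parts._replace(query=urlencode(rest)))
    ok = len(tickets) == 1 and tickets[0].startswith("ST-")
    return service, (tickets[0] if ok else None)

def validation_url(cas_prefix, request_url):
    """Build the /serviceValidate URL, or None when there is no usable ticket.
    The service value must match the URL the ticket was issued for, and a
    service ticket is accepted only once."""
    service, ticket = split_ticket(request_url)
    if ticket is None:
        return None  # an API endpoint should answer 401 here, not redirect
    query = urlencode({"service": service, "ticket": ticket})
    return cas_prefix.rstrip("/") + "/serviceValidate?" + query

def parse_response(xml_text):
    """Return (user, None) on success or (None, failure_code) otherwise."""
    root = ET.fromstring(xml_text)  # reply comes from the CAS server over TLS
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text:
        return user.text.strip(), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code") if failure is not None else "MALFORMED_RESPONSE"
    return None, code

if __name__ == "__main__":
    print(validation_url("https://cas.example.org/cas",
                         "https://xxx/api/users?ticket=ST-xyz"))
    print(parse_response(SAMPLE_OK), parse_response(SAMPLE_FAIL))
```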