To authenticate a user, the values should be passed via POST.  We don't
recommend you pass them EVER as part of the query string.  The point is that
no application should know the password.

If you grab the other parameter (the _eventId) you may be able to do it via
GET (I haven't tried), but again we don't recommend it.

Cheers,
Scott


On Tue, Apr 27, 2010 at 12:12 PM, Guimaraes, Patricia (NIH/NLM) [C] <
[email protected]> wrote:

>  Hi,
>
> We currently have a web application that uses version 2.0.12 of the CAS
> server integrated with version 2.4.2 of uPortal.  When I go to the home page
> for this application, it redirects me to the CAS login page:
>
> https://www.mycompany.com/cas/login?service=http://www.mycompany.com/myapp
>
> If I view the source for the login page and extract the value of the hidden
> variable “lt” from it, I can then authenticate a test user against the CAS
> server with the following URL:
>
>
> https://www.mycompany.com/cas/login?service=http://www.mycompany.com/myapp&username=test&password=test&lt=LT-XXXXXXX
>
> We are re-engineering this web application to be a Spring-based application
> that authenticates using the latest version of CAS (we’re currently testing
> with 3.3.5).  As a proof-of-concept, I downloaded, built, and deployed the
> cas-sample application that comes with the source code for Spring Security
> (3.0.0.RELEASE).  I deployed both the CAS server (3.3.5) and the cas-sample
> application within Tomcat and was able to successfully authenticate a test
> user against the CAS server via the CAS login form.
>
> I then wanted to verify that I could authenticate the test user against the
> CAS server using the same process I mentioned above for the current/legacy
> web application.  That is, I went to the home page of the cas-sample
> application, clicked on the “Secure page” link, and was redirected to the
> CAS login page.  I then viewed the source for the login page and extracted
> the value of the hidden variable “lt”, which no longer starts with “LT-”.
> Its value now is something like this:
> _c6960A3E2-AF72-0779-1638-E3B7FF771938_kE2D5CF84-DCE0-A7DC-D1D5-FBBD73E409B4.
>
> At this point, I tried to go to the URL listed below thinking it would
> authenticate the test user against the CAS server (like it did with the
> current/legacy web application), but it simply redisplayed the login page:
>
>
> https://www.mycompany.com/cas/login?service=https%3A%2F%2Fwww.mycompany.com%2Fcas-sample%2Fj_spring_cas_security_check&username=test&password=test&lt=_c6960A3E2-AF72-0779-1638-E3B7FF771938_kE2D5CF84-DCE0-A7DC-D1D5-FBBD73E409B4
>
> These are the lines written to the log file:
>
> 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' beginning execution
> 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Executing setupForm
> 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
> 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - No property editor registrar set, no custom editors to register
> 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' beginning execution
> 2010-04-27_12:03 DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>
>
> Should I have been able to authenticate the test user this way?  Is the
> problem that CAS now requires the username, password, and lt parameters to
> be passed via POST instead of GET?  What am I doing wrong?
>
> Any help will be greatly appreciated.
>
> Thanks,
>
> Pat
>
>
>
> --
> You are currently subscribed to [email protected] as: 
> [email protected]
>
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>

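The two points in the thread above, Scott's (credentials belong in a POST body, never in the query string) and Pat's (the CAS 3.x form needs the hidden fields, including the _eventId, sent back with the credentials), as an added example that is not code from the thread, from CAS or from Spring Security. The sample login page and the access-log lines are constructed here; that the 3.x form carries hidden lt and _eventId inputs, and that the web flow just re-renders the login view when _eventId is absent, are assumptions drawn from the thread rather than something this script verifies against a live server.

```python
"""
Added example (not from the cas-user thread, CAS or Spring Security).
(1) build_login_post: submit the way the /cas/login form does, copying every
    hidden field (lt, and in CAS 3.x the _eventId that picks the 'submit'
    transition) into a POST body together with the credentials.
(2) credential_in_query / leaked_credential_requests: flag requests whose URL
    carries a password-like parameter, which is what a GET login leaves behind
    in access logs, browser history and Referer headers.
Sample page and log lines are constructed; field names other than lt and
_eventId are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the /cas/login page (assumption: the 3.x form has
# hidden lt and _eventId inputs; a real page carries more markup).
SAMPLE_LOGIN_PAGE = """
<form id="fm1" method="post" action="/cas/login?service=https%3A%2F%2Fwww.mycompany.com%2Fcas-sample%2Fj_spring_cas_security_check">
  <input id="username" name="username" type="text" />
  <input id="password" name="password" type="password" />
  <input type="hidden" name="lt" value="_c6960A3E2-AF72-0779-1638-E3B7FF771938_kE2D5CF84-DCE0-A7DC-D1D5-FBBD73E409B4" />
  <input type="hidden" name="_eventId" value="submit" />
  <input type="submit" name="submit" value="LOGIN" />
</form>
"""


class HiddenFieldParser(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attr names
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def hidden_fields(page_html):
    """Return the hidden form fields found on a login page."""
    parser = HiddenFieldParser()
    parser.feed(page_html)
    return dict(parser.fields)


def build_login_post(page_html, username, password):
    """Return the urlencoded POST body the login form would send.

    Hidden fields are copied from the page verbatim; the credentials are added
    to the body only, so the request URL never carries the password.
    """
    form = hidden_fields(page_html)
    if "lt" not in form:
        raise ValueError("no login ticket (lt) on the page: fetch /cas/login first")
    if "_eventId" not in form:
        # Assumption: without the event the flow only re-renders the login view.
        form["_eventId"] = "submit"
    form["username"] = username
    form["password"] = password
    return urlencode(form).encode("ascii")


# Parameter names that should never appear in a query string.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "secret"}


def credential_in_query(url_or_path):
    """True if a password-like parameter is present in the query string."""
    query = parse_qs(urlsplit(url_or_path).query, keep_blank_values=True)
    return any(name.lower() in SENSITIVE_PARAMS for name in query)


# Constructed access-log lines (common log format), not from the thread.
ACCESS_LOG = [
    '10.0.0.5 - - [27/Apr/2010:12:03:01 -0400] "GET /cas/login?service=http%3A%2F%2Fwww.mycompany.com%2Fmyapp&username=test&password=test&lt=LT-XXXXXXX HTTP/1.1" 200 4231',
    '10.0.0.5 - - [27/Apr/2010:12:03:05 -0400] "GET /cas/login?service=http%3A%2F%2Fwww.mycompany.com%2Fmyapp HTTP/1.1" 200 4231',
    '10.0.0.5 - - [27/Apr/2010:12:03:09 -0400] "POST /cas/login?service=http%3A%2F%2Fwww.mycompany.com%2Fmyapp HTTP/1.1" 302 0',
]

REQUEST_LINE = re.compile(r'"(GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def leaked_credential_requests(log_lines):
    """Return (method, request-target) for each line whose URL carries a
    password-like parameter. POST bodies are not logged, so only GET logins
    (or misbuilt POSTs with credentials in the URL) show up here."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and credential_in_query(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print("POST body:", build_login_post(SAMPLE_LOGIN_PAGE, "test", "test").decode())
    print("credential-bearing requests:", leaked_credential_requests(ACCESS_LOG))
```

Running the log scan against the server's access log is the quick way to find out whether any client is still doing what the legacy application did; the CAS server itself will not log the query string of a successful GET login any differently from a POST.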