I think that Jérôme probably hit it with this suggestion:
Do you have the parameter redirectAfterValidation set to true for your CAS validation filter?

After validating the service ticket, many (most? all?) CAS clients will respond with a 302 sending you back to the protected URI without the ticket parameter, unless you configure them to do otherwise. At EMC, we've made some mods to look at a header that indicates that the client is a REST client and to turn off this behavior for REST clients, while leaving it on for browser clients.

So you do a POST to https://example.com/myResource?ticket=ST-1234567

The service responds with a 302 with Location: https://example.com/myResource and the HTTP client will then do a GET.

The only thing that I don't understand is how you could succeed in the POST when you are using the CAS form authentication. This is basically impossible, because the 302 back and forth to CAS will result in your POST getting turned into a GET. The only way that this could be working is that you are logging in first with an ST and then doing a POST on the same session after the ticket validation. But that would work whether you got the ST from the CAS form login page or from the CAS REST URI.

From: Jérôme LELEU [mailto:lel...@gmail.com]
Sent: Tuesday, February 12, 2013 2:06 AM
To: cas-user@lists.jasig.org
Cc: cas-user@lists.jasig.org; cas-user@lists.jasig.org; genix2...@googlemail.com
Subject: Re: [cas-user] CAS protected glassfish webservice problems with CAS RESTful API

Hi,

I misunderstood your original post. You're talking about POST requests on a protected url, not on the /serviceValidate url.

Did you try to send POST requests with the service ticket as a form parameter (not in the query string)?
Do you have the parameter redirectAfterValidation set to true for your CAS validation filter?
Can you turn on DEBUG logs for org.jasig.cas.client package and post relevant logs?

Thanks,
Jérôme

On Monday, February 11, 2013 6:45:19 PM UTC+1, genix wrote:

Hi Jérôme,

thanks for the reply.
The strange thing is that when I send the request as POST, the ticket is validated correctly (that's what the CAS logs tell me), but the webservice is telling me "resource moved" and provides me with a link to the same resource, but using the GET method. Doing the same request being authenticated by the CAS login form, it is being executed correctly.

I am using the official CAS Client for Java 3.1, with a web.xml configuration.

Regards,
genix.

--
You are currently subscribed to cas-...@lists.jasig.org as: cas-user-ga...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
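The sequence described in the reply above (POST with the ticket, 302 to the same URI without it, GET from the HTTP client), as an added example that is not part of the original thread and is not CAS client code. A constructed stand-in server on localhost imitates only the redirect step and validates nothing; `make_handler` and `method_seen_by_resource` are hypothetical names.

```python
import http.server, threading, urllib.parse, urllib.request

def make_handler(redirect_after_validation):
    """Constructed stand-in for a CAS-protected resource (no real validation)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def _serve(self):
            url = urllib.parse.urlsplit(self.path)
            # Drain the request body, if any, before answering.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if "ticket" in urllib.parse.parse_qs(url.query) and redirect_after_validation:
                # Ticket treated as validated: 302 to the same URI minus ?ticket=
                self.send_response(302)
                self.send_header("Location", url.path)
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = self.command.encode()  # report the method the resource saw
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        do_GET = do_POST = _serve
        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def method_seen_by_resource(redirect_after_validation):
    """POST with a ticket; return the HTTP method that reached the resource."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(redirect_after_validation))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/myResource?ticket=ST-1234567" % server.server_port
        req = urllib.request.Request(url, data=b"payload", method="POST")
        # Ignore proxy settings from the environment; follow redirects as usual.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(req, timeout=5) as resp:
            return resp.read().decode()
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("redirectAfterValidation=true :", method_seen_by_resource(True))
    print("redirectAfterValidation=false:", method_seen_by_resource(False))
```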