Hi,

Quoting Scott from a discussion on a pull request:

*The reason that LoginTickets/Tokens exist (which essentially forces a
session) was to combat an issue with browsers reposting credentials when
users hit the back button. This issue was around in 2005. Not sure if it's a
major issue right now.*

Best,
Jérôme



2013/11/8 KaTeLmE <kate...@gmail.com>

> Sorry, I forgot the wiki link lol
>
> https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
>
>
> 2013/11/8 KaTeLmE <kate...@gmail.com>
>
>> Seems like this is to increase security and avoid CSRF attacks. It
>> forces any application to submit the credentials by POST method to the CAS
>> server app.
>>
>> See my comment in CAS wiki
>>
>> If you need to avoid that behaviour, for example to submit via Ajax,
>> you should create a non-interactive authentication action
>> (org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction) like
>> SPNEGO, X509 certificates or remote trusted client do, and modify
>> the login-webflow to handle your behaviour.
>>
>> I hope that this helps you!!
>>
>>
>> 2013/11/8 Michael Wechner <michael.wech...@wyona.com>
>>
>>> Hi
>>>
>>> I am still working on generating the login screen by the content
>>> management system instead of CAS,
>>> whereas I have read
>>>
>>> https://wiki.jasig.org/display/CAS/Using+CAS+without+the+Login+Screen
>>>
>>> I understand that one wants to prevent credentials from being sent
>>> to the content management system,
>>> but having the action point to the CAS server directly
>>>
>>> <form action="https://127.0.0.1:7070/cas-server-webapp-3.5.2/login"
>>> method="POST">
>>>
>>> does not seem to me like a security issue.
>>>
>>> But of course this does not work because of the required Login Ticket.
>>>
>>> I have been reading
>>>
>>> http://www.jasig.org/cas/protocol
>>>
>>> but I still don't really understand what the purpose of the Login
>>> Ticket is.
>>> Does somebody have some more hints on this?
>>>
>>> I am currently considering disabling the login ticket validation inside
>>>
>>> cas-server-3.5.2/cas-server-core/src/main/java/org/jasig/cas/web/flow/
>>> AuthenticationViaFormAction.java
>>>
>>> but I guess this is not really considered best practice :-)
>>>
>>> Thanks
>>>
>>> Michael
>>>
>>> --
>>> You are currently subscribed to cas-user@lists.jasig.org as:
>>> kate...@gmail.com
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>
>>

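The login-ticket behaviour the thread discusses (a single-use token, issued with the login page and bound to the browser session, so that a back-button repost or a form that never went through the CAS login flow is rejected), as an added example. This is not CAS's own code and is written in Python rather than Java purely for illustration; the LoginTicketRegistry class, the session identifiers, the form dictionary and the "LT-" prefix are assumptions.

```python
import secrets

# Hypothetical registry of outstanding login tickets, keyed by session.
# This models the idea in the thread, not the real CAS implementation.
class LoginTicketRegistry:
    def __init__(self):
        self._outstanding = {}  # session_id -> set of unused login tickets

    def issue(self, session_id):
        """Issue a fresh, unpredictable login ticket for this session.
        In the real flow this happens when the login page is rendered
        and the value goes into a hidden form field."""
        lt = "LT-" + secrets.token_urlsafe(24)
        self._outstanding.setdefault(session_id, set()).add(lt)
        return lt

    def consume(self, session_id, lt):
        """Accept a ticket once, then forget it.  A second POST with the
        same ticket (browser back button + resubmit) fails here, as does
        a ticket presented from a different session (CSRF-style forgery)."""
        tickets = self._outstanding.get(session_id, set())
        if lt in tickets:
            tickets.discard(lt)
            return True
        return False


def handle_login_post(registry, session_id, form):
    """Server-side handling of a POST to /login.  Returns a status string
    so the outcome of each scenario can be inspected; credential checking
    itself is out of scope and stubbed with a placeholder comment."""
    lt = form.get("lt")
    if not lt:
        # A form that points straight at /login without first loading the
        # CAS login page (the thread's CMS-hosted form) carries no ticket.
        return "error: missing login ticket"
    if not registry.consume(session_id, lt):
        return "error: invalid or already-used login ticket"
    # ... verify form["username"] / form["password"] here ...
    return "ok"


def simulate_back_button_repost(registry, session_id="sess-1"):
    """Constructed scenario: user submits, presses back, browser re-POSTs
    the identical form.  Returns the two results in order."""
    lt = registry.issue(session_id)
    form = {"lt": lt, "username": "alice", "password": "correct horse"}
    first = handle_login_post(registry, session_id, form)
    second = handle_login_post(registry, session_id, dict(form))  # same lt
    return first, second


if __name__ == "__main__":
    reg = LoginTicketRegistry()
    print(simulate_back_button_repost(reg))
    print(handle_login_post(reg, "sess-1", {"username": "alice", "password": "x"}))
```

The point the example makes is the one in Scott's quote: once a ticket is consumed the replayed POST is refused, which is why the thread's CMS-hosted form cannot simply target /login without going through the ticket-issuing step, and why disabling the check in AuthenticationViaFormAction re-opens the repost problem.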